VPN Client In One Kubernetes Pod and Other Pods Connect to Internet Through It?

HarryMuscle

Contributor
Joined
Nov 15, 2021
Messages
161
In Docker, it's pretty straightforward to have one container run a VPN client and have other containers route all internet traffic through it by specifying the VPN container as the network (i.e. --net=container:vpn). I'm trying to wrap my head around Kubernetes networking and I'm wondering if such a setup is also possible in Kubernetes. If it is, anyone have any pointers on how, or better yet, know of a tutorial, that would be great.

Thanks,
Harry
 

masterjuggler

Dabbler
Joined
Jan 19, 2022
Messages
10
I'm trying to accomplish the same thing, using the thrnz/docker-wireguard-pia container. I watched the video in quick start guide #12 and can't figure out where the IP in the wireguard config file came from. Is that the IP the VPN in its respective container is connected to? What if the VPN IP address changes constantly due to switching between servers?

From what I understand, if you have multiple docker containers in a pod with one of them running a VPN, they will all share the same network interface. Is there a way to move apps into the same pod as the VPN, or vice versa?

I'm trying to understand how kubernetes actually manages the docker containers, and how they are allowed to interact with each other. This is my first foray into working with kubernetes, and I have no doubt that I have misunderstandings, and I don't know all the right questions to ask. It doesn't help that managing kubernetes, and by extension the underlying docker containers, through cli doesn't seem to be a thing for some reason as kubectl isn't even a recognized command, which makes most online guides useless. Also the hints for pod config options are rather unhelpful because they assume you already know what the options do. Basically I'm asking: where should we be looking for information?
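As an added example (not from the thread, TrueCharts or k8s-at-home), this is what the docker --net=container: pattern looks like in plain Kubernetes: all containers in one Pod share a network namespace, so the routes a VPN sidecar installs apply to the app container as well. The image names, secret name and VPN endpoint address are placeholders.

```yaml
# Added example: one Pod whose containers share a network namespace,
# the Kubernetes counterpart of docker's --net=container:vpn.
# Images, secret name and VPN endpoint below are placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: vpn-routed-app
  labels:
    app: vpn-routed-app
spec:
  containers:
    - name: wireguard        # VPN client sidecar; owns the wg0 tunnel
      image: example.org/wireguard-client:latest   # placeholder
      securityContext:
        capabilities:
          add: ["NET_ADMIN"] # needed to create wg0 and install routes
          drop: ["ALL"]
      volumeMounts:
        - name: wg-config
          mountPath: /etc/wireguard
          readOnly: true
    - name: app              # the workload; needs no privileges, its
      image: example.org/some-app:latest           # placeholder
      securityContext:       # traffic follows the shared routing table
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
  volumes:
    - name: wg-config
      secret:
        secretName: wg-config # wg0.conf; give the endpoint as an IP
---
# Egress "kill switch": the pod may only talk directly to the VPN
# server; anything else must leave inside the tunnel or is dropped.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: vpn-routed-app-egress
spec:
  podSelector:
    matchLabels:
      app: vpn-routed-app
  policyTypes: ["Egress"]
  egress:
    - to:
        - ipBlock:
            cidr: 203.0.113.10/32   # placeholder VPN server address
      ports:
        - protocol: UDP
          port: 51820             # WireGuard's usual listen port
```

The NetworkPolicy only does anything if the cluster's CNI enforces network policies, and wg-quick based images usually also need the `net.ipv4.conf.all.src_valid_mark=1` sysctl, which Kubernetes treats as unsafe and only allows if the kubelet has been configured to permit it.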
 

LarsR

Guru
Joined
Oct 23, 2020
Messages
719
Since SCALE uses k3s and not stock k8s, the command is "k3s kubectl ..." and not just kubectl.
 

truecharts

Guru
Joined
Aug 19, 2021
Messages
788
I'm trying to accomplish the same thing, using the thrnz/docker-wireguard-pia container. I watched the video in quick start guide #12 and can't figure out where the IP in the wireguard config file came from. Is that the IP the VPN in its respective container is connected to? What if the VPN IP address changes constantly due to switching between servers?

If something isn't clear in the guides, it's best to reach out to our community directly.
As we don't, pro-actively, offer support with the guides here.

Your issues are also not super clear, because our guides are made for TrueCharts only and you reference some other random container which we definitely do not use.

While it is technically possible with a LOT of professional-level kubernetes/helm experience to set up (kubernetes native single-container vpn proxying), for example k8s-at-home has done so before, we found that at this stage of development we couldn't add it because we had a hard time making a good design draft for it that ensured stability and GUI compatibility.

However, besides that option, you should be able to use any HTTP proxy App/container with the VPN addon using our Custom-App App.
That should allow you to connect some Apps to the HTTP proxy. But that's definitely beyond the scope of what we can offer in terms of active support.
 

masterjuggler

Dabbler
Joined
Jan 19, 2022
Messages
10
@truecharts Your quick start guide was referenced earlier as a possible source of information for routing one pod's traffic through another. I realize that you don't affiliate directly with truenas, and I didn't mean to direct my questions at truecharts specifically. Like the OP, I'm trying to understand in general how to go about this, using kubernetes. The fact that one pod hosts a VPN is somewhat irrelevant. With pure docker, we're able to simply set a --net=container: flag like the OP said. Is there any way to do something similar with kubernetes pods in truenas scale?

I don't yet understand if a container installed from docker hub is put into a pod the same way an app from truenas or truecharts is, so maybe this question is lacking context. From what I can tell, everything that is installed, regardless of the source, is put into its own pod, and every pod holds exactly one docker container. Is this not correct?
 

truecharts

Guru
Joined
Aug 19, 2021
Messages
788
@truecharts Your quick start guide was referenced earlier as a possible source of information for routing one pod's traffic through another.

That explains the misunderstanding, because that's not what that guide is about. Nor does the guide go into the technical details that are going on behind the scenes.
The fact that one pod hosts a VPN is somewhat irrelevant.

It's not, because if you just want to have VPN support we have our VPN addon for that, which is one connection per Pod.
The complication stems just from the one-pod solution that is being requested.

I don't yet understand if a container installed from docker hub is put into a pod the same way an app from truenas or truecharts is, so maybe this question is lacking context.

Yeah, let's answer that question first: The "Big blue" "Launch Docker" button is "just another App" behind the scenes. It just exposes more settings to the users and has no defaults set. In that regard our "Custom-App" App is not much different from the "big blue button", besides the fact it gets updates and is not behind a big button.

With pure docker, we're able to simply set a --net=container: flag like the OP said. Is there any way to do something similar with kubernetes pods in truenas scale?

So that gets on this question:
Multiple containers, using the GUI, would mean running multiple Apps. From that point onwards our "linking guide" should mostly suffice and there are a few more explanations elsewhere.

But just to be clear: Our VPN addon does not use multiple pods.

From what I can tell, everything that is installed, regardless of the source, is put into its own pod, and every pod holds exactly one docker container. Is this not correct?

For the "Launch Docker" button: Yes.
But for the other Apps it depends on how the App is designed.
 

masterjuggler

Dabbler
Joined
Jan 19, 2022
Messages
10
It's not, because if you just want to have VPN support we have our VPN addon for that, which is one connection per Pod.
The complication stems just from the one-pod solution that is being requested.
I feel like we may be under different assumptions about use cases, so I want to clarify: The VPN I'm referring to is a service I pay for that offers a limited number of concurrent connections to their servers. I assume this is also what the OP is talking about. In order to accomplish this, we need a client running to create the network interface for the VPN that other programs' traffic can be routed through. In my specific case, this is PIA (private internet access), and I installed the client from docker hub.

If we were already on the same page, then I probably just don't understand what the VPN addon in your apps is meant for. It seems that it's to connect to pods/services on the node from a local machine, or to allow direct communication between nodes (if I'm correct that a node is a single machine hosting truenas).

So that gets on this question:
Multiple containers, using the GUI, would mean running multiple Apps. From that point onwards our "linking guide" should mostly suffice and there are a few more explanations elsewhere.
I apologize if this is incorrect, but I've been using the terms "pod", "container", and "app" entirely interchangeably to mean basically the same thing on a practical level. From what I've read, a docker container is wrapped in a kubernetes pod like the FreeBSD jails, and truenas is simply calling each pod an app. Maybe it would be clearer if I said that what I'm trying to accomplish is to route one app's network traffic through another, regardless of how that app was installed or the source of the app. At least in the truenas UI, there doesn't appear to be any difference between any of them as they're all just listed as "applications".

As far as linking apps goes, from the video in your quick start guide it seems that this requires support from the programs running in the apps, rather than something that can be set from the app settings panel in truenas or in cli. Is this correct? If so, then I don't think this is the solution for what we're trying to accomplish.
 

backdoc

Dabbler
Joined
Aug 27, 2012
Messages
22
I feel like we may be under different assumptions about use cases, so I want to clarify: The VPN I'm referring to is a service I pay for that offers a limited number of concurrent connections to their servers. I assume this is also what the OP is talking about. In order to accomplish this, we need a client running to create the network interface for the VPN that other programs' traffic can be routed through. In my specific case, this is PIA (private internet access), and I installed the client from docker hub.

If we were already on the same page, then I probably just don't understand what the VPN addon in your apps is meant for. It seems that it's to connect to pods/services on the node from a local machine, or to allow direct communication between nodes (if I'm correct that a node is a single machine hosting truenas).


I apologize if this is incorrect, but I've been using the terms "pod", "container", and "app" entirely interchangeably to mean basically the same thing on a practical level. From what I've read, a docker container is wrapped in a kubernetes pod like the FreeBSD jails, and truenas is simply calling each pod an app. Maybe it would be clearer if I said that what I'm trying to accomplish is to route one app's network traffic through another, regardless of how that app was installed or the source of the app. At least in the truenas UI, there doesn't appear to be any difference between any of them as they're all just listed as "applications".

As far as linking apps goes, from the video in your quick start guide it seems that this requires support from the programs running in the apps, rather than something that can be set from the app settings panel in truenas or in cli. Is this correct? If so, then I don't think this is the solution for what we're trying to accomplish.
Did you ever get this cleared up? I just built a new server and if I am understanding what you are trying to do, it's what I also had in mind. I have a few docker apps that I had intended to move off some Linux boxes onto my new NAS. But, I also have PIA. One idea that I had was to install a Linux VM, configure it as a VPN gateway and route docker apps through it. I guess I could just create my Linux VM, set it up with PIA with a kill switch, then just install docker on it and any other docker apps. But, since SCALE supports Docker, I thought it would be easier on resources to stay with it.
 

truecharts

Guru
Joined
Aug 19, 2021
Messages
788
Did you ever get this cleared up? I just built a new server and if I am understanding what you are trying to do, it's what I also had in mind. I have a few docker apps that I had intended to move off some Linux boxes onto my new NAS. But, I also have PIA. One idea that I had was to install a Linux VM, configure it as a VPN gateway and route docker apps through it. I guess I could just create my Linux VM, set it up with PIA with a kill switch, then just install docker on it and any other docker apps. But, since SCALE supports Docker, I thought it would be easier on resources to stay with it.

The only VPN solution currently available is ours and we already, quite thoroughly, explained what it can and cannot be used for.

Quote:
"It's not, because if you just want to have VPN support we have our VPN addon for that, which is one connection per Pod."
 

backdoc

Dabbler
Joined
Aug 27, 2012
Messages
22
The only VPN solution currently available is ours and we already, quite thoroughly, explained what it can and cannot be used for.

Quote:
"It's not, because if you just want to have VPN support we have our VPN addon for that, which is one connection per Pod."
Okay. Thanks for the reply. I've been running FreeNAS for probably 10 years (so long I can't remember) and haven't come across TrueCharts until now.

Fwiw, I just installed Scale. I’m still in the planning phase of how I wanted to migrate my old stuff and set my new server up.
 

picklefish

Explorer
Joined
Mar 13, 2016
Messages
62
If anyone writes a guide on how to do this I will watch, comment, like your video or blog post. My current setup is a single VM with PIA, firewall rules, and services. Would be nice to split them out, but it sounds like recreating my VM is the right way to go atm.

Edit: This is essentially what I want to do: https://docs.k8s-at-home.com/guides/pod-gateway/
 
