I’m using GKE for deployments.
Edit: I need to access a customer’s API endpoint which is only accessible when using their VPN. So far I can run a container which connects to this VPN and I can cURL the endpoint successfully.
For the above, I have configured a Debian docker image which successfully connects to a VPN (specifically, using Kerio Control VPN) when deployed. Whenever I make a net request from this container, it runs through the VPN connection, as expected.
I have another image which runs a .NET Core program which makes necessary HTTP requests.
From this guide I know it is possible to run a container’s traffic through another using pure docker, specifically using the --net=container:something option (trimmed the example):

docker run \
  --name=jackett \
  --net=container:vpncontainer \
  linuxserver/jackett
However, I have to use Kubernetes for this deployment so I think it would be good to use a 2-container pod. I want to keep the VPN connection logic and the program separated.
How can I achieve this?
3 Answers
Each container in a pod has shared network resources. If you run a VPN client in one container then all containers in this pod will have access to the network via the VPN.

Based on your comment I think I can advise you two methods.

In this setup, you should use a Private GKE cluster with Cloud NAT for external communication. You would need to use a manual external IP. This scenario is using a specific external IP for the VPN connection, but it’s required from your customer to whitelist access for this IP.

You can configure your VPN to forward packets to your cluster. For details you should check other Stackoverflow threads.
I’m using a similar approach. I have a Django app whose static files need to be served, for which I need nginx. I want the app to be accessible through VPN, for which I’m using OpenVPN.

Both the nginx container and the django container are in the same pod. My limited understanding is that it would be enough to run the VPN in the background in the nginx container and it should successfully route requests to the backend using localhost because they’re in the same pod. But this doesn’t seem to be working. I get a 504 Time-Out in the browser and the nginx logs confirm that the upstream timed out. Have you done anything extra to make this work in your case?
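The answer above rests on one fact: every container in a Pod shares the same network namespace, so a tunnel brought up by one container is used by all of them. The manifest below is an added example (not code from the question or from any answer) of the two-container Pod the question asks for: a VPN sidecar that is the only container holding extra capabilities, and the .NET application container, which stays unprivileged and simply sends its HTTP requests into the shared namespace. Image names, the Secret name, the environment variable names the VPN image reads, the endpoint URL, the tunnel interface name `tun0`, and the presence of `ip` and `curl` in the images are all assumptions.

```yaml
# Added example (not from the question or any answer): VPN sidecar + app in one Pod.
# Placeholders/assumptions: image names, Secret name, env var names, endpoint URL, tun0.
apiVersion: v1
kind: Pod
metadata:
  name: dotnet-client-via-vpn
spec:
  containers:
  # Sidecar: owns the tunnel. It is the only container that needs extra
  # privileges, so the application container can stay unprivileged.
  - name: vpn
    image: example.com/kerio-vpn-client:1.0   # placeholder for the Debian VPN image from the question
    securityContext:
      capabilities:
        add: ["NET_ADMIN"]          # create the tun device and change routes; avoids privileged: true
    env:
    - name: VPN_USERNAME            # assumed variable names; use whatever the VPN image expects
      valueFrom:
        secretKeyRef:
          name: customer-vpn-credentials
          key: username
    - name: VPN_PASSWORD
      valueFrom:
        secretKeyRef:
          name: customer-vpn-credentials
          key: password
    volumeMounts:
    - name: tun
      mountPath: /dev/net/tun
    # Readiness reflects whether the tunnel interface is actually up, not just
    # whether the client process is running (assumes iproute2 and a tun0 device).
    readinessProbe:
      exec:
        command: ["sh", "-c", "ip link show tun0 | grep -q UP"]
      periodSeconds: 10
  # Application: no added capabilities. Because the Pod shares one network
  # namespace, its outbound requests follow the routes the sidecar installed.
  - name: app
    image: example.com/dotnet-http-client:1.0  # placeholder for the .NET Core image from the question
    env:
    - name: CUSTOMER_API_URL
      value: "https://api.customer.example/"   # placeholder; reachable only through the VPN
    securityContext:
      allowPrivilegeEscalation: false
      runAsNonRoot: true
    # Containers start in parallel, so the tunnel may not be up yet when the app
    # starts: this probe (assumes curl in the image) keeps the Pod NotReady until
    # the endpoint answers through the tunnel; the app itself should also retry.
    startupProbe:
      exec:
        command: ["sh", "-c", "curl -fsS --max-time 5 \"$CUSTOMER_API_URL\" >/dev/null"]
      failureThreshold: 30
      periodSeconds: 5
  volumes:
  - name: tun
    hostPath:
      path: /dev/net/tun
      type: CharDevice
```

Two checks are worth doing once the Pod is Ready. First, run `kubectl exec <pod> -c app -- ip route` (or `curl` the endpoint from the `app` container, not the `vpn` one): that confirms the application's own traffic, not just the sidecar's, is using the tunnel. Second, compare that routing table with the one from before the tunnel came up: because the namespace is shared, a client that replaces the default route or adds DNS settings changes them for the application container too, so traffic the app sends to in-cluster services may now also be steered into the tunnel unless the VPN client installs split routes. Loopback traffic between containers in the Pod (the nginx-to-backend `localhost` case in the comment above) does not leave the namespace and is unaffected by those routes, so a timeout there is a sign to look at the backend's listen address and port rather than at the tunnel.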