
[Feature request] Add VPN egress

Open umbertix opened this issue 1 year ago • 2 comments

Hi, amazing project I just found and I was wondering if anyone has managed to set up an egress policy for some specific services through a VPN. I'm not sure that the cloudflare VPN setup is really thought out with this idea.

I'm still trying to understand if this is even possible, but ideally I would like, for example, any traffic going OUT of transmission to go through another pod that is a VPN client, like gluetun, but any internal traffic like sonar to be treated normally.

Thanks again for the project, I will take a look myself in the coming weeks if no one gets to it before I have some time.

umbertix avatar Feb 06 '24 22:02 umbertix

Hi, I haven't tried it yet, but this sounds like it could be done by setting up a Cilium egress gateway and a VPN sidecar?

Also if you only need to set it up for Transmission to download totally legal content (like Big Buck Bunny :wink:), perhaps a VPN sidecar for it would be simpler than an egress gateway :thinking:

khuedoan avatar Feb 08 '24 16:02 khuedoan

The egress gateway or any other method only makes sense if you have multiple pods needing VPN.

I tried to play with Cilium egress gateway, but with my lack of cilium knowledge I couldn't get it working.

To my understanding the egress gateway directs pod traffic to a specific node's host network interface/IP (which is intended to route legacy services into the cluster). I couldn't get it to link back into Cilium and to a cluster IP. If you can figure it out that would be wonderful. It would work if you had a VPN interface running on the host of one node (not in the Kubernetes cluster) or a VPN client on a router or another device.

Alternatively you can run gluetun with a socks5-server sidecar. Connect that up to any clients (torrent or prowlarr).

pandabear41 avatar Feb 09 '24 07:02 pandabear41

Thanks for the pointers, I ended up having a container running next to the ones that needed VPN connectivity with something like:

```yaml
        - name: gluetun
          image: ghcr.io/qdm12/gluetun # Optionally you can use the "qmcgaw/gluetun" image as well as specify what version of Gluetun you desire
          imagePullPolicy: Always
          securityContext:
            capabilities:
              add: ["NET_ADMIN"] # required so gluetun can create the tunnel interface and its firewall rules
```

Thanks, I'll see if at some point I can get a PR for this :)

umbertix avatar Mar 10 '24 11:03 umbertix
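Putting the sidecar approach from this thread into one complete manifest, as an added example (not the homelab project's own code and not posted by any commenter): gluetun runs as a sidecar in the same pod as Transmission, so Transmission shares the pod's network namespace and its outbound traffic can only leave through the tunnel, while gluetun's own firewall keeps cluster-internal traffic (Sonarr reaching the RPC port) working. The namespace, Secret name, Transmission image, pod CIDR and port are placeholders, and the provider-specific WireGuard variables gluetun expects beyond the two shown depend on your provider, so check gluetun's documentation for those.

```yaml
# Added example. Placeholders: namespace "media", Secret "gluetun-wireguard",
# the Transmission image, the pod CIDR 10.42.0.0/16 and RPC port 9091.
apiVersion: v1
kind: Secret
metadata:
  name: gluetun-wireguard          # placeholder name
  namespace: media                 # placeholder namespace
type: Opaque
stringData:
  # Keep credentials out of the Deployment; gluetun reads them from the environment.
  WIREGUARD_PRIVATE_KEY: "<replace-with-your-wireguard-private-key>"
  WIREGUARD_ADDRESSES: "<replace-with-your-tunnel-address/32>"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: transmission
  namespace: media
spec:
  replicas: 1
  selector:
    matchLabels:
      app: transmission
  template:
    metadata:
      labels:
        app: transmission
    spec:
      containers:
        - name: gluetun
          image: ghcr.io/qdm12/gluetun
          imagePullPolicy: Always
          securityContext:
            capabilities:
              add: ["NET_ADMIN"]     # tunnel interface + firewall rules; no other privilege needed
          env:
            - name: VPN_SERVICE_PROVIDER
              value: "<your-provider>"   # placeholder; see gluetun docs for the provider value
            - name: VPN_TYPE
              value: "wireguard"
            # gluetun's firewall blocks anything that does not go through the tunnel
            # (a kill switch: if the VPN drops, traffic is blocked rather than leaked).
            # Exempt the cluster's pod CIDR so internal clients such as Sonarr can still
            # talk to this pod without that traffic being pushed into the tunnel ...
            - name: FIREWALL_OUTBOUND_SUBNETS
              value: "10.42.0.0/16"      # placeholder: your cluster's pod CIDR
            # ... and open only the Transmission RPC port for inbound connections.
            - name: FIREWALL_INPUT_PORTS
              value: "9091"
          envFrom:
            - secretRef:
                name: gluetun-wireguard
        - name: transmission
          image: "<your-transmission-image>"   # placeholder
          ports:
            - name: rpc
              containerPort: 9091
          # No extra capabilities here: this container simply inherits the pod's
          # network namespace, whose routes and firewall gluetun controls.
---
apiVersion: v1
kind: Service
metadata:
  name: transmission
  namespace: media
spec:
  selector:
    app: transmission
  ports:
    - name: rpc
      port: 9091
      targetPort: rpc
```

To confirm it does what the thread asks for, exec into the transmission container and look up the public IP it is seen from; it should be the VPN exit, not the node's address, and it should stay unreachable (not fall back to the node's IP) while the gluetun container is down. Because every pod that needs the VPN carries its own sidecar, this is the "only a few pods" case pandabear41 describes; if many workloads need the tunnel, a single egress gateway is the approach to revisit.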