Update: You can now deploy this using KubeSail!
We can't deny Kubernetes is a great container scheduler and orchestrator, but until recently it was nigh impossible to run anything in it that needs elevated privileges. Fast forward to today, and we can now run a VPN inside a container (thank you, WireGuard).
Since Kubernetes 1.18, securityContext is a stable feature, so the usual Docker arguments such as --cap-add are now possible. And since that is now possible, why not run a VPN inside Kubernetes?
For this lab, we're using the following:
K3s v1.18. This can be run on your Raspberry Pi or use a hosted solution like the ones from our friends at Civo.
The Mysterium dVPN. Mysterium dVPN comes with OpenVPN, noop, and WireGuard preinstalled for you. In addition, you can also share the VPN to your friends and set a meager fee so you can earn while it's being used.
A VM that allows us to use the NET_ADMIN capability in the Kubernetes security context. You'll need NET_ADMIN to run iptables rules and set up tunnels.
First of all, let's connect to your cluster. Assuming you're running everything locally, you can get the Kubeconfig from /var/lib/rancher. If you're using Civo or any other provider, grab the Kubeconfig from their dashboard.
Once you have the Kubeconfig, feel free to point your kubectl at it, but for the sake of simplicity I will be using Mirantis Lens.
Next, we want to configure the deployment we will be using. I took the liberty of setting this up for you.
This example deployment file does the following:
Create a Pod with privileged status and the NET_ADMIN capability. This allows our pod to set its own network rules inside the host it is scheduled on.
Create a Service for the Mysterium Node Frontend. This is required for you to finish the rest of the setup.
Create a PVC which will contain your configuration.
Create an Ingress using the default Traefik ingress that ships with K3s and serve it under whatever domain you choose.
Configure this to your liking, but this is the bare minimum setup you will want to go with. If all goes according to plan, it should deploy properly.
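The following manifest is an added example written for this post, not the deployment file the author prepared. It shows the four objects listed above wired together for a K3s 1.18 cluster. The object names, the container image reference, the UI port, the mount path, the storage size and the hostname are all assumptions or placeholders; replace them with the values for the Mysterium node image and domain you actually use.

```yaml
# Added example manifest (not the author's deployment file). Names, image,
# port, mount path, storage size and hostname are assumptions or placeholders.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: myst-config                 # assumed name; holds the node's configuration
spec:
  accessModes: ["ReadWriteOnce"]
  resources:
    requests:
      storage: 1Gi                  # assumed size
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myst-node                   # assumed name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: myst-node
  template:
    metadata:
      labels:
        app: myst-node
    spec:
      containers:
        - name: myst
          image: MYST_NODE_IMAGE:TAG      # placeholder: the Mysterium node image you deploy
          ports:
            - name: ui
              containerPort: 4449         # assumed UI port; check the image's documentation
          securityContext:
            # NET_ADMIN is the capability the node needs to add iptables rules
            # and create tunnel interfaces.
            capabilities:
              add: ["NET_ADMIN"]
            # The post runs the pod privileged as well. privileged: true grants
            # every capability plus host device access, far more than NET_ADMIN,
            # so test whether the tunnel comes up with NET_ADMIN alone before
            # keeping this line.
            privileged: true
          volumeMounts:
            - name: config
              mountPath: /var/lib/mysterium-node   # assumed path inside the image
      volumes:
        - name: config
          persistentVolumeClaim:
            claimName: myst-config
---
apiVersion: v1
kind: Service
metadata:
  name: myst-node
spec:
  selector:
    app: myst-node
  ports:
    - name: ui
      port: 80
      targetPort: ui
---
# Kubernetes 1.18 serves Ingress under networking.k8s.io/v1beta1;
# on 1.19 and later use networking.k8s.io/v1 with the service/port backend form.
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: myst-node
  annotations:
    kubernetes.io/ingress.class: traefik   # K3s ships Traefik as its default ingress
spec:
  rules:
    - host: myst.example.com               # placeholder domain
      http:
        paths:
          - path: /
            backend:
              serviceName: myst-node
              servicePort: ui
```

Apply it with kubectl apply -f and the file name, then check kubectl get pods to confirm the node container reached Running. The securityContext is the part that matters for this post: without the NET_ADMIN entry the container cannot manipulate routing or iptables and the VPN will fail to start, which is also the quickest way to confirm the cluster actually honours capability requests.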
So when you check your Pods, our small little node should be set up!
Let's log in to your Mysterium Frontend and set up the rest of the node. The default credentials are myst for the username and mystberry for the password. Change these immediately.
Head over to Settings and set your ERC-20 ETH address and e-mail. Setting these allows payments for your VPN to go through that wallet, and the e-mail lets you send bug reports to the Mysterium developers should you encounter issues.
With all that set up, go to Statistics and connect to your VPN using the ID provided there. If all goes well, all three providers are available to you: OpenVPN, noop, and WireGuard.
The Mysterium client decides on its own which protocol is more efficient based on where you are, so don't worry about which protocol to use.
With that all set, download the Mysterium dVPN client and browse away!
Today we have learned that we can run any kind of VPN in Kubernetes as long as our nodes allow us to use the NET_ADMIN capability and the VPN is packaged accordingly.
Now that you have a VPN set up, go ahead and share it with your friends and family using the Provider ID shown on Statistics for your node! You may run it without cost or charge a recurring fee; just set it in your Settings.