Brief introduction:
VPN stands for Virtual Private Network: a tunnel that carries data securely between sites of a company, or between an individual and a company, over an untrusted network. OpenVPN is the pioneer among open-source VPNs on Linux, with good performance and a friendly user GUI.
It relies heavily on OpenSSL for its control channel; older documentation describes this as the SSLv3/TLSv1 protocol library, but current OpenVPN builds only negotiate TLS, and SSLv3 is disabled.
OpenVPN currently runs on Solaris, Linux, OpenBSD, FreeBSD, NetBSD, Mac OS X and Microsoft Windows, as well as Android and iOS, and includes many security features. It is not a web-based VPN, and it is not compatible with IPsec or other VPN packages.
Official repository address: Kubeapps Hub
Client download address: download link
If that address is unreachable, you can download from the link below
Baidu Netdisk: click here, extraction code: l0qv
Confirm that Helm is installed correctly on the cluster

```
[root@master-dev ~]# helm version
version.BuildInfo{Version:"v3.1.0", GitCommit:"b29d20baf09943e134c2fa5e1e1cab3bf93315fa", GitTreeState:"clean", GoVersion:"go1.13.7"}
```
Download the Chart package and modify the values.yaml file

```bash
helm repo add stable https://kubernetes-charts.storage.googleapis.com
helm pull stable/openvpn
```

Note: if the address above cannot be added as a repository, you can download the chart from Microsoft's chart mirror instead. The googleapis address was decommissioned in November 2020 along with the whole `stable` repository; the archived charts are now served from https://charts.helm.sh/stable, and `stable/openvpn` itself is no longer maintained, so expect to patch the chart yourself on newer Kubernetes versions. `helm pull` only downloads a `.tgz`; add `--untar` (or extract it by hand) to get the `openvpn/` directory that the `helm install` step below refers to.
```yaml
service:
  type: NodePort  # we are not using a LoadBalancer here
openvpn:
  OVPN_K8S_POD_NETWORK: "10.244.0.0"    # Kubernetes pod network subnet (optional).
  OVPN_K8S_POD_SUBNET: "255.255.255.0"  # change this to match the cluster's pod network
persistence:
  enabled: true
  storageClass: "nfs-client"  # change to the cluster's storageClass name
  accessMode: ReadWriteOnce
  size: 2M
```

These two `OVPN_K8S_POD_*` values become the route the server pushes to clients, so the netmask must cover the whole pod CIDR, not just the network address. With the common flannel/kubeadm default of 10.244.0.0/16, the mask shown here (255.255.255.0, a /24) only routes pods on the first node's slice; use 255.255.0.0 for a /16. Check the chart's values.yaml for the matching service-network keys as well if clients need to reach ClusterIP services through the tunnel.
Deploy and verify
1. Deploy the openvpn application
```
[root@master-dev helm-chart]# helm install my-openvpn openvpn/
NAME: my-openvpn
LAST DEPLOYED: Tue Jul 7 14:31:04 2020
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
OpenVPN is now starting. Please be aware that certificate generation is variable and may take some time (minutes).
Check pod status with the command:

POD_NAME=$(kubectl get pods --namespace "default" -l app=openvpn -o jsonpath='{ .items[0].metadata.name }') && kubectl --namespace "default" logs $POD_NAME --follow

LoadBalancer ingress creation can take some time as well. Check service status with the command:

kubectl --namespace "default" get svc

You set the service type to NodePort, port 32085 will be used on each node.

Once the external IP is available and all the server certificates are generated create client key .ovpn files by pasting the following into a shell:

POD_NAME=$(kubectl get pods --namespace "default" -l "app=openvpn,release=my-openvpn" -o jsonpath='{ .items[0].metadata.name }')
SERVICE_NAME=$(kubectl get svc --namespace "default" -l "app=openvpn,release=my-openvpn" -o jsonpath='{ .items[0].metadata.name }')
SERVICE_IP=$(kubectl get svc --namespace "default" "$SERVICE_NAME" -o go-template='{{ range $k, $v := (index .status.loadBalancer.ingress 0)}}{{ $v }}{{end}}')
KEY_NAME=kubeVPN
kubectl --namespace "default" exec -it "$POD_NAME" /etc/openvpn/setup/newClientCert.sh "$KEY_NAME" "$SERVICE_IP"
kubectl --namespace "default" exec -it "$POD_NAME" cat "/etc/openvpn/certs/pki/$KEY_NAME.ovpn" > "$KEY_NAME.ovpn"

Revoking certificates works just as easy:

KEY_NAME=<name>
POD_NAME=$(kubectl get pods -n "default" -l "app=openvpn,release=my-openvpn" -o jsonpath='{.items[0].metadata.name}')
kubectl -n "default" exec -it "$POD_NAME" /etc/openvpn/setup/revokeClientCert.sh $KEY_NAME

Copy the resulting $KEY_NAME.ovpn file to your open vpn client (ex: in tunnelblick, just double click on the file). Do this for each user that needs to connect to the VPN. Change KEY_NAME for each additional user.
```
Below is a tidied-up script for generating the client key. It is the same sequence the chart printed in the NOTES above, with two parameters you need to change: KEY_NAME and SERVICE_IP. The NOTES compute SERVICE_IP from `.status.loadBalancer.ingress`, which is empty for a NodePort service, so that go-template fails; with NodePort you set SERVICE_IP by hand to an IP of a node that the client can reach, and the server port is the NodePort printed in the NOTES (32085 here), not the chart's internal service port, so check the `remote` line of the generated profile before handing it out. When the script finishes it produces a file named wangwu.ovpn, which the client uses as its connection credential. That file embeds the client's private key (generated without a passphrase), so treat it like a password: send it over a secure channel, keep it mode 0600, and revoke the certificate with revokeClientCert.sh when the user no longer needs access.
```bash
$ cat get_clientkey.sh
#!/bin/bash
set -euo pipefail
NAMESPACE=default
POD_NAME=$(kubectl get pods --namespace "$NAMESPACE" -l "app=openvpn,release=my-openvpn" -o jsonpath='{ .items[0].metadata.name }')
SERVICE_IP=10.169.68.142   # a node IP the client can reach (NodePort service)
KEY_NAME=wangwu
# no -t: a TTY turns the profile's line endings into CRLF, which OpenVPN clients may reject
kubectl --namespace "$NAMESPACE" exec "$POD_NAME" -- /etc/openvpn/setup/newClientCert.sh "$KEY_NAME" "$SERVICE_IP"
kubectl --namespace "$NAMESPACE" exec "$POD_NAME" -- cat "/etc/openvpn/certs/pki/$KEY_NAME.ovpn" > "$KEY_NAME.ovpn"
chmod 600 "$KEY_NAME.ovpn"   # the profile contains the client's private key
$ chmod +x get_clientkey.sh && ./get_clientkey.sh
```

Compared with the NOTES version, the shebang is fixed (`# !/bin/bash` with a space is not a valid shebang), the unused SERVICE_NAME lookup is dropped because SERVICE_IP is set by hand, and the `exec` calls use the `--` separator, which newer kubectl releases require.
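The profile that comes out of the pod is worth checking before it goes to a user. The following added example (my own code, not from the original post or the chart) strips any CRs introduced by a TTY, verifies that the inline `<ca>`, `<cert>` and `<key>` blocks are present, and rewrites the `remote` line to the node IP and NodePort the client will actually connect to. The required block list, the NodePort lookup via `.spec.ports[0].nodePort`, and the sample profile in `make_sample_profile` are assumptions; `demo` runs offline on that constructed profile.

```bash
#!/usr/bin/env bash
# Added example: post-process a client .ovpn pulled out of the OpenVPN pod.
# The inline blocks expected below and the sample profile are assumptions.
set -euo pipefail

REQUIRED_BLOCKS="ca cert key"   # assumption: what newClientCert.sh inlines

# Strip CRs (kubectl exec -t adds them) and fail if a required block is missing.
check_ovpn() {
    local file=$1 tag
    tr -d '\r' < "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    for tag in $REQUIRED_BLOCKS; do
        grep -q "^<$tag>" "$file" && grep -q "^</$tag>" "$file" \
            || { echo "missing <$tag> block in $file" >&2; return 1; }
    done
    grep -qE 'BEGIN (RSA |EC )?PRIVATE KEY' "$file" \
        || { echo "no private key in $file" >&2; return 1; }
    return 0
}

# Rewrite (or append) the remote directive, keeping any protocol token on the line.
set_remote() {
    local file=$1 host=$2 port=$3
    awk -v h="$host" -v p="$port" '
        /^remote / { printf "remote %s %s", h, p; if ($4 != "") printf " %s", $4; print ""; seen=1; next }
        { print }
        END { if (!seen) print "remote " h " " p }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Print "<host> <port>" from the first remote line.
get_remote() { awk '/^remote /{print $2, $3; exit}' "$1"; }

# Live version: fetch the profile, then pin it to a node IP and the service's NodePort.
# Needs kubectl and a deployed release; not executed by demo().
fetch_and_fix() {
    local ns=$1 release=$2 key=$3 node_ip=$4 pod port
    pod=$(kubectl -n "$ns" get pods -l "app=openvpn,release=$release" -o jsonpath='{.items[0].metadata.name}')
    port=$(kubectl -n "$ns" get svc -l "app=openvpn,release=$release" -o jsonpath='{.items[0].spec.ports[0].nodePort}')
    kubectl -n "$ns" exec "$pod" -- cat "/etc/openvpn/certs/pki/$key.ovpn" > "$key.ovpn"
    check_ovpn "$key.ovpn" && set_remote "$key.ovpn" "$node_ip" "$port"
    chmod 600 "$key.ovpn"
}

# Constructed sample: CRLF line endings and the chart's internal port instead of the NodePort.
make_sample_profile() {
    printf 'client\r\nremote 10.169.68.142 443 tcp\r\n<ca>\r\nCA\r\n</ca>\r\n<cert>\r\nCERT\r\n</cert>\r\n<key>\r\n-----BEGIN PRIVATE KEY-----\r\nKEY\r\n-----END PRIVATE KEY-----\r\n</key>\r\n' > "$1"
}

demo() {
    local f; f=$(mktemp)
    make_sample_profile "$f"
    check_ovpn "$f"
    set_remote "$f" 10.169.68.142 32085
    get_remote "$f"   # prints: 10.169.68.142 32085
    rm -f "$f"
}

demo
```

On a real deployment call `fetch_and_fix default my-openvpn wangwu 10.169.68.142`; the resulting `wangwu.ovpn` then points at the node and port the NOTES advertised, and a profile with a truncated or absent key block is rejected instead of being shipped to a user.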
2. Verify with the client
Put the .ovpn file into the `config` directory under the OpenVPN installation directory (OpenVPN\config on Windows) and connect.
Receiving an IP address after connecting shows the tunnel came up, but that only proves the TLS handshake and address assignment worked. To confirm the deployment is actually usable, check that the pod network route was pushed (`route print` on Windows, `ip route` on Linux, should list the network from OVPN_K8S_POD_NETWORK via the tunnel adapter) and then ping a pod IP taken from `kubectl get pods -A -o wide`. If the route is present but pods do not answer, the netmask in values.yaml is the first thing to re-check.