Lab 07: VPN Connection Between OKS and a VM Network
Lab Objectives
By the end of this lab, you will be able to:
- Create an IPsec VPN connection from an OKS cluster
- Understand the role of the following components:
  - Virtual Gateway
  - Client Gateway
  - VPN Tunnel
- Configure a StrongSwan VPN client on the VM side
- Test connectivity OKS Pod ↔ VM through the VPN tunnel
Environment Preparation
Before starting this lab, make sure you have the following:
- An OKS cluster. 👉 Click here to access the OKS cluster creation lab if not already done.
- A virtual machine (VM) in a private network, hosted in another NET. 👉 Click here to access the VM creation lab in a private network if not already done.
Creating the VPN Connection from the OKS Cluster
The VPN connection is created using a Kubernetes custom resource of type VpnConnection.
This resource allows OKS to automatically configure:
- a Virtual Gateway
- an IPsec VPN connection
- automatic generation of the pre-shared key (PSK)
- storage of the VPN client configuration
Step 1: Create the VpnConnection resource
Create a file named vpn-connection.yaml with the following content:

```yaml
apiVersion: oks.dev/v1beta
kind: VpnConnection
metadata:
  name: oks-vpn
spec:
  publicIp: <VM_PUBLIC_IP>
  bgpAsn: 65000
  staticRoutesOnly: true
  vpnRoutes:
    - 10.10.0.0/16
  clientGatewayConfigurationStorage:
    namespace: default
    configMapName: oks-vpn-config
    secretName: oks-vpn-secret
```

Description of main fields
- publicIp: public IP address of the VM acting as the Client Gateway
- bgpAsn: autonomous system number (ASN) used to identify the Client Gateway
- staticRoutesOnly: indicates that static routing is used
- vpnRoutes: CIDR range of the remote network (the VM network)
- clientGatewayConfigurationStorage: defines where OKS stores the VPN client configuration (namespace, ConfigMap name and Secret name)
Apply the configuration to the OKS cluster:
```shell
kubectl apply -f vpn-connection.yaml
```

Check VPN Connection Status
After creating the resource, verify that the VPN connection is properly registered by OKS:
```shell
kubectl get vpnc
```

Example expected output:

```text
NAME      VPN CONNECTION ID   VPN CONNECTION STATE   VGW PUBLIC IP   TUNNEL STATE   TUNNEL STATE DESCRIPTION
oks-vpn   vpn-2210a74d        available              142.44.58.83    DOWN           IPSEC IS DOWN
```

At this stage the tunnel state is DOWN, which is expected: the connection is registered on the OKS side, but the Client Gateway on the VM has not been configured yet.

Resources Automatically Created by OKS
After creating the VpnConnection resource, OKS automatically creates two Kubernetes objects in the target namespace:
- a Secret storing the pre-shared key (PSK)
- a ConfigMap storing the Client Gateway configuration (Virtual Gateway IP, tunnel parameters, etc.)
Secret: PRE_SHARED_KEY (PSK)
The oks-vpn-secret Secret contains the pre-shared key used for IPsec authentication between the Client Gateway and the OKS Virtual Gateway.
Display the Secret:
```shell
kubectl get secret oks-vpn-secret -o yaml
```

Relevant excerpt:

```yaml
data:
  PRE_SHARED_KEY: XXXXXXXXXXXXXXXXXXXX
kind: Secret
type: Opaque
```

- The value is Base64-encoded (as in every Kubernetes Secret, this is an encoding, not encryption); decode it before use.
- This key must be used on the VM side when configuring StrongSwan.
ConfigMap: Client Gateway Configuration
The oks-vpn-config ConfigMap contains all the parameters required to configure the VPN client.
Display the ConfigMap:
```shell
kubectl get configmap oks-vpn-config -o yaml
```

Main field:

```yaml
data:
  CGW_CONFIGURATION_JSON: '{...}'
```

This JSON includes:
- the Client Gateway ID
- the Virtual Gateway ID
- the public IPs of the VPN endpoints
- the internal tunnel IP ranges
- IKE and IPsec parameters:
  - encryption algorithms
  - authentication
  - lifetimes
  - DPD (Dead Peer Detection)
  - Perfect Forward Secrecy
Configuring the Client Gateway (StrongSwan) on the VM
In this step, we configure the VM to establish the IPsec VPN tunnel with the OKS Virtual Gateway, using the information provided in the ConfigMap and Secret.
Retrieve the pre_shared_key (PSK)
The pre-shared key is stored in the oks-vpn-secret Secret in Base64 format.
Retrieve the key:
```shell
kubectl get secret oks-vpn-secret \
  -o jsonpath='{.data.PRE_SHARED_KEY}' | base64 -d
```

Save this value: it will be used in the StrongSwan configuration.
Identify VPN tunnel parameters
From the oks-vpn-config ConfigMap, identify the following:
- the Virtual Gateway public IP
- the Client Gateway public IP
- the internal tunnel IP ranges (169.254.x.x/30)
- the IKE / IPsec cryptographic parameters
These values are located in the CGW_CONFIGURATION_JSON field.
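The two previous steps (decoding the PSK from the Secret and picking the tunnel parameters out of CGW_CONFIGURATION_JSON) are easy to get subtly wrong by hand: a stray newline in the copied key or the wrong address of a /30 makes IKE fail with little diagnostic output. The following Python script is an added example for this lab, not OKS code; since the lab only shows the JSON as '{...}', the field names in SAMPLE_CGW_JSON (vgw_public_ip, tunnel_inside_cidr, ike, ipsec, dpd, ...) are a constructed assumption that must be checked against the real ConfigMap, and the Base64 sample stands in for the output of the kubectl jsonpath command above.

```python
"""Turn the values OKS publishes for the VPN (the PRE_SHARED_KEY Secret and the
CGW_CONFIGURATION_JSON ConfigMap field) into StrongSwan-ready parameters.

Added example for this lab, not OKS code. The JSON layout below is a
constructed assumption: the lab only shows '{...}', so the field names used
here must be checked against the real ConfigMap on your cluster.
"""
import base64
import ipaddress
import json

# Constructed sample: what `kubectl get secret ... -o jsonpath='{.data.PRE_SHARED_KEY}'`
# returns (Base64 of the raw key), i.e. the value before `base64 -d`.
SAMPLE_PSK_B64 = base64.b64encode(b"example-psk-Q7v3x9Lm2Ka8").decode("ascii")

# Constructed sample of CGW_CONFIGURATION_JSON. Every field name is hypothetical.
SAMPLE_CGW_JSON = json.dumps({
    "client_gateway_id": "cgw-example",
    "virtual_gateway_id": "vgw-example",
    "vgw_public_ip": "142.44.58.83",   # the VGW PUBLIC IP shown by `kubectl get vpnc`
    "cgw_public_ip": "203.0.113.10",   # documentation address standing in for <VM_PUBLIC_IP>
    "tunnel_inside_cidr": "169.254.10.0/30",
    "ike": {"version": 2, "encryption": "aes256", "integrity": "sha256",
            "dh_group": 14, "lifetime_seconds": 28800},
    "ipsec": {"encryption": "aes256", "integrity": "sha256",
              "pfs_group": 14, "lifetime_seconds": 3600},
    "dpd": {"interval_seconds": 10, "timeout_seconds": 30},
})

# IANA IKE Diffie-Hellman group numbers -> strongSwan proposal keywords.
DH_GROUPS = {2: "modp1024", 5: "modp1536", 14: "modp2048", 15: "modp3072",
             16: "modp4096", 19: "ecp256", 20: "ecp384", 21: "ecp521"}


def decode_psk(psk_b64: str) -> str:
    """Decode the Secret value and reject keys that would silently mismatch.

    The Secret stores the key Base64-encoded, not encrypted. Both peers must
    use exactly the same bytes, so surrounding whitespace (typically a newline
    picked up while copying) is reported as an error instead of being stripped.
    """
    raw = base64.b64decode(psk_b64, validate=True)
    psk = raw.decode("ascii")
    if psk != psk.strip():
        raise ValueError("PSK has leading/trailing whitespace: re-copy the decoded value")
    if len(psk) < 16:
        raise ValueError("PSK is suspiciously short: check the Secret was decoded in full")
    return psk


def tunnel_inside_addresses(cidr: str) -> tuple[str, str]:
    """Return the two usable addresses of a /30 tunnel inside range.

    OKS hands out link-local 169.254.x.x/30 ranges; a /30 has exactly two host
    addresses, one per tunnel end. Which end owns which address is stated in
    the ConfigMap, not derived here.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen != 30:
        raise ValueError(f"expected an IPv4 /30, got {cidr}")
    if not net.is_link_local:
        raise ValueError(f"tunnel inside range is not within 169.254.0.0/16: {cidr}")
    first, second = net.hosts()
    return str(first), str(second)


def proposal(params: dict, group_key: str) -> str:
    """Build a strongSwan proposal string such as aes256-sha256-modp2048."""
    group_number = params[group_key]
    if group_number not in DH_GROUPS:
        raise ValueError(f"unsupported DH/PFS group {group_number}")
    return f"{params['encryption']}-{params['integrity']}-{DH_GROUPS[group_number]}"


def summarize(cgw_json: str, psk_b64: str) -> dict:
    """Collect everything the StrongSwan side needs from the two OKS objects."""
    cfg = json.loads(cgw_json)
    inside_a, inside_b = tunnel_inside_addresses(cfg["tunnel_inside_cidr"])
    return {
        "vgw_public_ip": cfg["vgw_public_ip"],
        "cgw_public_ip": cfg["cgw_public_ip"],
        "tunnel_inside": (inside_a, inside_b),
        "ike_version": cfg["ike"]["version"],
        "ike_proposal": proposal(cfg["ike"], "dh_group"),
        "esp_proposal": proposal(cfg["ipsec"], "pfs_group"),
        "ike_lifetime": cfg["ike"]["lifetime_seconds"],
        "ipsec_lifetime": cfg["ipsec"]["lifetime_seconds"],
        "dpd_delay": cfg["dpd"]["interval_seconds"],
        "dpd_timeout": cfg["dpd"]["timeout_seconds"],
        "psk": decode_psk(psk_b64),
    }


if __name__ == "__main__":
    # Print the summary without echoing the key itself to the terminal.
    for key, value in summarize(SAMPLE_CGW_JSON, SAMPLE_PSK_B64).items():
        print(f"{key:16} {'<redacted>' if key == 'psk' else value}")
```

To use it against a real cluster, feed the output of the two kubectl commands above into `summarize()` instead of the constructed samples, after adjusting the JSON key names to whatever the real CGW_CONFIGURATION_JSON contains. The proposal strings it produces are in the form strongSwan expects, so they can be pasted into the StrongSwan configuration of the next step.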
Configure StrongSwan
👉 Click here to access the StrongSwan installation and configuration lab
Verify Tunnel Status on OKS Side
Return to the OKS cluster and check the VPN tunnel status:
```shell
kubectl get vpnc oks-vpn
```

Output:

```text
NAME      VPN CONNECTION ID   VPN CONNECTION STATE   VGW PUBLIC IP   TUNNEL STATE   TUNNEL STATE DESCRIPTION
oks-vpn   vpn-2210a74d        available              142.44.58.83    UP             IPSEC IS UP
```

Test Connectivity
Deploy a test pod in the OKS cluster:

```shell
kubectl run vpn-test-pod \
  --image=alpine \
  --restart=Never \
  -it -- sh
```

From the pod, test connectivity to the VM:

```shell
ping <VM_PRIVATE_IP>
```

If the configuration is correct, replies should be received:

```text
If you don't see a command prompt, try pressing enter.
/ # ping 10.1.0.32
PING 10.1.0.32 (10.1.0.32): 56 data bytes
64 bytes from 10.1.0.32: seq=0 ttl=60 time=2.250 ms
64 bytes from 10.1.0.32: seq=1 ttl=60 time=2.112 ms
64 bytes from 10.1.0.32: seq=2 ttl=60 time=2.183 ms
64 bytes from 10.1.0.32: seq=3 ttl=60 time=2.001 ms
64 bytes from 10.1.0.32: seq=4 ttl=60 time=2.031 ms
64 bytes from 10.1.0.32: seq=5 ttl=60 time=2.053 ms
```