The module is not enabled by default in any bundles.

How to explicitly enable the module…

Set the spec.enabled module parameter to true or false in the ModuleConfig/openvpn resource (create it, if necessary) to explicitly enable or disable the module, or use the deckhouse-controller module command in the d8-system/deckhouse pod.

Example of enabling the module:

  • by using the ModuleConfig resource:

    apiVersion: deckhouse.io/v1alpha1
    kind: ModuleConfig
    metadata:
      name: openvpn
    spec:
      enabled: true
    
  • by using the deckhouse-controller command (you need a kubectl, configured to work with the cluster):

    kubectl -ti -n d8-system exec svc/deckhouse-leader -c deckhouse -- deckhouse-controller module enable openvpn
    

Example of disabling the module:

  • by using the ModuleConfig resource:

    apiVersion: deckhouse.io/v1alpha1
    kind: ModuleConfig
    metadata:
      name: openvpn
    spec:
      enabled: false
    
  • by using the deckhouse-controller command (you need a kubectl, configured to work with the cluster):

    kubectl -ti -n d8-system exec svc/deckhouse-leader -c deckhouse -- deckhouse-controller module disable openvpn
    

The module is configured using the ModuleConfig custom resource named openvpn (learn more about setting up Deckhouse…).

Example of the ModuleConfig/openvpn resource for configuring the module:

apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: openvpn
spec:
  version: 2
  enabled: true
  settings: # <-- Module parameters from the "Parameters" section below.

Parameters

Schema version: 2

  • settings
    object
    • settings.auth
      object

      Options related to authentication or authorization in the application.

      • settings.auth.allowedUserGroups
        array of strings

        An array of user groups that can access the OpenVPN admin panel.

        This parameter is used if the user-authn module is enabled or the externalAuthentication parameter is set.

        Caution! Note that you must add those groups to the appropriate field in the DexProvider config if this module is used together with the user-authn one.

      • settings.auth.externalAuthentication
        object

        Parameters to enable external authentication based on the NGINX Ingress external-auth mechanism that uses the Nginx auth_request module.

        Note! External authentication is enabled automatically if the user-authn module is enabled.

        • settings.auth.externalAuthentication.authSignInURL
          string

          The URL to redirect the user for authentication (if the authentication service returned a non-200 HTTP response code).

        • settings.auth.externalAuthentication.authURL
          string

          The URL of the authentication service. If the user is authenticated, the service should return an HTTP 200 response code.

      • settings.auth.whitelistSourceRanges
        array of strings

        The CIDR range for which authentication to access the OpenVPN is allowed.

    • settings.externalHost
      string

      An IP address or a domain clients use to connect to the OpenVPN server.

      By default, data from an openvpn-external service are used.

    • settings.externalIP
      string

      The IP address of a cluster node to connect OpenVPN clients.

      It is only required if the ExternalIP inlet is used.

    • settings.externalPort
      integer

      The port to expose on the externalIP or load balancer.

      Default: 5416

    • settings.highAvailability
      boolean

      Manually enable the high availability mode.

      By default, Deckhouse automatically decides whether to enable the HA mode. Click here to learn more about the HA mode for modules.

    • settings.hostPort
      integer

      Port to connect to the OpenVPN server, which will be available on the node where it is scheduled.

      The parameter is available when selecting inlet HostPort.

      Default: 5416

    • settings.https
      object

      What certificate type to use with the OpenVPN admin panel.

      This parameter completely overrides the global.modules.https settings.

      • settings.https.certManager
        object
        • settings.https.certManager.clusterIssuerName
          string

          What ClusterIssuer to use for the OpenVPN admin panel (currently, letsencrypt, letsencrypt-staging, selfsigned are available; also, you can define your own).

          Currently, letsencrypt, letsencrypt-staging, selfsigned are available. Also, you can define your own.

          Default: "letsencrypt"

      • settings.https.customCertificate
        object
        • settings.https.customCertificate.secretName
          string

          The name of the Secret in the d8-system namespace to use with the OpenVPN admin panel (this Secret must have the kubernetes.io/tls format).

          Default: "false"

      • settings.https.mode
        string

        The HTTPS usage mode:

        • CertManager — the OpenVPN admin panel will use HTTPS and get a certificate from the ClusterIssuer defined in the certManager.clusterIssuerName parameter.
        • CustomCertificate — the OpenVPN admin panel will use the certificate from the d8-system namespace for HTTPS.
        • Disabled — in this mode, the OpenVPN admin panel works over HTTP only.
        • OnlyInURI — the OpenVPN admin panel will work over HTTP (thinking that there is an external HTTPS load balancer in front of it that terminates HTTPS traffic). All the links in the user-authn will be generated using the HTTPS scheme. Load balancer should provide a redirect from HTTP to HTTPS.

        Allowed values: Disabled, CertManager, CustomCertificate, OnlyInURI

    • settings.ingressClass
      string

      The class of the Ingress controller used for the OpenVPN admin panel.

      By default, the modules.ingressClass global value is used.

      Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$

    • settings.inlet
      string

      The way the connection is implemented.

      The following inlet types are supported:

      • ExternalIP — when there are nodes with public IPs. It is used together with the externalIP parameter.
      • LoadBalancer — for all cloud providers and cloud-based placement strategies that support the provision of LoadBalancers.
      • HostPort — the port of the OpenVPN server will be available on the node where it is scheduled. The port can be configured in the hostPort parameter.
      • Direct — for non-standard cases. You need to create a service called openvpn-external in the d8-openvpn namespace. It will route traffic to the Pod with the app: openvpn label to the port called ovpn-tcp (or just 1194). This service provides the externalIP, the IP address of the balancer or its host. If none of these are present, you need to specify the externalHost parameter.

      Allowed values: ExternalIP, LoadBalancer, HostPort, Direct

    • settings.loadBalancer
      object

      A section of optional parameters of the LoadBalancer inlet.

      • settings.loadBalancer.annotations
        object

        Annotations to assign to the service for flexible configuration of the load balancer.

        Note that module does not take into account the specifics of setting annotations in different clouds. If annotations for the provision of the load balancer are only used when the service is being created, then you need to restart the module (disable/enable it) to update them.

      • settings.loadBalancer.sourceRanges
        array of strings

        A list of CIDRs that are allowed to connect to the Load Balancer.

        The cloud provider may not support this option or ignore it.

    • settings.nodeSelector
      object

      The same as in the Pods’ spec.nodeSelector parameter in Kubernetes.

      If the parameter is omitted or false, it will be determined automatically.

    • settings.pmacctEnabled
      boolean

      Enable logging of user’s activity via VPN in JSON format.

      All connections within tun interfaces will be collected via libpcap and logged as {"event_type": "purge", "ip_src": "172.25.175.10", "ip_dst": "10.222.0.10", "port_src": 32172, "port_dst": 53, "ip_proto": "udp", "packets": 1, "bytes": 53}

      Default: false

    • settings.pushDefaultGatewayToClient
      boolean

      Routing all client traffic through the VPN. A default route will be added to clients.

      Default: false

    • settings.pushToClientDNS
      string

      The IP address of the DNS server to send to clients upon connection.

      By default, the IP address of the kube-system/kube-dns service is used.

    • settings.pushToClientRoutes
      array of strings

      A list of routes to send to clients upon their connection.

      By default, this list is generated automatically using the local cluster network, service subnet, and Pod subnet.

      Example:

      pushToClientRoutes:
      - 172.25.176.0/24
      - 172.25.178.0/255.255.255.0
      
    • settings.pushToClientSearchDomains
      array of strings

      A list of search domains to send to clients upon connection.

      The default value is a value from the global.discovery.clusterDomain variable.

    • settings.tcpEnabled
      boolean

      Default: true

    • settings.tolerations
      array of objects

      The same as in the Pods’ spec.tolerations parameter in Kubernetes.

      If the parameter is omitted or false, it will be determined automatically.

      • settings.tolerations.effect
        string
      • settings.tolerations.key
        string
      • settings.tolerations.operator
        string
      • settings.tolerations.tolerationSeconds
        integer
      • settings.tolerations.value
        string
    • settings.tunnelNetwork
      string

      Tunnel network for OpenVPN server.

      Default: "172.25.175.0/24"

      Examples:

      tunnelNetwork: 172.25.175.0/24
      
      tunnelNetwork: 172.25.178.0/255.255.255.0
      
    • settings.udpEnabled
      boolean

      Default: false

Authentication

user-authn module provides authentication by default. You can also configure authentication using the externalAuthentication parameter. If these options are disabled, the module will use basic auth with the auto-generated password.

Use kubectl to see password:

kubectl -n d8-system exec svc/deckhouse-leader -c deckhouse -- deckhouse-controller module values openvpn -o json | jq '.openvpn.internal.auth.password'

Delete the Secret to re-generate password:

kubectl -n d8-openvpn delete secret/basic-auth

Note! The auth.password parameter is deprecated.