vpn: fix incoming connections routing

2026-01-10 17:39:43 +00:00 · 2022-03-19 23:28:05 +07:00 · 2022-03-19 23:28:05 +07:00 · 06695bd03a
commit 06695bd03a
parent 970f7be74b
4 changed files with 34 additions and 0 deletions
--- a/apps/system/vpn/daemonset.yaml
+++ b/apps/system/vpn/daemonset.yaml
@ -26,6 +26,10 @@ spec:
        - name: vpn-conf
          configMap:
            name: vpn-conf
+        - name: vpn-scripts
+          configMap:
+            name: vpn-scripts
+            defaultMode: 0555
        - name: vpn-creds
          secret:
            secretName: vpn-creds
@ -41,6 +45,12 @@ spec:
            - /vpn/vpn.conf
            - --auth-user-pass
            - /vpn/creds
+            - --script-security
+            - "2"
+            - --up
+            - /vpn-scripts/up.sh
+            - --down
+            - /vpn-scripts/down.sh
          securityContext:
            privileged: true
            capabilities:
@ -55,5 +65,8 @@ spec:
              mountPath: /vpn/creds
              subPath: creds
              readOnly: true
+            - name: vpn-scripts
+              mountPath: /vpn-scripts
+              readOnly: true
            - mountPath: /dev/net/tun
              name: dev-net-tun
--- a/apps/system/vpn/kustomization.yaml
+++ b/apps/system/vpn/kustomization.yaml
@ -7,3 +7,7 @@ configMapGenerator:
  - name: vpn-conf
    files:
      - vpn.conf=Fastestvpn_ovpn/UDP_Files/Sweden2-UDP.ovpn
+  - name: vpn-scripts
+    files:
+      - up.sh=scripts/up.sh
+      - down.sh=scripts/down.sh
--- a/apps/system/vpn/scripts/down.sh
+++ b/apps/system/vpn/scripts/down.sh
@ -0,0 +1,9 @@
+#!/bin/sh
+# see https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux
+
+sudo ip rule delete from 192.168.1.8/32 table 42
+sudo ip rule delete from 10.244.0.0/16 table 42
+sudo ip rule delete from 192.168.1.8/32 to 10.244.0.0/16 table main
+sudo ip rule delete from 10.244.0.0/16 to 10.244.0.0/16 table main
+sudo ip route flush table 42
+
--- a/apps/system/vpn/scripts/up.sh
+++ b/apps/system/vpn/scripts/up.sh
@ -0,0 +1,8 @@
+#!/bin/sh
+# see https://community.openvpn.net/openvpn/wiki/Concepts-PolicyRouting-Linux
+
+ip route add table 42 default via 192.168.1.1
+ip rule add from 192.168.1.8/32 table 42
+ip rule add from 10.244.0.0/16 table 42
+ip rule add from 192.168.1.8/32 to 10.244.0.0/16 table main
+ip rule add from 10.244.0.0/16 to 10.244.0.0/16 table main