TommyLau / docker-ocserv

Docker OpenConnect VPN Server

k8s yaml for the vpn server #21

Open JuneZhao opened 6 years ago

JuneZhao commented 6 years ago

Came across the image here and wonder whether you have the example yaml file to deploy it to k8s?

I noticed it needs two ports, 443 and 443/udp. I find it impossible to expose the service on k8s?

Any help?

TommyLau commented 6 years ago

Port 443 TCP/UDP is needed to be compatible with Cisco AnyConnect.

If you are not using AnyConnect as the client, you can change the port to any number you like.

And you might need root privilege to use port 443.

JuneZhao commented 6 years ago

@TommyLau Really appreciate your explanation, so I would like to know the following things:

-p 443:443 -p 443:443/udp

So can I change it to 443:443/tcp 8443:443/udp so that I can deploy to k8s, since two identical ports look impossible to map in my k8s cluster?

By the way, the certificate is integrated into the image, right? Every time I try to connect, the credentials are the only thing needed, right? :)

JuneZhao commented 6 years ago

@TommyLau I have successfully deployed to my k8s cluster. I just would like to know where I can find the certificate so that I don't need to input credentials every time?

Under certs I see the following:

/etc/ocserv/certs # ls
ca-key.pem ca.pem ca.tmpl server-cert.pem server-key.pem server.tmpl

Where is the p12?

TommyLau commented 6 years ago

You should reference the documentation from Docker here: https://docs.docker.com/engine/reference/commandline/run/

By default ocserv will run on port 443 only, and the first number is the port to be exposed in the container; you should change the latter one, not the first one, if you really want to provide the services on ports other than 443.

For example: -p 443:8443 -p 443:9443/udp

That is to say, it will listen on your host's 8443 TCP and 9443 UDP.

The certificate is not integrated; it will be generated the first time you create and run the container (you can check out the scripts), and only username / password is needed for the default setting. Or you can change to certificate authentication as you wish by modifying the config files.

TommyLau commented 6 years ago

You can generate your own certificate without using Docker or ocserv.

  1. Download an ocserv copy from the official website
  2. Generate your own certificates
  3. Modify config files as your needs
  4. Upload config & certificate files to your host
  5. Docker run with the volume mount options

For example:

docker run --name test -v /some/path:/etc/ocserv tommylau/ocserv

Make sure you have ocserv.conf in directory /some/path, change accordingly.

JuneZhao commented 6 years ago

@TommyLau It is something different from what I thought. Here is my yaml file; I thought the latter part was the container port....

apiVersion: v1
kind: Service
metadata:
  name: ocservsrv
  labels:
    app: ocserv
spec:
  type: NodePort
  ports:

Thanks for the certification part I will try that :)
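A complete manifest for the situation discussed in this thread, added here as an example; it is not from the thread participants or the docker-ocserv project. It assumes the container listens on 443/tcp and 443/udp as stated above, that a PersistentVolumeClaim named ocserv-config (hypothetical) holds the ocserv.conf and certs mounted at /etc/ocserv, and that ocserv needs a tun device plus the NET_ADMIN capability (an assumption to verify against your deployment). The point it demonstrates is that a Kubernetes Service can carry port 443 twice as long as the protocol differs and each entry has a distinct name, which is what the flattened Service above was missing.

```yaml
# Added example, not the project's own manifest.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ocserv
  labels:
    app: ocserv
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ocserv
  template:
    metadata:
      labels:
        app: ocserv
    spec:
      containers:
      - name: ocserv
        image: tommylau/ocserv
        ports:
        - name: vpn-tcp        # same number twice is fine: protocol differs, names differ
          containerPort: 443
          protocol: TCP
        - name: vpn-udp
          containerPort: 443
          protocol: UDP
        securityContext:
          # Assumption: ocserv needs to create a tun interface and routes.
          # Grant the single capability instead of privileged: true.
          capabilities:
            add: ["NET_ADMIN"]
        volumeMounts:
        - name: tun
          mountPath: /dev/net/tun
        - name: config
          mountPath: /etc/ocserv   # same path as the docker -v example in the thread
      volumes:
      - name: tun
        hostPath:
          path: /dev/net/tun
          type: CharDevice
      - name: config
        persistentVolumeClaim:
          claimName: ocserv-config   # hypothetical PVC with ocserv.conf and certs
---
apiVersion: v1
kind: Service
metadata:
  name: ocservsrv
  labels:
    app: ocserv
spec:
  type: NodePort
  selector:
    app: ocserv
  ports:
  # Kubernetes de-duplicates Service ports by (port, protocol), so one
  # TCP entry and one UDP entry on 443 coexist; the names must differ.
  - name: vpn-tcp
    port: 443
    targetPort: 443
    protocol: TCP
    nodePort: 30443
  - name: vpn-udp
    port: 443
    targetPort: 443
    protocol: UDP
    nodePort: 30443
```

Two caveats for practice: a NodePort lands in the 30000-32767 range by default, so clients would connect to 30443 rather than 443 unless a LoadBalancer or a hostPort on the node fronts it (AnyConnect expects TCP and UDP on the same port, as the thread notes); and if ocserv still cannot create its tun device under NET_ADMIN alone, widen the capability set deliberately rather than reaching for privileged: true, and keep /etc/ocserv on a volume so the generated CA and server key survive pod restarts.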