gardener / vpn2

Network connector between the control plane (deployed in a Seed cluster) and a Shoot cluster superseding the vpn repository.
Apache License 2.0

Connection issues when NODE_NETWORK is not set #31

Open schrodit opened 1 year ago

schrodit commented 1 year ago

What happened:

When the VPN server has no NODE_NETWORK configured, it will constantly reconnect.

Configuring a dummy value temporarily fixes the issue.

server (seed):

using openvpn_network=192.168.123.0/24
2023-04-17 10:39:28 WARNING: file '/srv/secrets/vpn-server/tls.key' is group or others accessible
2023-04-17 10:39:28 OpenVPN 2.5.6 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 17 2022
2023-04-17 10:39:28 library versions: OpenSSL 1.1.1s  1 Nov 2022, LZO 2.10
2023-04-17 10:39:28 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2023-04-17 10:39:28 TUN/TAP device tun0 opened
2023-04-17 10:39:28 /sbin/ip link set dev tun0 up mtu 1500
2023-04-17 10:39:28 /sbin/ip link set dev tun0 up
2023-04-17 10:39:28 /sbin/ip addr add dev tun0 192.168.123.1/24
2023-04-17 10:39:28 /firewall.sh on tun0 tun0 1500 1623 192.168.123.1 255.255.255.0 init
2023-04-17 10:39:28 Listening for incoming TCP connection on [AF_INET][undef]:1194
2023-04-17 10:39:28 TCPv4_SERVER link local (bound): [AF_INET][undef]:1194
2023-04-17 10:39:28 TCPv4_SERVER link remote: [AF_UNSPEC]
2023-04-17 10:39:28 Initialization Sequence Completed
2023-04-17 10:39:29 TCP connection established with [AF_INET]10.40.0.1:45364
2023-04-17 10:39:29 10.40.0.1:45364 Connection reset, restarting [0]
2023-04-17 10:39:37 TCP connection established with [AF_INET]10.40.0.1:47204

client (shoot):

[Mon Apr 17 09:43:46 UTC 2023]: using vpn-seed-server, dev tun0
[Mon Apr 17 09:43:46 UTC 2023]: openvpn --dev tun0 --remote api.fra.codesphere.internal.gardener.codesphere.com. --config openvpn.config
2023-04-17 09:43:46 OpenVPN 2.5.6 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 17 2022
2023-04-17 09:43:46 library versions: OpenSSL 1.1.1s  1 Nov 2022, LZO 2.10
2023-04-17 09:43:46 TCP/UDP: Preserving recently used remote address: [AF_INET]34.77.130.229:8132
2023-04-17 09:43:46 Attempting to establish TCP connection with [AF_INET]34.77.130.229:8132 [nonblock]
2023-04-17 09:43:46 TCP connection established with [AF_INET]34.77.130.229:8132
2023-04-17 09:43:48 TCP_CLIENT link local: (not bound)
2023-04-17 09:43:48 TCP_CLIENT link remote: [AF_INET]34.77.130.229:8132
2023-04-17 09:43:48 [vpn-seed-server] Peer Connection Initiated with [AF_INET]34.77.130.229:8132
2023-04-17 09:43:48 TUN/TAP device tun0 opened
2023-04-17 09:43:48 /sbin/ip link set dev tun0 up mtu 1500
2023-04-17 09:43:48 /sbin/ip link set dev tun0 up
2023-04-17 09:43:48 /sbin/ip addr add dev tun0 192.168.123.10/24
2023-04-17 09:43:48 Initialization Sequence Completed

What you expected to happen:

Some providers in gardener, like equinix, expect to have no node network configured in order to work correctly. So the VPN should also work without requiring a node network.

How to reproduce it (as minimally and precisely as possible):

Create a shoot without a node network defined in the networks config.

Environment:

ScheererJ commented 1 year ago

Hi Tim,

are you sure that you have actual connection issues without setting NODE_NETWORK? The local gardener development setup also does not set NODE_NETWORK and VPN is working fine there.

What you can see in the logs, though, are the readiness/liveness probes happening every 10 seconds (see https://github.com/gardener/gardener/blob/5eb88cb64bc5d503cacb7d66fc026ef85ecd4189/pkg/component/vpnseedserver/vpn_seed_server.go#L341-L354). The attempt to clean the logs of the probe requests seems not to work equally well in all environments.

Could you please confirm that you face actual connection issues, i.e. do you also see the connect requests in vpn-shoot? Otherwise, I would close this issue.

Best regards, Johannes.
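The distinction Johannes draws above, probe hits that are reset within a second of connecting versus a vpn-shoot client that actually loses its tunnel, can be checked mechanically on the server log. The Go helper below is an added example written for this thread, not vpn2 or gardener code; the 2-second probeWindow and the third, longer-lived sample peer are assumptions, the first two sample pairs are the lines quoted in the issue.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Hypothetical helper, not vpn2 code: a TCP peer that is reset within
// probeWindow of connecting, with no handshake in between, matches the
// kubelet probe pattern rather than a vpn-shoot client losing its tunnel.
const probeWindow = 2 * time.Second
var establishedRe = regexp.MustCompile(`^(\S+ \S+) TCP connection established with \[AF_INET\](\S+)$`)
var resetRe = regexp.MustCompile(`^(\S+ \S+) (\S+) Connection reset, restarting \[0\]$`)

// ClassifyLog pairs each "established" line with the next reset from the same
// peer and splits the peers into probe-like and client-like connections.
func ClassifyLog(log string) (probes, clients []string) {
	open := map[string]time.Time{} // peer -> time the TCP connection came up
	for _, line := range strings.Split(log, "\n") {
		if m := establishedRe.FindStringSubmatch(line); m != nil {
			open[m[2]], _ = time.Parse("2006-01-02 15:04:05", m[1])
		} else if m := resetRe.FindStringSubmatch(line); m != nil {
			start, ok := open[m[2]]
			if !ok {
				continue // reset without a matching establish; ignore
			}
			delete(open, m[2])
			t, _ := time.Parse("2006-01-02 15:04:05", m[1])
			if t.Sub(start) <= probeWindow {
				probes = append(probes, m[2])
			} else {
				clients = append(clients, m[2])
			}
		}
	}
	return probes, clients
}

// Constructed sample: the two probe hits from the issue plus one assumed longer-lived peer.
const sampleLog = `2023-04-17 10:39:29 TCP connection established with [AF_INET]10.40.0.1:45364
2023-04-17 10:39:29 10.40.0.1:45364 Connection reset, restarting [0]
2023-04-17 10:39:37 TCP connection established with [AF_INET]10.40.0.1:47204
2023-04-17 10:39:37 10.40.0.1:47204 Connection reset, restarting [0]
2023-04-17 10:39:40 TCP connection established with [AF_INET]10.40.5.7:51000
2023-04-17 10:41:12 10.40.5.7:51000 Connection reset, restarting [0]`
func main() {
	probes, clients := ClassifyLog(sampleLog)
	fmt.Printf("probe-like: %v\nclient-like: %v\n", probes, clients)
}
```

If only probe-like entries show up while vpn-shoot never logs a reconnect, the server is healthy and the noise is the probe, which is the question raised in the reply above.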