From 12af36e84e88a7fe70f10121f8a8fd650514bbcb Mon Sep 17 00:00:00 2001 From: Steven Shi Date: Mon, 28 Sep 2020 14:19:11 -0700 Subject: [PATCH 1/4] support DNS for VPN client --- .../kubernetes/files/wireguard-wg0-conf.tpl | 4 +-- templates/scripts/add-vpn-user.sh | 33 +++++++++++++++---- 2 files changed, 29 insertions(+), 8 deletions(-) diff --git a/templates/kubernetes/terraform/modules/kubernetes/files/wireguard-wg0-conf.tpl b/templates/kubernetes/terraform/modules/kubernetes/files/wireguard-wg0-conf.tpl index a1875f5..93cf29b 100644 --- a/templates/kubernetes/terraform/modules/kubernetes/files/wireguard-wg0-conf.tpl +++ b/templates/kubernetes/terraform/modules/kubernetes/files/wireguard-wg0-conf.tpl @@ -2,10 +2,10 @@ Address = ${tpl_server_address} ListenPort = 51820 PostUp = wg set wg0 private-key /etc/wireguard/privatekey -PostUp = iptables -A FORWARD -s ${tpl_server_address} -d ${tpl_destination_subnets} -j ACCEPT +PostUp = iptables -A FORWARD -i wg0 -s ${tpl_server_address} -j ACCEPT PostUp = iptables -A FORWARD -s ${tpl_server_address} -j DROP PostUp = iptables -t nat -A POSTROUTING -s ${tpl_server_address} -o eth0 -j MASQUERADE -PostDown = iptables -D FORWARD -s ${tpl_server_address} -d ${tpl_destination_subnets} -j ACCEPT +PostDown = iptables -D FORWARD -i wg0 -s ${tpl_server_address} -j ACCEPT PostDown = iptables -D FORWARD -s ${tpl_server_address} -j DROP PostDown = iptables -t nat -D POSTROUTING -s ${tpl_server_address} -o eth0 -j MASQUERADE diff --git a/templates/scripts/add-vpn-user.sh b/templates/scripts/add-vpn-user.sh index c98a507..6ea95d9 100755 --- a/templates/scripts/add-vpn-user.sh +++ b/templates/scripts/add-vpn-user.sh 
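Review bot: The new `PostUp = iptables -A FORWARD -i wg0 -s ${tpl_server_address} -j ACCEPT` drops the `-d ${tpl_destination_subnets}` match, so forwarded client traffic is accepted to any destination and the following `-j DROP` rule no longer limits anything that arrives on wg0; together with the unchanged MASQUERADE rule the node becomes a general egress path for VPN clients rather than a route to specific subnets. If the goal is only to let clients reach the VPC and the cluster DNS server, keep the destination match alongside the interface match, `PostUp = iptables -A FORWARD -i wg0 -s ${tpl_server_address} -d ${tpl_destination_subnets} -j ACCEPT`, with the matching `PostDown ... -D` line, and extend the subnet list on the Terraform side instead. If the widening is deliberate, a one-line comment in the template stating that clients may reach any destination would save the next reader from treating it as a regression. `tpl_destination_subnets` presumably becomes an unused template variable after this change; confirm the Terraform `templatefile` call still matches.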
@@ -4,9 +4,11 @@ CLUSTER=$(kubectl config current-context | cut -d"/" -f2) # this is a local script for a system user to generate VPN configuration for cluster ${CLUSTER} +NAMESPACE=<% .Name %> +REGION=<% index .Params `region` %> + # get pod id for execution -POD=$(kubectl -n vpn get pods | grep wireguard | cut -d' ' -f1) -EXTERNAL_DNS=$(kubectl -nvpn get svc wireguard -o jsonpath='{.metadata.annotations.external-dns\.alpha\.kubernetes\.io/hostname}') +POD=$(kubectl -n vpn get pods --selector=app=wireguard -o jsonpath='{.items[0].metadata.name}') if [ -z "$POD" ]; then echo "Warning: No VPN service running yet" @@ -15,8 +17,7 @@ fi EXEC="kubectl -n vpn exec -it $POD -- /bin/bash -c" # get name -echo -n "Enter your name: " -read name +echo -n "Enter your name: " && read name # collect keys server_public_key=$($EXEC "cat /etc/wireguard/privatekey | wg pubkey") @@ -31,6 +32,21 @@ while [[ "$existing_ips" =~ "$next_ip" ]]; do next_ip=${next_ip%.*}.$((${next_ip##*.}+1)) done +# get DNS server setting +dns_server=$($EXEC "cat /etc/resolv.conf | grep nameserver | tail -1 | cut -d\" \" -f2 | tr -d \"\r\n\f\"") + +# get VPC CIDR for allowed IP subnet +VPCNAME=${CLUSTER%-$REGION}-vpc +vpc_cidr=$(aws ec2 describe-vpcs --filters Name=tag:Name,Values=${VPCNAME} | jq -r '.Vpcs[].CidrBlock') +[[ -z "$vpc_cidr" ]] && vpc_cidr = "10.10.0.0/16" + +# get DB server +K8S_DBSERVER=database.${NAMESPACE}.svc.cluster.local +AWS_DBSERVER=$(kubectl -n piggycloud2-me get svc -ojsonpath='{.items[0].spec.externalName}') + +# get Endpoint DNS +EXTERNAL_DNS=$(kubectl -nvpn get svc wireguard -o jsonpath='{.metadata.annotations.external-dns\.alpha\.kubernetes\.io/hostname}') + # generate config file CONFIG_DIR=~/.wireguard mkdir -p $CONFIG_DIR 
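Review bot: `echo -n "Enter your name: " && read name` reads without `-r`, so backslashes in the input are interpreted, and `$name` is later substituted verbatim into the Terraform list entry printed by `printf ' ["%s", "%s", "%s"]...'`, so a name containing `"` or `,` yields a broken `vpn_client_publickeys` element that is only discovered at `terraform apply`. Suggest `read -r name` followed by a simple allowlist check such as `[[ "$name" =~ ^[A-Za-z0-9._-]+$ ]] || { echo "Invalid name" >&2; exit 1; }`. The previous two-line form was also easier to read than chaining the prompt and the `read` with `&&`.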
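Review bot: `[[ -z "$vpc_cidr" ]] && vpc_cidr = "10.10.0.0/16"` has spaces around `=`, so bash tries to run a command named `vpc_cidr` with the arguments `=` and `10.10.0.0/16` ("command not found") and the fallback never takes effect; it should read `[[ -z "$vpc_cidr" ]] && vpc_cidr="10.10.0.0/16"`. The same line survives unchanged as context in the patch 3 hunk `@@ -33,17 +39,13 @@`. Separately, `jq -r '.Vpcs[].CidrBlock'` prints one line per matching VPC, so if more than one VPC carries that `Name` tag the variable contains a newline and the later `AllowedIPs = $vpc_cidr, ...` line is malformed; `.Vpcs[0].CidrBlock`, or an explicit check that exactly one VPC matched, would make that failure visible instead of silent. The `aws ec2 describe-vpcs` call also runs against whatever region the caller's environment selects, while `REGION` is already set in the first hunk of this file, so passing `--region "$REGION"` would keep the lookup tied to the cluster being configured.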
@@ -50,7 +66,11 @@ echo echo "After this is done you should be able to open the wireguard client and activate the tunnel." echo "You can download the client at https://www.wireguard.com/install/" echo -echo "When it is running you should be able to access internal resources, e.g. mysql -h 10.10.10.123" +echo "When it is running you should be able to access internal resources, eg. database server:" +echo " with Kubernetes cluster DNS, run:" +echo " mysql -u -p -h ${K8S_DBSERVER}" +echo " with AWS RDS, run:" +echo " mysql -u -p -h ${AWS_DBSERVER}" # generate client conf cat <<-EOF > ${CONFIG_FILE} @@ -65,11 +85,12 @@ cat <<-EOF > ${CONFIG_FILE} PrivateKey = $client_private_key ListenPort = 34567 Address = $next_ip/32 +DNS = $dns_server [Peer] # VPN server side PublicKey = $server_public_key -AllowedIPs = 10.10.0.0/16 +AllowedIPs = $vpc_cidr, $dns_server/32 Endpoint = $EXTERNAL_DNS:51820 EOF From 4e364a60cbe46e5f22f6dfcdb2e98e952817698b Mon Sep 17 00:00:00 2001 From: Steven Shi Date: Mon, 28 Sep 2020 14:23:50 -0700 Subject: [PATCH 2/4] fix hardcode --- templates/scripts/add-vpn-user.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/scripts/add-vpn-user.sh b/templates/scripts/add-vpn-user.sh index 6ea95d9..143468e 100755 --- a/templates/scripts/add-vpn-user.sh +++ b/templates/scripts/add-vpn-user.sh @@ -42,7 +42,7 @@ vpc_cidr=$(aws ec2 describe-vpcs --filters Name=tag:Name,Values=${VPCNAME} | jq # get DB server K8S_DBSERVER=database.${NAMESPACE}.svc.cluster.local -AWS_DBSERVER=$(kubectl -n piggycloud2-me get svc -ojsonpath='{.items[0].spec.externalName}') +AWS_DBSERVER=$(kubectl -n ${NAMESPACE} get svc -ojsonpath='{.items[0].spec.externalName}') # get Endpoint DNS EXTERNAL_DNS=$(kubectl -nvpn get svc wireguard -o jsonpath='{.metadata.annotations.external-dns\.alpha\.kubernetes\.io/hostname}') From 2b65ba99aa35aa3a13e7aec85544243fb55b393e Mon Sep 17 00:00:00 2001 
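Review bot: `DNS = $dns_server` and `AllowedIPs = $vpc_cidr, $dns_server/32` are written into the client file without checking that either variable is non-empty; when the `resolv.conf` lookup or the `describe-vpcs` call yields nothing (and the fallback assignment in the earlier hunk is broken by the spaces around `=`), the file ends up with `AllowedIPs = , /32`, which the WireGuard client will almost certainly reject at import time with no hint of the cause. Fail early instead, e.g. `[[ -n "$dns_server" && -n "$vpc_cidr" ]] || { echo "Could not determine DNS server or VPC CIDR" >&2; exit 1; }` before the heredoc. The generated file also contains the client private key and is created by `cat <<-EOF > ${CONFIG_FILE}` with the caller's default umask; a `umask 077` before the `mkdir -p`, or `chmod 600 "$CONFIG_FILE"` after the heredoc, keeps the key from being readable by other local users. The heredoc begins before this hunk.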
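Review bot: `AWS_DBSERVER=$(kubectl -n ${NAMESPACE} get svc -ojsonpath='{.items[0].spec.externalName}')` fixes the hardcoded namespace but still takes the first Service in list order, which is not guaranteed to be the database ExternalName service, so the printed `mysql -h` hint can be empty or name an unrelated service. The `K8S_DBSERVER` line two lines above shows the service is called `database`, so address it directly: `AWS_DBSERVER=$(kubectl -n "${NAMESPACE}" get svc database -o jsonpath='{.spec.externalName}')`. Quoting `"${NAMESPACE}"` also protects against word splitting should the templated value ever contain whitespace.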
From: Steven Shi Date: Mon, 28 Sep 2020 17:26:14 -0700 Subject: [PATCH 3/4] enhancement on display etc. --- templates/scripts/add-vpn-user.sh | 38 +++++++++++++++---------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/templates/scripts/add-vpn-user.sh b/templates/scripts/add-vpn-user.sh index 143468e..7d7f298 100755 --- a/templates/scripts/add-vpn-user.sh +++ b/templates/scripts/add-vpn-user.sh @@ -14,18 +14,24 @@ if [ -z "$POD" ]; then echo "Warning: No VPN service running yet" exit 1 fi -EXEC="kubectl -n vpn exec -it $POD -- /bin/bash -c" + +function k8s_exec() { + kubectl -n vpn exec -it $POD -- /bin/bash -c "$1" +} # get name +echo "Current cluster is '${CLUSTER}'" echo -n "Enter your name: " && read name +echo +echo "Generating your client configuration file..." # collect keys -server_public_key=$($EXEC "cat /etc/wireguard/privatekey | wg pubkey") -client_private_key=$($EXEC "wg genkey") -client_public_key=$($EXEC "echo -n $client_private_key | wg pubkey | tr -d \"\r\n\f\"") +server_public_key=$(k8s_exec "cat /etc/wireguard/privatekey | wg pubkey") +client_private_key=$(k8s_exec "wg genkey") +client_public_key=$(k8s_exec "echo -n $client_private_key | wg pubkey | tr -d \"\r\n\f\"") # get next available IP -existing_ips=$($EXEC "cat /etc/wireguard/wg0.conf | grep AllowedIPs| cut -d\" \" -f3 | cut -d\"/\" -f1 | sort") +existing_ips=$(k8s_exec "cat /etc/wireguard/wg0.conf | grep AllowedIPs| cut -d\" \" -f3 | cut -d\"/\" -f1 | sort") last_ip=$(echo "$existing_ips" | tr -cd "[:alnum:].\n" | tail -1) next_ip=$last_ip while [[ "$existing_ips" =~ "$next_ip" ]]; do 
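Review bot: `k8s_exec` runs `kubectl -n vpn exec -it $POD -- /bin/bash -c "$1"` while every caller captures its stdout with `$(...)`; the `-t` flag requests a TTY although stdin is not a terminal, which kubectl reports on stderr and is the likely reason the callers need `tr -d "\r\n\f"` to strip carriage returns. Drop `-t` and quote the pod name: `kubectl -n vpn exec -i "$POD" -- /bin/bash -c "$1"`. Also, `k8s_exec "echo -n $client_private_key | wg pubkey ..."` places the freshly generated client private key in the remote command line, where it is visible in the pod's process list and may be recorded in the API server's exec audit entry where auditing is enabled; feeding it through stdin, `printf '%s' "$client_private_key" | kubectl -n vpn exec -i "$POD" -- wg pubkey`, avoids exposing it, and if `wg` is available locally the public key could be derived without touching the pod at all. `function k8s_exec() {` mixes the `function` keyword with `()`; `k8s_exec() {` is the conventional bash spelling.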
@@ -33,17 +39,13 @@ while [[ "$existing_ips" =~ "$next_ip" ]]; do done # get DNS server setting -dns_server=$($EXEC "cat /etc/resolv.conf | grep nameserver | tail -1 | cut -d\" \" -f2 | tr -d \"\r\n\f\"") +dns_server=$(k8s_exec "cat /etc/resolv.conf | grep nameserver | tail -1 | cut -d\" \" -f2 | tr -d \"\r\n\f\"") # get VPC CIDR for allowed IP subnet VPCNAME=${CLUSTER%-$REGION}-vpc vpc_cidr=$(aws ec2 describe-vpcs --filters Name=tag:Name,Values=${VPCNAME} | jq -r '.Vpcs[].CidrBlock') [[ -z "$vpc_cidr" ]] && vpc_cidr = "10.10.0.0/16" -# get DB server -K8S_DBSERVER=database.${NAMESPACE}.svc.cluster.local -AWS_DBSERVER=$(kubectl -n ${NAMESPACE} get svc -ojsonpath='{.items[0].spec.externalName}') - # get Endpoint DNS EXTERNAL_DNS=$(kubectl -nvpn get svc wireguard -o jsonpath='{.metadata.annotations.external-dns\.alpha\.kubernetes\.io/hostname}') @@ -53,7 +55,8 @@ mkdir -p $CONFIG_DIR CONFIG_FILE=$CONFIG_DIR/wg-client-${CLUSTER}.conf # Output TF line -echo "Configuration generated at $CONFIG_FILE with:" +echo +echo "Configuration for user '$name' generated at $CONFIG_FILE with:" echo " - public key : $client_public_key" echo " - private key: $client_private_key" echo " - client IP : $next_ip/32" 
@@ -61,19 +64,16 @@ echo echo "Please modify kubernetes/terraform/environments//main.tf and append the following line to var.vpn_client_publickeys." echo "Then apply the terraform, or ask an administrator to." echo -printf ' ["%s", "%s", "%s"],' "$name" "$next_ip/32" "$client_public_key" +printf ' ["%s", "%s", "%s"]\n' "$name" "$next_ip/32" "$client_public_key" echo echo "After this is done you should be able to open the wireguard client and activate the tunnel." -echo "You can download the client at https://www.wireguard.com/install/" echo -echo "When it is running you should be able to access internal resources, eg. database server:" -echo " with Kubernetes cluster DNS, run:" -echo " mysql -u -p -h ${K8S_DBSERVER}" -echo " with AWS RDS, run:" -echo " mysql -u -p -h ${AWS_DBSERVER}" +echo "You can download the client at https://www.wireguard.com/install/. When it is running you should be able to access internal resources, eg. mysql -h , and if anything, you could mention that you can connect to things inside both the VPC and the kubernetes cluster." +echo +echo "Enjoy your VPN access journey!" + # generate client conf cat <<-EOF > ${CONFIG_FILE} - # # This is a generated VPN(wireguard) client configuration # From 7c7d2d67fc0a84b0df133086fecf46277e0f0945 Mon Sep 17 00:00:00 2001 From: Bill Monkman Date: Mon, 28 Sep 2020 18:17:54 -0700 Subject: [PATCH 4/4] Update add-vpn-user.sh --- templates/scripts/add-vpn-user.sh | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/templates/scripts/add-vpn-user.sh b/templates/scripts/add-vpn-user.sh index 7d7f298..41d3fa8 100755 --- a/templates/scripts/add-vpn-user.sh +++ b/templates/scripts/add-vpn-user.sh 
@@ -64,13 +64,14 @@ echo echo "Please modify kubernetes/terraform/environments//main.tf and append the following line to var.vpn_client_publickeys." echo "Then apply the terraform, or ask an administrator to." echo -printf ' ["%s", "%s", "%s"]\n' "$name" "$next_ip/32" "$client_public_key" +printf ' ["%s", "%s", "%s"],\n' "$name" "$next_ip/32" "$client_public_key" echo -echo "After this is done you should be able to open the wireguard client and activate the tunnel." +echo "You can download the client at https://www.wireguard.com/install/" +echo "After this is done you should be able to open the wireguard client, import a tunnel file from ~/.wireguard/ and activate the tunnel." echo -echo "You can download the client at https://www.wireguard.com/install/. When it is running you should be able to access internal resources, eg. mysql -h , and if anything, you could mention that you can connect to things inside both the VPC and the kubernetes cluster." +echo "When it is running you should be able to access internal resources, eg. mysql -h " +echo "You will be able to connect to resources within both the VPC and the Kubernetes cluster." echo -echo "Enjoy your VPN access journey!" # generate client conf cat <<-EOF > ${CONFIG_FILE}
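Review bot: The new message hardcodes `~/.wireguard/` while the script writes the file to `$CONFIG_FILE` (derived from `CONFIG_DIR=~/.wireguard`, set earlier in the file), so the instruction goes stale if that path ever changes; prefer `echo "After this is done you should be able to open the wireguard client, import the tunnel file ${CONFIG_FILE} and activate the tunnel."`. The `mysql -h` hint on the following line appears to end without a hostname; confirm whether an angle-bracket placeholder was lost and, if so, spell it as `-h <hostname>` so the line is self-explanatory. The heredoc opened by `cat <<-EOF > ${CONFIG_FILE}` continues outside this hunk.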