I am trying to set up tun2proxy as a sidecar VPN for my Kubernetes pod to reroute all traffic through a SOCKS5 ISP.
I use the following Helm-based .yaml deployment:
```yaml
{{- range .Values.secrets }}
{{- $n := .name | toString | lower | replace "_" "-" }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: containername-{{ $n }}
  labels:
    app: containername
    containername/name: {{ $n | quote }}
spec:
  replicas: 1
  selector:
    matchLabels:
      app: containername
      containername/name: {{ $n | quote }}
  template:
    metadata:
      labels:
        app: containername
        containername/name: {{ $n | quote }}
    spec:
      shareProcessNamespace: true
      containers:
        - name: vpn
          image: ghcr.io/tun2proxy/tun2proxy-ubuntu:latest
          container_name: vpn
          envFrom:
            - secretRef:
                name: containername-{{ $n }}-secret
          securityContext:
            privileged: true
            capabilities:
              add: ["NET_ADMIN"]
          volumeMounts:
            - name: dev-net-tun
              mountPath: /dev/net/tun
          args:
            - --proxy
            - socks5://$(LOGIN):$(PASSWORD)@$(PROXY_SERVER):$(PROXY_PORT)
            - --dns
            - direct
            - --dns-addr
            - 8.8.8.8
        - name: netdebug
          image: nicolaka/netshoot:latest
          command:
            - /bin/bash
            - -c
            - |
              echo "=== Network Debug Container Started ==="
              echo "Available tools: curl, wget, dig, nslookup, traceroute, tcpdump, netstat, ss, ip"
              echo "Run 'kubectl exec -it <pod-name> -c netdebug -- bash' to debug"
              sleep infinity
          securityContext:
            capabilities:
              add: ["NET_ADMIN", "NET_RAW"]
      volumes:
        - name: shared
          emptyDir: {}
        - name: dev-net-tun
          hostPath:
            path: /dev/net/tun
            type: CharDevice
{{- end }}
```

(container_name and network_mode, unfortunately, do not have any effect)
In the network debug container, I've tried some commands:
```
containername-1-8496756c47-w6nll:~# cat /etc/resolv.conf
nameserver 1.1.1.1
nameserver 8.8.8.8
containername-1-8496756c47-w6nll:~# ping google.com
ping: google.com: Try again
containername-1-8496756c47-w6nll:~# dig google.com
;; communications error to 1.1.1.1#53: timed out
;; communications error to 1.1.1.1#53: timed out
;; communications error to 1.1.1.1#53: timed out
;; communications error to 8.8.8.8#53: timed out

; <<>> DiG 9.20.10 <<>> google.com
;; global options: +cmd
;; no servers could be reached
containername-1-8496756c47-w6nll:~# ip a
ip r
cat /proc/net/route
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0@if115: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP group default qlen 1000
    link/ether b6:91:c8:ab:4d:1f brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.244.98.247/32 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::b491:c8ff:feab:4d1f/64 scope link
       valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet 10.0.0.33 peer 10.0.0.1/24 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::254:ffde:4900:666a/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
0.0.0.0/1 dev tun0 proto static
default via 169.254.1.1 dev eth0
10.0.0.0/24 dev tun0 proto kernel scope link src 10.0.0.33
128.0.0.0/1 dev tun0 proto static
130.180.248.200 via 169.254.1.1 dev eth0
169.254.1.1 dev eth0 scope link
Iface   Destination     Gateway         Flags   RefCnt  Use     Metric  Mask            MTU     Window  IRTT
tun0    00000000        00000000        0001    0       0       0       00000080        0       0       0
eth0    00000000        0101FEA9        0003    0       0       0       00000000        0       0       0
tun0    0000000A        00000000        0001    0       0       0       00FFFFFF        0       0       0
tun0    00000080        00000000        0001    0       0       0       00000080        0       0       0
eth0    C8F8B482        0101FEA9        0007    0       0       0       FFFFFFFF        0       0       0
eth0    0101FEA9        00000000        0005    0       0       0       FFFFFFFF        0       0       0
containername-1-8496756c47-w6nll:~# cat /etc/resolv.conf
dig client.earnapp.com # query via the system DNS
dig @10.96.0.10 client.earnapp.com
nslookup google.com
host client.earnapp.com
nameserver 1.1.1.1
nameserver 8.8.8.8
;; communications error to 1.1.1.1#53: timed out
^C^C^C
;; communications error to 1.1.1.1#53: timed out
^C
containername-1-8496756c47-w6nll:~# ping 10.96.0.10
ping 8.8.8.8
ping google.com
curl -v https://google.com
nc -vz 1.1.1.1 53
PING 10.96.0.10 (10.96.0.10) 56(84) bytes of data.
^C
--- 10.96.0.10 ping statistics ---
7 packets transmitted, 0 received, 100% packet loss, time 6137ms

PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4092ms
^C
^C
Connection to 1.1.1.1 53 port [tcp/domain] succeeded!
containername-1-8496756c47-w6nll:~# traceroute 8.8.8.8
traceroute client.earnapp.com
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 46 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5^C
^C
containername-1-8496756c47-w6nll:~# ss -tuln
ss -s
netstat -rn
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
Total: 72
TCP:   262 (estab 63, closed 199, orphaned 0, timewait 0)

Transport Total     IP        IPv6
RAW       0         0         0
UDP       4         4         0
TCP       63        63        0
INET      67        67        0
FRAG      0         0         0

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         0.0.0.0         128.0.0.0       U         0 0          0 tun0
0.0.0.0         169.254.1.1     0.0.0.0         UG        0 0          0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U         0 0          0 tun0
128.0.0.0       0.0.0.0         128.0.0.0       U         0 0          0 tun0
130.180.248.200 169.254.1.1     255.255.255.255 UGH       0 0          0 eth0
169.254.1.1     0.0.0.0         255.255.255.255 UH        0 0          0 eth0
containername-1-8496756c47-w6nll:~# curl ifconfig.me
^C
containername-1-8496756c47-w6nll:~#
```

So, it does not work as expected.
The goal is to make the tunnel work for any app, so curl ifconfig.me successfully returns my IP address without designating this proxy directly.
What else have I tried (and that did not work)?
- Changing the `--dns` argument to `over-tcp` and to `virtual` (`virtual` changes the situation a bit, but still does not work as I need)
- Using redsocks
- Looking for other sidecar VPN solutions
Some additional info:
- Proxy is IPv4
- Proxy also supports HTTPS/HTTP protocols, but it is not what I want (I suppose)
Why is it not working, and how can I fix this?
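An added example (not from the question and not tun2proxy's own code) that decodes the hex rows of the `cat /proc/net/route` output pasted above into readable routes and resolves which interface a destination would use by longest-prefix match, the rule the kernel applies when all metrics are 0. The table is a constructed copy of the one in the question; running it shows that the proxy server address 130.180.248.200 is the only destination routed around tun0, while 8.8.8.8 and the cluster DNS address 10.96.0.10 both fall into the 0.0.0.0/1 and 128.0.0.0/1 routes and are sent into the tunnel.

```python
# Added example, not part of the original post: decode /proc/net/route rows
# (little-endian hex words) and resolve the interface a destination would take.
import ipaddress
import socket
import struct

# Constructed copy of the routing table pasted in the question.
PROC_NET_ROUTE = """\
Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT
tun0 00000000 00000000 0001 0 0 0 00000080 0 0 0
eth0 00000000 0101FEA9 0003 0 0 0 00000000 0 0 0
tun0 0000000A 00000000 0001 0 0 0 00FFFFFF 0 0 0
tun0 00000080 00000000 0001 0 0 0 00000080 0 0 0
eth0 C8F8B482 0101FEA9 0007 0 0 0 FFFFFFFF 0 0 0
eth0 0101FEA9 00000000 0005 0 0 0 FFFFFFFF 0 0 0
"""

RTF_UP, RTF_GATEWAY, RTF_HOST = 0x0001, 0x0002, 0x0004  # bits from linux/route.h


def hex_to_ip(word: str) -> str:
    # The kernel prints each address as a little-endian 32-bit word.
    return socket.inet_ntoa(struct.pack("<L", int(word, 16)))


def parse_routes(text: str) -> list[dict]:
    routes = []
    for line in text.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) < 8:
            continue
        flags = int(f[3], 16)
        net = ipaddress.ip_network(f"{hex_to_ip(f[1])}/{hex_to_ip(f[7])}", strict=False)
        routes.append({
            "iface": f[0],
            "network": net,
            "gateway": hex_to_ip(f[2]) if flags & RTF_GATEWAY else None,
            # Same letters netstat -rn prints: U = up, G = via gateway, H = host route
            "flags": "".join(c for c, bit in (("U", RTF_UP), ("G", RTF_GATEWAY), ("H", RTF_HOST)) if flags & bit),
        })
    return routes


def lookup(routes: list[dict], dst: str) -> dict:
    # Longest-prefix match among the routes that contain the destination.
    addr = ipaddress.ip_address(dst)
    return max((r for r in routes if addr in r["network"]), key=lambda r: r["network"].prefixlen)


if __name__ == "__main__":
    table = parse_routes(PROC_NET_ROUTE)
    for r in table:
        print(f'{str(r["network"]):20} via {r["gateway"] or "-":15} dev {r["iface"]:5} {r["flags"]}')
    for dst in ("8.8.8.8", "10.96.0.10", "130.180.248.200"):
        print(dst, "->", lookup(table, dst)["iface"])
```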