030075762f
|
||
|---|---|---|
| .. | ||
| README.md | ||
| daemon-pritunl.conf | ||
README.md
Pritunl
Pritunl is an open source VPN server with a web UI. It manages many openvpn instances underneath its python daemon and Go frontend. The basic version supports multiple servers/users with PKI + TOTP multi-factor auth. The professional/enterprise versions offer site-to-site VPNs as well as multiple SSO options for user auth.
WIT on Pritunl
WIT is using as our VPN server as it is both OSS and user friendly; something we can offer to customers. The VPN is being used to access the overlay network of customer clouds, while control plane access will remain via a bastion host for now.
Pritunl on WIT Cloud
Pritunl only has one external dependency: it uses mongodb for storing organization/server/user data. Connect to the existing mongo daemon and create a new database and user for Pritunl. Store the password as a secret in the cloud-ui.
Note that the WIT Cloud ingress layer currently only supports TCP based VPN servers.
Configuring the Daemon
First setup the daemon according to daemon-pritunl.conf.
Once the deployment is up and running edit it directly to add the container securityContext.
kubectl -n <namespace> edit deploy <deploy-name>
Add the following block below spec.template.spec.container.securityContext:
securityContext:
capabilities:
add:
- NET_ADMIN
TODO: ping @tim once WIT Cloud supports configuring container securityContext.
Configuring Pritunl
Follow the Pritunl Setup instructions with the following notes:
- Use a TCP based VPN server. Make sure to configure both the HAProxy on
robertoas well as configuringwit-proxyviaetcd - Once the server is created make sure to remove the default route and add the appropriate routes for the k8s pod and services subnets.