test topology graph
environment
OVN EIP, OVN FIP
1. SSL does not connect to the server
client
server
▶ docker exec -it kube-ovn-worker2 bash
root@kube-ovn-worker2:/#
root@kube-ovn-worker2:/#
root@kube-ovn-worker2:/#
root@kube-ovn-worker2:/# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: kube-ipvs0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default
link/ether ee:9f:96:13:31:b4 brd ff:ff:ff:ff:ff:ff
inet 10.96.0.1/32 scope global kube-ipvs0
valid_lft forever preferred_lft forever
inet 10.96.0.10/32 scope global kube-ipvs0
valid_lft forever preferred_lft forever
inet 10.96.47.7/32 scope global kube-ipvs0
valid_lft forever preferred_lft forever
inet 10.101.6.51/32 scope global kube-ipvs0
valid_lft forever preferred_lft forever
inet 10.100.230.39/32 scope global kube-ipvs0
valid_lft forever preferred_lft forever
inet 10.105.151.245/32 scope global kube-ipvs0
valid_lft forever preferred_lft forever
inet 10.107.86.187/32 scope global kube-ipvs0
valid_lft forever preferred_lft forever
inet 10.102.110.0/32 scope global kube-ipvs0
valid_lft forever preferred_lft forever
inet 10.107.238.188/32 scope global kube-ipvs0
valid_lft forever preferred_lft forever
inet 10.107.4.255/32 scope global kube-ipvs0
valid_lft forever preferred_lft forever
inet 10.101.41.84/32 scope global kube-ipvs0
valid_lft forever preferred_lft forever
inet 10.100.193.227/32 scope global kube-ipvs0
valid_lft forever preferred_lft forever
inet 10.106.6.49/32 scope global kube-ipvs0
valid_lft forever preferred_lft forever
inet 10.110.121.157/32 scope global kube-ipvs0
valid_lft forever preferred_lft forever
3: ovs-system: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether b6:39:4d:f3:02:e5 brd ff:ff:ff:ff:ff:ff
4: br-int: <BROADCAST,MULTICAST> mtu 1450 qdisc noop state DOWN group default qlen 1000
link/ether 9a:a3:0a:a4:05:8f brd ff:ff:ff:ff:ff:ff
5: vxlan_sys_4789: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65000 qdisc noqueue master ovs-system state UNKNOWN group default qlen 1000
link/ether ce:b4:e0:92:5e:66 brd ff:ff:ff:ff:ff:ff
inet6 fe80::ccb4:e0ff:fe92:5e66/64 scope link
valid_lft forever preferred_lft forever
6: mirror0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default qlen 1000
link/ether 0a:8b:e0:5c:e2:3b brd ff:ff:ff:ff:ff:ff
inet6 fe80::88b:e0ff:fe5c:e23b/64 scope link
valid_lft forever preferred_lft forever
7: ovn0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default qlen 1000
link/ether e6:b4:54:39:0f:58 brd ff:ff:ff:ff:ff:ff
inet 100.64.0.4/16 brd 100.64.255.255 scope global ovn0
valid_lft forever preferred_lft forever
inet6 fe80::e4b4:54ff:fe39:f58/64 scope link
valid_lft forever preferred_lft forever
11: 05a014bf61ab_h@if10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue master ovs-system state UP group default qlen 1000
link/ether 26:e8:f5:d4:54:25 brd ff:ff:ff:ff:ff:ff link-netns cni-77e2f1ff-a7b6-0bd4-d9f6-a4edc65e218f
inet6 fe80::24e8:f5ff:fed4:5425/64 scope link
valid_lft forever preferred_lft forever
13: 47e8c49ca845_h@if12: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue master ovs-system state UP group default qlen 1000
link/ether ee:e5:1d:ae:a7:55 brd ff:ff:ff:ff:ff:ff link-netns cni-6caec82b-436b-f7f8-3e65-4ce588844946
inet6 fe80::ece5:1dff:feae:a755/64 scope link
valid_lft forever preferred_lft forever
15: c51e0f53ff54_h@if14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue master ovs-system state UP group default qlen 1000
link/ether 12:4f:10:af:12:d3 brd ff:ff:ff:ff:ff:ff link-netns cni-70093af9-52cc-89c5-2e12-d0fbf3f91459
inet6 fe80::104f:10ff:feaf:12d3/64 scope link
valid_lft forever preferred_lft forever
17: 08e88b9cb592_h@if16: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue master ovs-system state UP group default qlen 1000
link/ether 8a:56:e7:0f:3b:85 brd ff:ff:ff:ff:ff:ff link-netns cni-eb7e382b-a68f-4430-79aa-106cea3d7a0e
inet6 fe80::8856:e7ff:fe0f:3b85/64 scope link
valid_lft forever preferred_lft forever
18: br-external: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
link/ether 02:42:ac:13:00:04 brd ff:ff:ff:ff:ff:ff
inet 172.19.0.4/16 brd 172.19.255.255 scope global br-external
valid_lft forever preferred_lft forever
inet6 fc00:adb1:b29b:608d::4/64 scope global nodad
valid_lft forever preferred_lft forever
inet6 fe80::42:acff:fe13:4/64 scope link
valid_lft forever preferred_lft forever
21: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1351 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 10.240.0.1 peer 10.240.0.2/32 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::146f:7fd9:d6c9:b672/64 scope link stable-privacy
valid_lft forever preferred_lft forever
102: eth0@if103: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:12:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.18.0.2/16 brd 172.18.255.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fc00:f853:ccd:e793::2/64 scope global nodad
valid_lft forever preferred_lft forever
inet6 fe80::42:acff:fe12:2/64 scope link
valid_lft forever preferred_lft forever
112: eth1@if113: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master ovs-system state UP group default
link/ether 02:42:ac:13:00:04 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::42:acff:fe13:4/64 scope link
valid_lft forever preferred_lft forever
118: eth2@if119: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:15:00:04 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.21.0.4/16 brd 172.21.255.255 scope global eth2
valid_lft forever preferred_lft forever
inet6 fc00:5645:6976:1737::4/64 scope global nodad
valid_lft forever preferred_lft forever
inet6 fe80::42:acff:fe15:4/64 scope link
valid_lft forever preferred_lft forever
root@kube-ovn-worker2:/# ip route
default via 172.18.0.1 dev eth0
10.16.0.0/16 via 100.64.0.1 dev ovn0 proto static src 172.18.0.2
10.240.0.0/16 via 10.240.0.2 dev tun0
10.240.0.2 dev tun0 proto kernel scope link src 10.240.0.1
100.64.0.0/16 dev ovn0 proto kernel scope link src 100.64.0.4
172.18.0.0/16 dev eth0 proto kernel scope link src 172.18.0.2
172.19.0.0/16 dev br-external proto kernel scope link src 172.19.0.4
172.21.0.0/16 dev eth2 proto kernel scope link src 172.21.0.4
root@kube-ovn-worker2:/#
server: br-external IP 172.19.0.4
client pod: OVN FIP 172.19.0.12, connects to 172.19.0.4
2. SSL connects to the server
▶ cat /tmp/ovpncli1.ovpn
client
nobind
dev tun
link-mtu 1400
cipher AES-256-GCM
auth SHA1
remote 172.19.0.4 1194 udp
redirect-gateway def1
<key>
-----BEGIN RSA PRIVATE KEY-----
......
connect with: openvpn --config /tmp/ovpncli1.ovpn
client OpenVPN tun device and routes
server routes