default via 172.31.0.1 dev eth0 proto dhcp src 172.31.10.197 metric 100
Edit the ufw before-rules config:
nano /etc/ufw/before.rules
Add the block between the START OPENVPN RULES and END OPENVPN RULES comments, just above the existing *filter line:
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
# ufw-before-input
# ufw-before-output
# ufw-before-forward
#
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN clients out via eth0 (change to the interface you discovered with ip route!)
-A POSTROUTING -s 10.22.0.0/16 -o eth0 -j MASQUERADE
-A POSTROUTING -s 3.4.3.0/8 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
# Don't delete these required lines, otherwise there will be errors
*filter
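The NAT rule only works if its -o interface is the one that really carries the default route, and the guide's own comment shows how easily a stale interface name gets copied in from another host. The following is an added example, not part of the original guide: it parses a route line of the form shown at the top (a constructed sample modelled on that line), emits the POSTROUTING rule for the VPN subnet, and checks an existing rule against the detected interface. Function names and the sample route are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original guide): derive the egress interface for the
# MASQUERADE rule from `ip route` output instead of copying it by hand.
# Constructed sample input; in practice feed in `ip route show default`.
SAMPLE_ROUTE='default via 172.31.0.1 dev eth0 proto dhcp src 172.31.10.197 metric 100'

# default_iface ROUTE_LINE: print the interface named after "dev" on the default route
default_iface() {
    printf '%s\n' "$1" | awk '/^default/ { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# nat_rule SUBNET IFACE: print the POSTROUTING line for /etc/ufw/before.rules
nat_rule() {
    printf '%s -s %s -o %s -j MASQUERADE\n' '-A POSTROUTING' "$1" "$2"
}

# rule_iface_ok RULE IFACE: succeed only if the rule's "-o" interface equals IFACE,
# which catches a rule (or comment) copied from a host with a different NIC name
rule_iface_ok() {
    rule_if=$(printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++) if ($i == "-o") { print $(i+1); exit } }')
    [ "$rule_if" = "$2" ]
}

# Stand-alone run: print the generated rule, then flag a rule that names the wrong interface
IF=$(default_iface "$SAMPLE_ROUTE")
nat_rule 10.22.0.0/16 "$IF"
rule_iface_ok '-A POSTROUTING -s 10.22.0.0/16 -o wlp11s0 -j MASQUERADE' "$IF" \
    || echo "warning: rule uses an interface other than the default-route interface ($IF)" >&2
```

After loading the rules, `iptables -t nat -S POSTROUTING` shows what ufw actually installed; running the rule lines from that output through rule_iface_ok is a quick way to confirm the masquerade goes out the right interface.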
Edit ufw default config:
nano /etc/default/ufw
Allow forward:
DEFAULT_FORWARD_POLICY="ACCEPT"
Allow openvpn and SSH:
ufw allow 1194/udp
ufw allow OpenSSH
Install Openvpn
Run:
apt update
apt install openvpn
Download EasyRSA:
wget -P ~/ https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz
tar xvf EasyRSA-3.0.4.tgz
Copy and edit vars:
cd ~/EasyRSA-3.0.4/
cp vars.example vars
nano vars
Comment out the certificate directives (the certificates are embedded in the .ovpn file):
#ca ca.crt
#cert client.crt
#key client.key
Double-check the cipher and add auth:
cipher AES-256-CBC
auth SHA256
Add these lines at the end of the file. The last three are commented out; enable them only for Linux clients that ship with an /etc/openvpn/update-resolv-conf file:
key-direction 1
# script-security 2
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
Make sure the client-to-client option is disabled (commented out with a semicolon):
;client-to-client
Add the following line at the end of the file to push a route to clients so that traffic for 10.8.0.0/16 goes through the VPN server:
push "route 10.8.0.0 255.255.0.0"
Configure iptables:
# Allow all traffic from 10.22.0.100 (K8s master)
iptables -A FORWARD -s 10.22.0.100 -j ACCEPT
# Allow all traffic to 10.22.0.100 (K8s master)
iptables -A FORWARD -d 10.22.0.100 -j ACCEPT
# Allow all traffic between two nodes
iptables -A FORWARD -s 10.22.0.101 -d 10.22.0.102 -j ACCEPT
iptables -A FORWARD -s 10.22.0.102 -d 10.22.0.101 -j ACCEPT
# Drop everything else
iptables -A FORWARD -j DROP
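Because iptables evaluates a chain top-down and stops at the first match, the order of these FORWARD rules defines the policy: the K8s master may talk to anyone, the two nodes may talk to each other, and every other forwarded flow is dropped. The following is an added example, not part of the original guide: a small first-match evaluator for exactly this rule set, so the intended policy can be checked against sample flows before loading it. It models source/destination matching only; ufw's own FORWARD rules (including its conntrack accept for established flows) run before these appended rules and are not represented. The "any" notation in the rule table and the function names are assumptions made for this example; the addresses are the ones from the rules above.

```shell
#!/bin/sh
# Added example (not part of the original guide): first-match evaluation of the
# FORWARD rules from the guide over constructed flows.

# Rule table in iptables order, one rule per line: "<src|any> <dst|any> <target>".
# Constructed to mirror the guide's rules; "any" means the rule has no -s / -d match.
FORWARD_RULES='10.22.0.100 any ACCEPT
any 10.22.0.100 ACCEPT
10.22.0.101 10.22.0.102 ACCEPT
10.22.0.102 10.22.0.101 ACCEPT
any any DROP'

# eval_chain RULES SRC DST: print the target of the first rule matching SRC/DST.
# If nothing matches, fall back to the chain policy, which is ACCEPT under
# DEFAULT_FORWARD_POLICY="ACCEPT"; this is why the final catch-all DROP matters.
eval_chain() {
    printf '%s\n' "$1" | awk -v src="$2" -v dst="$3" '
        ($1 == "any" || $1 == src) && ($2 == "any" || $2 == dst) { print $3; found = 1; exit }
        END { if (!found) print "ACCEPT (policy)" }'
}

# forward_verdict SRC DST: verdict under the guide's full rule set
forward_verdict() {
    eval_chain "$FORWARD_RULES" "$1" "$2"
}

# forward_verdict_no_drop SRC DST: verdict if the trailing DROP were forgotten
forward_verdict_no_drop() {
    eval_chain "$(printf '%s\n' "$FORWARD_RULES" | grep -v '^any any DROP$')" "$1" "$2"
}

# Stand-alone run: show verdicts for a few constructed flows
demo() {
    for flow in '10.22.0.101 10.22.0.100' '10.22.0.101 10.22.0.102' '10.22.0.101 10.22.0.103'; do
        src=${flow% *}; dst=${flow#* }
        printf '%s -> %s : %s (without final DROP: %s)\n' \
            "$src" "$dst" "$(forward_verdict "$src" "$dst")" "$(forward_verdict_no_drop "$src" "$dst")"
    done
}
demo
```

The last flow in the demo (a node reaching a host not named in any rule) is the one to watch: with the catch-all DROP it is dropped, without it the ACCEPT forward policy from /etc/default/ufw lets it through.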