dev-docs: add on-prem terraform to vpn setup (#2619)

* vpn: add fake-on-prem infra * dev-docs: move vpn helm
2025-08-01 11:36:10 -04:00 · 2023-11-23 16:13:37 +01:00 · 2023-11-23 16:13:37 +01:00 · 0564e4ebb4
commit 0564e4ebb4
parent c922864f30
20 changed files with 407 additions and 0 deletions
--- a/dev-docs/howto/vpn/helm/files/strongswan/charon-logging.conf
+++ b/dev-docs/howto/vpn/helm/files/strongswan/charon-logging.conf
@ -0,0 +1,11 @@
+charon {
+    filelog {
+        stderr {
+            time_format = %b %e %T
+            ike_name = yes
+            default = 1
+            ike = 2
+            flush_line = yes
+        }
+    }
+}
--- a/dev-docs/howto/vpn/helm/files/strongswan/entrypoint.sh
+++ b/dev-docs/howto/vpn/helm/files/strongswan/entrypoint.sh
@ -0,0 +1,13 @@
+#!/bin/sh
+
+# The charon binary is not included in the PATH generated by nixery.dev, find it manually.
+charon="$(dirname "$(readlink -f "$(command -v charon-systemd)")")/../libexec/ipsec/charon"
+
+"${charon}" &
+
+while ! swanctl --stats > /dev/null 2> /dev/null; do
+  sleep 1
+done
+swanctl --load-all
+
+wait
--- a/dev-docs/howto/vpn/helm/files/tproxy-setup.sh
+++ b/dev-docs/howto/vpn/helm/files/tproxy-setup.sh
@ -0,0 +1,38 @@
+#!/bin/sh
+
+set -eu
+
+### Pod IPs ###
+
+# Pod IPs are just NATed.
+
+iptables -t nat -N VPN_POST || iptables -t nat -F VPN_POST
+
+for cidr in ${VPN_PEER_CIDRS}; do
+  iptables -t nat -A VPN_POST -s "${cidr}" -d "${VPN_POD_CIDR}" -j MASQUERADE
+done
+
+iptables -t nat -C POSTROUTING -j VPN_POST || iptables -t nat -A POSTROUTING -j VPN_POST
+
+### Service IPs ###
+
+# Service IPs need to be connected to locally to trigger the cgroup connect hook, thus we send them to the transparent proxy.
+
+# Packets with mark 1 are for tproxy and need to be delivered locally.
+# For more information see: https://www.kernel.org/doc/Documentation/networking/tproxy.txt
+pref=42
+table=42
+mark=0x1/0x1
+ip rule add pref "${pref}" fwmark "${mark}" lookup "${table}"
+ip route replace local 0.0.0.0/0 dev lo table "${table}"
+
+iptables -t mangle -N VPN_PRE || iptables -t mangle -F VPN_PRE
+
+for cidr in ${VPN_PEER_CIDRS}; do
+  for proto in tcp udp; do
+    iptables -t mangle -A VPN_PRE -p "${proto}" -s "${cidr}" -d "${VPN_SERVICE_CIDR}" \
+      -j TPROXY --tproxy-mark "${mark}" --on-port 61001
+  done
+done
+
+iptables -t mangle -C PREROUTING -j VPN_PRE || iptables -t mangle -A PREROUTING -j VPN_PRE
--- a/dev-docs/howto/vpn/helm/files/wireguard-setup.sh
+++ b/dev-docs/howto/vpn/helm/files/wireguard-setup.sh
@ -0,0 +1,13 @@
+#!/bin/sh
+
+set -eu
+
+dev=vpn_wg0
+
+ip link add dev "${dev}" type wireguard
+wg setconf "${dev}" /etc/wireguard/wg.conf
+ip link set dev "${dev}" up
+
+for cidr in ${VPN_PEER_CIDRS}; do
+  ip route replace "${cidr}" dev "${dev}"
+done