dev-docs: add on-prem terraform to vpn setup (#2619)

* vpn: add fake-on-prem infra * dev-docs: move vpn helm
2025-05-02 06:16:08 -04:00 · 2023-11-23 16:13:37 +01:00 · 2023-11-23 16:13:37 +01:00 · 0564e4ebb4
commit 0564e4ebb4
parent c922864f30
20 changed files with 407 additions and 0 deletions
--- a/dev-docs/howto/vpn/helm/files/tproxy-setup.sh
+++ b/dev-docs/howto/vpn/helm/files/tproxy-setup.sh
@ -0,0 +1,38 @@
+#!/bin/sh
+
+set -eu
+
+### Pod IPs ###
+
+# Pod IPs are just NATed.
+
+iptables -t nat -N VPN_POST || iptables -t nat -F VPN_POST
+
+for cidr in ${VPN_PEER_CIDRS}; do
+  iptables -t nat -A VPN_POST -s "${cidr}" -d "${VPN_POD_CIDR}" -j MASQUERADE
+done
+
+iptables -t nat -C POSTROUTING -j VPN_POST || iptables -t nat -A POSTROUTING -j VPN_POST
+
+### Service IPs ###
+
+# Service IPs need to be connected to locally to trigger the cgroup connect hook, thus we send them to the transparent proxy.
+
+# Packets with mark 1 are for tproxy and need to be delivered locally.
+# For more information see: https://www.kernel.org/doc/Documentation/networking/tproxy.txt
+pref=42
+table=42
+mark=0x1/0x1
+ip rule add pref "${pref}" fwmark "${mark}" lookup "${table}"
+ip route replace local 0.0.0.0/0 dev lo table "${table}"
+
+iptables -t mangle -N VPN_PRE || iptables -t mangle -F VPN_PRE
+
+for cidr in ${VPN_PEER_CIDRS}; do
+  for proto in tcp udp; do
+    iptables -t mangle -A VPN_PRE -p "${proto}" -s "${cidr}" -d "${VPN_SERVICE_CIDR}" \
+      -j TPROXY --tproxy-mark "${mark}" --on-port 61001
+  done
+done
+
+iptables -t mangle -C PREROUTING -j VPN_PRE || iptables -t mangle -A PREROUTING -j VPN_PRE