dev-docs: set an MTU on the VPN route (#3239)
burgerdev authored Jul 10, 2024
1 parent 2cf3159 commit a6b0885
Showing 3 changed files with 15 additions and 2 deletions.
2 changes: 2 additions & 0 deletions dev-docs/howto/vpn/helm/templates/_helpers.tpl
Expand Up @@ -39,4 +39,6 @@ app.kubernetes.io/instance: {{ .Release.Name }}
value: {{ .Values.serviceCIDR | quote }}
- name: VPN_FRONTEND_POD
value: {{ include "..fullname" . }}-frontend-0
- name: VPN_MTU
value: {{ .Values.mtu | quote }}
{{- end }}
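Review bot: `value: {{ .Values.mtu | quote }}` renders differently depending on how an operator "leaves it empty", which the new values.yaml comment ("Leave empty if path MTU discovery is supported end-to-end") does not pin down: `mtu: ""` gives `value: ""`, whereas a null `mtu:` goes through sprig's quote as nil and, as far as I recall, renders a bare `value:` with no string at all. Since the sidecar only tests `-n "${VPN_MTU}"`, both probably end up as an empty env var, but the rendered manifest is cleaner and the intent explicit with `value: {{ .Values.mtu | default "" | quote }}`, and the values.yaml comment should say which form is expected, e.g. `# Set to "" to disable.`. The enclosing env list starts above this hunk.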
6 changes: 5 additions & 1 deletion dev-docs/howto/vpn/helm/values.yaml
Expand Up @@ -8,11 +8,15 @@ serviceCIDR: "10.96.0.0/12"
# on-prem IP ranges to expose to Constellation. Must contain at least one CIDR.
peerCIDRs: []

# MTU to set on the VPN route. Leave empty if path MTU discovery is supported end-to-end.
# See also https://docs.strongswan.org/docs/5.9/howtos/forwarding.html#_mtumss_issues.
mtu: 1300

# IPSec configuration
ipsec:
# pre-shared key used for authentication
psk: ""
# Address of the peer's gateway router.
peer: ""

image: "ghcr.io/edgelesssys/constellation/vpn@sha256:34e28ced172d04dfdadaadbefb1a53b5857cb24fb24e275fbbc537f3639a789e"
image: "ghcr.io/edgelesssys/constellation/vpn@sha256:88b6a0265052cb0a68d20d9b20e0d42ef15e7a80e5f71201ecf32e004de2356e"
9 changes: 8 additions & 1 deletion nix/container/vpn/sidecar.sh
Expand Up @@ -30,10 +30,17 @@ reconcile_sip_verification() {
fi
}

optional_mtu() {
if [ -n "${VPN_MTU}" ]; then
printf "mtu %s" "${VPN_MTU}"
fi
}

# Set up the route from the node network namespace to the VPN pod.
reconcile_route() {
for cidr in ${VPN_PEER_CIDRS}; do
nsenter -t 1 -n ip route replace "${cidr}" via "$(myip)"
# shellcheck disable=SC2046 # Word splitting is intentional here.
nsenter -t 1 -n ip route replace "${cidr}" via "$(myip)" $(optional_mtu)
done
}
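Review bot: `optional_mtu` splices `${VPN_MTU}` unquoted into the `ip route replace` argument list (the `shellcheck disable=SC2046` on the line before makes that explicit), but nothing checks that the value is a bare integer; a value such as `1300 dev eth0` coming from the chart values would become extra route attributes rather than an MTU. Restricting the helper to decimal digits keeps the word-splitting limited to the two words it is meant to produce and logs anything else instead of passing it on. Since `$(...)` runs in a subshell, a non-zero return from the helper would not stop `reconcile_route`, so the rewrite below just emits no `mtu` argument on bad input; if the script runs under `set -u` (its header is outside this hunk), `${VPN_MTU:-}` avoids aborting when the variable is unset.
```shell
optional_mtu() {
  # Only a bare decimal MTU may be spliced into the ip(8) command line;
  # empty or non-numeric input yields no "mtu" argument at all.
  case "${VPN_MTU:-}" in
    '') ;;
    *[!0-9]*) printf 'ignoring non-numeric VPN_MTU: %s\n' "${VPN_MTU}" >&2 ;;
    *) printf "mtu %s" "${VPN_MTU}" ;;
  esac
}
# … unchanged: reconcile_route …
```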
