DEV Community

Cover image for Let's run a VPN with Kubernetes! - How to deploy the Mysterium dVPN on K3s

Let's run a VPN with Kubernetes! - How to deploy the Mysterium dVPN on K3s

Ayane Satomi
ex-Coder Technologies and master procrastinator.
・3 min read

Update: You can now deploy this using KubeSail!

We can't deny Kubernetes is a great container scheduler and orchestrator, but before then it was nigh impossible to run anything that needs privileges. Fast forward to today, we can now run a VPN inside a container (thank you WireGuard).

Since Kubernetes 1.18, securityContext is a stable feature, so the usual docker args such as --cap-add is now possible. And since that is now possible, why not run a VPN inside Kubernetes?

What we're using

For this lab, we're using the following:

  • K3s v1.18. This can be run on your Raspberry Pi or use a hosted solution like the ones from our friends at Civo.

  • The Mysterium dVPN. Mysterium dVPN comes with OpenVPN, noop, and WireGuard preinstalled for you. In addition, you can also share the VPN to your friends and set a meager fee so you can earn while it's being used.

  • A VM that allows us to use NET_ADMIN capability in the Kubernetes security context. You'll need NET_ADMIN to run iptable rules and setup tunnels.

Setting up your Cluster

First of all, let's connect to your cluster. Assuming you're running your stuff locally you can get the Kubeconfig from /var/lib/rancher. If you're using Civo or any other provider, you need to grab the Kubeconfig from the dashboard.

Alt Text

Once you have the Kubeconfig, feel free to point your kubectl to your Kubeconfig, but for the sake of simplicity, I will be using Mirantis Lens.

Configure the Deployment

We would want to configure the deployment we will be using next this time. I took the liberty to set up this for you.

This example deployment file does the following:

  • Create a Pod with privileged status and the NET_ADMIN capability. This allows our pod to set it's own network rules inside the host it will be scheduled in.

  • Create a Service for the Mysterium Node Frontend. This is required for you to finish the rest of the setup.

  • Create a PVC which will contain your configurations.

  • Create a Ingress using the default Traefik ingress for K3s and run it under whatever domain you put it.

Configure this according to your liking but this is the bare minimum setup you will want to go with. If all goes according to plan, it should deploy properly.

Alt Text

So when you check your Pods, our small little node should be setup!

Alt Text

Final steps

Let's log in to your Mysterium Frontend and set up the rest of the node, the default credentials is myst for username and mystberryfor the password. Change this immediately.

Alt Text

Head over to settings and set your ERC-20 ETH Address and E-mail. Setting these would allow payments to your VPN go through that wallet, and the email will let you to send bug reports to the Mysterium developers should you encounter issues.

Alt Text

With all that set up, Go to Statistics and connect to your VPN using the ID provided there. If all goes well, all three providers are available for you, which is OpenVPN, noop, and WireGuard.

Alt Text

The Mysterium client will decide by its own which is the more efficient protocol based on where you are, so don't worry about which protocol to use.

With that all set, download the Mysterium dVPN client and browse away!


Today we have learned that we can run any kind of VPN in Kubernetes as long as our nodes allow us to use NET_ADMIN capability and it's packaged accordingly.

Now you have a VPN set up, go ahead and share it to your friends and family using the Provider ID provided on Statistics for your node! You may run it without cost or run a recurring fee, just set it on your Settings.

Discussion (1)

Forem Open with the Forem app