To deploy OpenVPN using a deployment.yaml file directly in a k3s Kubernetes cluster, follow these steps to create the necessary Kubernetes resources such as the Deployment, Service, and ConfigMap to configure and run OpenVPN.
Step 1: Create a Deployment for OpenVPN
Here is the deployment.yaml for the OpenVPN server:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: openvpn-as
  labels:
    app: openvpn-as
spec:
  replicas: 1
  selector:
    matchLabels:
      app: openvpn-as
  template:
    metadata:
      labels:
        app: openvpn-as
    spec:
      containers:
      - name: openvpn-as
        image: openvpn/openvpn-as
        ports:
        - containerPort: 943    # admin and client web interface
        - containerPort: 443    # HTTPS
        - containerPort: 1194   # VPN tunnel
          protocol: UDP
        volumeMounts:
        - name: openvpn-data
          mountPath: /openvpn
        securityContext:
          capabilities:
            add:
            - NET_ADMIN         # lets the container configure network interfaces and routes
      volumes:
      - name: openvpn-data
        nfs:
          server: 192.168.1.120
          path: /mnt/kubernetes/volume/openvpn
          readOnly: false
```
Step 2: Create a Service for OpenVPN
To expose the OpenVPN deployment, create a Service that will allow external access to the OpenVPN server:

```yaml
apiVersion: v1
kind: Service
metadata:
  name: openvpn-as-vpn
  labels:
    app: openvpn-as
spec:
  type: LoadBalancer
  selector:
    app: openvpn-as
  ports:
  - name: vpn
    port: 1194
    targetPort: 1194
    protocol: UDP
```
In OpenVPN, UDP port 1194 is used for the following purposes:
- UDP port 1194 is the default port used by OpenVPN for establishing a secure VPN connection between the client and the server.
- OpenVPN uses this port to facilitate encrypted communication using the User Datagram Protocol (UDP), which is typically chosen for its lower latency compared to Transmission Control Protocol (TCP).
Create another Service to access the Web UI:

```yaml
apiVersion: v1
kind: Service
metadata:
  name: openvpn-as-web
  # A Service only selects pods in its own namespace, so the Deployment
  # and the VPN Service must be applied to this namespace as well.
  namespace: homelab-prod
  labels:
    app: openvpn-as
spec:
  type: LoadBalancer
  selector:
    app: openvpn-as
  ports:
  - name: web
    port: 943
    targetPort: 943
    protocol: TCP
  - name: https
    port: 443
    targetPort: 443
    protocol: TCP
```
In OpenVPN, ports 443 and 943 are used for the following purposes:
- TCP 443: The default port for HTTPS, which allows OpenVPN to bypass firewall restrictions on public networks. It can also be used as a fallback if UDP is blocked.
- TCP 943: The port for the administrative web interface and the client web interface.
Step 3: Apply the YAML Files
Now, apply the Deployment and Service:

```
kubectl apply -f deployment.yaml
kubectl apply -f service.yaml
```
Step 4: Sign in to the Admin Web UI:
You’ve installed Access Server, and the pod is running. You can now sign in to the Admin Web UI, a web-based GUI for managing your VPN server.
The Admin Web UI is available at https://LOAD-BALANCER-IP:943/admin.
Find the temporary password
The default user is openvpn and you can find the temporary password created with the initial Access Server configuration in the container logs:
- With the pod running, display the logs with this command:

  ```
  kubectl logs -f {pod-name}
  ```
- The Access Server Initial Configuration Tool output displays.
- Scroll to find the line, Auto-generated pass = “<password>”. Setting in db…
- Use the generated password with the openvpn username to sign in to the Admin Web UI.
Sign in as an administrator
To access and sign in to the Admin Web UI:
- Open a web browser.
- Enter the Admin Web UI URL, available at https://LOAD-BALANCER-IP:943/admin.
- A security warning displays. Access Server uses a self-signed SSL certificate. We recommend replacing it with a signed certificate. Refer to SSL Certificates.
- Click through the security warning.
- The Admin Login displays.
- Enter the openvpn username with the temporary password and click Sign In.
- The EULA displays for you to read through, accept, and proceed to the Admin Web UI configuration pages.
To download the client, open https://LOAD-BALANCER-IP:943 and log in with the same username and password.
Once you have logged in, you will see a page like this based on your Operating System.
Step 5: Configuring User and Subnet:
User Creation:
Log in to the admin page -> user management -> user permissions. Type the username you want to create, and check the admin box if the user is an admin user.
To set the password for the user, click the More Settings option.
Enter the new password here, click Save Settings at the bottom of the page, and then click Update Server after saving the settings.
Now download the OpenVPN profile for auto connection. To do so, go to admin page -> user management -> user profiles -> New Profile (for the new user).
Now choose the method you want to connect with and click Create. It will download the .ovpn profile file.
Note: Don’t forget to update the port on your router.
Now edit the downloaded file and replace the IP with your public IP address wherever the IP address is mentioned.
Now we are ready to make the connection. To do this, install the OpenVPN client on your device, open it, and click on the + button.
Choose Upload File.
Select the file that we just edited by clicking Browse.
Click Connect to establish the connection.
We are successfully connected to the OpenVPN pod.
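The profile edit described above can be scripted and then checked. This is an added example, not part of the original post or of OpenVPN's own tooling. It assumes the server address appears in the profile's `remote` directives; the function names, the sample profile and both addresses (192.168.1.50 and 203.0.113.10) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample profile (placeholder data, not real Access Server output).
sample_profile() {
cat <<'EOF'
client
dev tun
remote 192.168.1.50 1194 udp
remote 192.168.1.50 443 tcp
<ca>
-----BEGIN CERTIFICATE-----
cmVtb3RlIGV4YW1wbGU=
-----END CERTIFICATE-----
</ca>
EOF
}

# set_ovpn_remote HOST: read a profile on stdin and write it to stdout with
# the host field of every `remote HOST [PORT] [PROTO]` directive replaced.
# Inline certificate and key material has no line whose first word is
# "remote", so it passes through unchanged.
set_ovpn_remote() {
    awk -v host="$1" '
        $1 == "remote" && NF >= 2 { $2 = host }
        { print }
    '
}

# private_remotes: print every remote directive that still points at an
# RFC 1918 address, which a client outside the LAN cannot reach.
# Exit status is 0 when none are found and 1 otherwise.
private_remotes() {
    awk '
        $1 == "remote" && $2 ~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/ {
            print; bad = 1
        }
        END { exit bad + 0 }
    '
}

# Demo: rewrite the sample profile and show the resulting remote lines.
sample_profile | set_ovpn_remote 203.0.113.10 | grep '^remote'
```

For a real profile, run `set_ovpn_remote YOUR-PUBLIC-IP < downloaded.ovpn > edited.ovpn` and then `private_remotes < edited.ovpn` before importing the file into the client.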
Subnet Config:
To access multiple subnets, go to the Admin page → Configuration → VPN Settings. Under Routing, add your subnet here, then save and update the server to apply the changes.
I was just searching for this info for some time. After six hours of continuous Googling, at last I got it in your web site. I wonder what is the lack of Google strategy that do not rank this kind of informative websites in top of the list. Normally the top websites are full of garbage.
Thank you for the kind words! I’m glad you found the information you were looking for here after such a long search. It’s true that search results can sometimes miss highlighting genuinely helpful sites, but feedback like yours reminds us that sharing useful, clear content is worth the effort. If there’s anything else you’re looking for or need further details on, feel free to ask—I’m happy to help!