I recently found myself in a situation where my Kubernetes node needed to access Google Search from another network, because the node's own IP address was blocked.
I could have set up a VPN on the node, but I didn't want to deal with the hassle of setting up and maintaining one. I also didn't want to set up a bastion host and open up another attack vector into my network.
I decided to set up a SOCKS proxy over SSH instead.
VPS
I set up a VPS on MikroVPS located in Frankfurt, Germany. I also restricted the SSH access to the VPS to only the IP address of the node.
iptables -A INPUT -s <NODE_IP>/32 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j DROP
Allocate a static IP address
I allocated a static IP address (10.1.0.1) on the Kubernetes node, bound to the lo interface.
I made it permanent by adding the following to the node's netplan configuration:
network:
  ...
  ethernets:
    lo:
      addresses:
        - 127.0.0.1/8
        - 10.1.0.1/32
Set up SSH SOCKS Proxy Service on Kubernetes Node
I set up an SSH SOCKS proxy service on the Kubernetes node using the following systemd service file:
# /etc/systemd/system/ssh-socks-proxy.service
[Unit]
Description=SSH Tunnel for 10.1.0.1 SOCKS PROXY to Remote Host
After=network.target

[Service]
User=NONROOTUSER
# -N: run no remote command; -D: SOCKS listener, bound only to the 10.1.0.1 alias.
# ExitOnForwardFailure makes ssh exit (so systemd restarts it) if the bind fails;
# the ServerAlive options detect a dead tunnel instead of hanging on it.
# Connect once manually as NONROOTUSER first so the VPS host key is already in known_hosts.
ExecStart=/usr/bin/ssh -i /home/NONROOTUSER/key -N -D 10.1.0.1:1080 \
    -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
    <USER>@<VPS_IP>
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target
Ensure the service is enabled and started:
sudo systemctl enable ssh-socks-proxy.service --now
Test the SOCKS Proxy
I tested the SOCKS proxy by running the following command from the Kubernetes node:
curl -x socks5://10.1.0.1 https://www.google.com
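Two checks worth running once the service is up, as an added example that is not part of the original post: that the SOCKS port listens only on the 10.1.0.1 alias (a wildcard bind would offer the tunnel to every host that can reach the node), and that traffic through the proxy really leaves from the VPS. The IP-echo URL is an assumption; substitute any endpoint that returns the caller's address.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the post's listener
# address/port (10.1.0.1:1080) and that `ss` and `curl` exist on the node.
SOCKS_ADDR="10.1.0.1"
SOCKS_PORT="1080"
IP_ECHO_URL="https://ifconfig.me"   # assumption: any "echo my IP" endpoint works

# Reads `ss -ltnH` output on stdin. Succeeds (0) only when the SOCKS port is
# listening on the loopback alias and on no other address: an ssh -D bound to
# 0.0.0.0 or [::] would turn the node into an open proxy for its neighbours.
check_socks_bind() {
    found=0
    while read -r _state _recvq _sendq laddr _peer _rest; do
        case "$laddr" in
            "$SOCKS_ADDR:$SOCKS_PORT") found=1 ;;
            *:"$SOCKS_PORT")
                printf 'SOCKS port bound to unexpected address %s\n' "$laddr" >&2
                return 2 ;;
        esac
    done
    [ "$found" -eq 1 ]
}

# Public address seen without the proxy (the node's own egress).
direct_egress_ip() {
    curl -s --max-time 10 "$IP_ECHO_URL"
}

# Public address seen through the tunnel; should be the VPS address.
# socks5h:// (not socks5://) makes curl resolve hostnames on the VPS side too,
# so the blocked network never sees the DNS lookups either.
proxied_egress_ip() {
    curl -s --max-time 10 -x "socks5h://$SOCKS_ADDR:$SOCKS_PORT" "$IP_ECHO_URL"
}

# Usage on the node:
#   ss -ltnH | check_socks_bind && echo "bind OK"
#   [ "$(direct_egress_ip)" != "$(proxied_egress_ip)" ] && echo "egress via VPS OK"
```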