
VPN Overlays & Remote Access

When building a bare-metal cluster, security is paramount. By default, your cluster operates on a private, non-routable local area network (e.g., 192.168.1.0/24).

While this prevents attackers on the internet from directly connecting to your Kubernetes API, it also prevents you from managing your cluster when you leave your house.

The Perimeter Problem (Port Forwarding)

Historically, the solution to remote access was to open a port on your home router (Port Forwarding) and expose an SSH bastion host or an OpenVPN server to the public internet.

The moment you open a port to the internet, it will be scanned and attacked by automated botnets within minutes. If there is a zero-day vulnerability in your SSH daemon or OpenVPN server, your entire home network is compromised.

Mesh VPNs (WireGuard / Tailscale)

Modern infrastructure has shifted away from perimeter defense toward "Zero Trust" Mesh VPNs.

Instead of opening a hole in your router's firewall, a Mesh VPN like Tailscale uses WireGuard to create outbound encrypted tunnels. Because the connection is initiated outbound from inside your network, your router's firewall allows the traffic, and no incoming ports need to be exposed.

Point-to-Point Overlay

Unlike a traditional VPN that funnels all your traffic through a central choke-point, a Mesh VPN establishes direct peer-to-peer encrypted tunnels between your devices.

When you install Tailscale on your MacBook and on a Kubernetes node, they are both assigned an IP address on a shared, encrypted virtual network (e.g., 100.x.y.z). You can SSH into the node using its 100.x IP address, regardless of where either device is physically located in the world.

The Subnet Router Pattern

Installing a VPN agent on every single pod and node in a Kubernetes cluster adds overhead to each of them and is difficult to maintain.

Instead, we use the Subnet Router pattern.

  1. The Gateway: You install Tailscale on a single, dedicated node in your cluster (e.g., k8s-worker-02).
  2. The Advertisement: You configure that node to advertise your physical local subnet (e.g., 192.168.1.0/24) to the Tailscale network.
  3. The Bridge: When you are at a coffee shop and attempt to ssh to 192.168.1.51 (your Control Plane), the Tailscale agent on your MacBook intercepts the traffic. It encrypts the packet and sends it over the internet to k8s-worker-02.
  4. The Decapsulation: k8s-worker-02 receives the packet, decrypts it, and forwards the raw SSH request onto the physical Ethernet switch. The Control Plane receives the request as if it originated from inside the local network.
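The following is an added example, not code from the original page or from Tailscale: a small Python model of the four steps above. It renders the host configuration for the gateway node (the `net.ipv4.ip_forward` / `net.ipv6.conf.all.forwarding` sysctls and the `tailscale up --advertise-routes` flag are Tailscale's documented subnet-router setup), validates that the advertised prefix is a private LAN range rather than a default route, and models the client-side decision in step 3: which peer, if any, a packet to 192.168.1.51 is tunnelled to. The peer table, the 100.101.1.x tailnet addresses and the `PEERS` / `select_peer` names are constructed for the example; the node name `k8s-worker-02` and the 192.168.1.0/24 subnet come from the text.

```python
import ipaddress

# Tailscale assigns node addresses from the CGNAT range 100.64.0.0/10 (the "100.x.y.z" in the text).
TAILNET = ipaddress.ip_network("100.64.0.0/10")

# Ranges a homelab subnet router is expected to advertise: RFC 1918 (IPv4) and ULA (IPv6).
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fc00::/7"),
]

# Constructed peer table: hypothetical tailnet addresses; only k8s-worker-02 advertises a route.
PEERS = {
    "macbook": {"tailscale_ip": "100.101.1.10", "advertised_routes": []},
    "k8s-worker-02": {"tailscale_ip": "100.101.1.20", "advertised_routes": ["192.168.1.0/24"]},
}


def validate_advertised_routes(routes):
    """Return a list of problems with the routes a subnet router wants to advertise.

    The check to run before step 2: each route must be a valid prefix inside a private
    range, and never a default route (a default route makes the node an exit node for
    all of the tailnet's traffic, which is a different and much broader role).
    """
    problems = []
    for r in routes:
        try:
            net = ipaddress.ip_network(r, strict=True)
        except ValueError as exc:
            problems.append(f"{r}: not a valid CIDR prefix ({exc})")
            continue
        if net.prefixlen == 0:
            problems.append(f"{r}: default route; this is an exit node, not a subnet router")
        elif not any(net.version == p.version and net.subnet_of(p) for p in PRIVATE_RANGES):
            problems.append(f"{r}: not an RFC 1918 private range")
    return problems


def render_setup(node, routes):
    """Render the shell commands for steps 1 and 2 on the gateway node.

    The sysctl keys and the --advertise-routes flag are Tailscale's documented setup;
    the route list is validated first so a typo cannot turn the node into an exit node.
    """
    problems = validate_advertised_routes(routes)
    if problems:
        raise ValueError("; ".join(problems))
    return [
        f"# on {node}: let the kernel forward decapsulated packets onto the physical LAN",
        "echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf",
        "echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf",
        "sudo sysctl -p /etc/sysctl.d/99-tailscale.conf",
        f"sudo tailscale up --advertise-routes={','.join(routes)}",
    ]


def select_peer(dst, peers=PEERS):
    """Model the client-side decision in step 3.

    Returns (peer_name, reason) when the packet is carried over an encrypted tunnel,
    or None when the destination is neither a tailnet address nor covered by an
    advertised route (it then leaves via the normal default route, untouched by the VPN).
    A peer's own tailnet address wins over subnet routes; among routes the longest prefix wins.
    """
    ip = ipaddress.ip_address(dst)
    for name, peer in peers.items():
        if ip == ipaddress.ip_address(peer["tailscale_ip"]):
            return name, "tailnet address"
    best = None
    for name, peer in peers.items():
        for r in peer["advertised_routes"]:
            net = ipaddress.ip_network(r)
            if ip.version == net.version and ip in net:
                if best is None or net.prefixlen > best[1].prefixlen:
                    best = (name, net)
    if best is None:
        return None
    return best[0], f"subnet route {best[1]}"


if __name__ == "__main__":
    for line in render_setup("k8s-worker-02", ["192.168.1.0/24"]):
        print(line)
    for dst in ("192.168.1.51", "100.101.1.20", "8.8.8.8"):
        print(dst, "->", select_peer(dst))
```

Running the script prints the gateway setup and then shows that SSH traffic to the Control Plane at 192.168.1.51 is tunnelled to k8s-worker-02 because of its advertised route, that traffic to the gateway's own 100.x address is tunnelled directly, and that an internet destination such as 8.8.8.8 is left alone. The validation step is deliberately strict: advertising 0.0.0.0/0 or a public prefix is rejected before any command is rendered.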

This architecture grants you full, secure access to your bare-metal cluster—including the kube-vip endpoints—without ever exposing a single port to the public internet.