Routing traffic through OpenVPN on Kubernetes with Calico

I am running a kubernetes cluster on the IBM container service.

I have an OpenVPN pod set up, which successfully allows clients to connect. Clients have fixed IPs assigned using CCD (in the range 10.240.0.0/16).

I would like other pods in my cluster (in 172.30.42.0/24) to be able to access clients connected via OpenVPN.

I have attempted to implement this by adding a route to the host node:

ip route add 10.240.0.0/16 via 172.30.42.65 (where 172.30.42.65 is the OpenVPN pod)

This, briefly, allows other pods on the node to route traffic to OpenVPN clients. Unfortunately, Calico's Felix removes the route after a short period.

Is it possible to set up a route from nodes to VPN clients via the VPN server pod, accepting that Calico appears to be enforced by IBM?

I've seen https://github.com/pieterlange/kube-openvpn, which achieves something close using port forwarding. This, however, is dependent on setting up a port forward rule for every VPN client, which I'd rather avoid (it feels like we're re-inventing routing with this solution...)

I'd assumed that this would be achievable with Calico config, but I can't find anything that appears to do the right thing in their documentation.


Calico has an annotation where you can specify the IP address for a Pod:

annotations:
  "cni.projectcalico.org/ipAddrs": "[\"192.168.0.1\"]"

You can specify the address for your OpenVPN pod in the annotation and then create the static route for OpenVPN clients.
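As an added example (not part of the question or the answer above), here is the annotation placed on a complete Pod manifest, using the OpenVPN pod address and pod CIDR from the question. The image reference, namespace, ConfigMap name and the NET_ADMIN capability are assumptions, not something the thread states.

```yaml
# Added example, not from the question or the answer: an OpenVPN Pod pinned to
# a fixed Calico IP so that a static host route to the VPN client range has a
# stable next hop. Pod address 172.30.42.65 and pod CIDR 172.30.42.0/24 are
# taken from the question; image, namespace and ConfigMap name are assumed.
apiVersion: v1
kind: Pod
metadata:
  name: openvpn
  namespace: vpn                      # assumed namespace
  annotations:
    # Calico IPAM: request this exact address for the pod. It must be a free
    # address inside a Calico IP pool (here the 172.30.42.0/24 pod range).
    cni.projectcalico.org/ipAddrs: "[\"172.30.42.65\"]"
spec:
  containers:
    - name: openvpn
      image: example/openvpn:latest   # hypothetical image reference
      securityContext:
        capabilities:
          add: ["NET_ADMIN"]          # assumed: needed to create tun0 and to
                                      # forward between tun0 and eth0
      volumeMounts:
        - name: config
          mountPath: /etc/openvpn     # server.conf plus the CCD directory
  volumes:
    - name: config
      configMap:
        name: openvpn-config          # assumed ConfigMap holding the config
```

With the pod address fixed, the route from the question, `ip route add 10.240.0.0/16 via 172.30.42.65`, can be added on each node with a predictable next hop even after the pod is recreated. The annotation only stabilises the address, though; it does not by itself stop Felix from reconciling host routes, so whether a manually added route survives still depends on the Felix configuration (its `removeExternalRoutes` setting), which on a provider-managed cluster you may not be able to change.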