Merge pull request #449 from kubenetworks/tun-ip-cidr

feat: change tun ip cidr

Author: yuyicai

README.md

@@ -656,7 +656,7 @@ OK: 8 MiB in 19 packages
 Hello world!/opt/microservices # 
 
 /opt/microservices # curl authors:9080/health -H "foo: bar"
->>Received request: GET /health from 223.254.0.109:57930
+>>Received request: GET /health from 198.19.0.109:57930
                                                         Hello world!/opt/microservices # 
 /opt/microservices # curl localhost:9080/health
 {"status":"Authors is healthy"}/opt/microservices # exit

README_ZH.md

@@ -580,7 +580,7 @@ OK: 8 MiB in 19 packages
 Hello world!/opt/microservices # 
 
 /opt/microservices # curl authors:9080/health -H "foo: bar"
->>Received request: GET /health from 223.254.0.109:57930
+>>Received request: GET /health from 198.19.0.109:57930
                                                         Hello world!/opt/microservices # 
 /opt/microservices # curl localhost:9080/health
 {"status":"Authors is healthy"}/opt/microservices # exit

charts/kubevpn/templates/deployment.yaml

@@ -52,13 +52,13 @@ spec:
             - -c
           env:
             - name: CIDR4
-              value: 223.254.0.0/16
+              value: 198.19.0.0/16
             - name: CIDR6
-              value: efff:ffff:ffff:ffff::/64
+              value: 2001:2::/64
             - name: TunIPv4
-              value: 223.254.0.100/16
+              value: 198.19.0.100/16
             - name: TunIPv6
-              value: efff:ffff:ffff:ffff:ffff:ffff:ffff:9999/64
+              value: 2001:2::9999/64
           envFrom:
             - secretRef:
                 name: {{ include "kubevpn.fullname" . }}

cmd/kubevpn/cmds/serve.go

@@ -31,7 +31,7 @@ func CmdServe(_ cmdutil.Factory) *cobra.Command {
 		`)),
 		Example: templates.Examples(i18n.T(`
         # serve node
-        kubevpn serve -L "tcp://:10800" -L "tun://127.0.0.1:8422?net=223.254.0.123/32"
+        kubevpn serve -L "tcp://:10800" -L "tun://127.0.0.1:8422?net=198.19.0.123/32"
 		`)),
 		PreRun: func(*cobra.Command, []string) {
 			util.InitLoggerForServer(config.Debug)

cmd/kubevpn/cmds/ssh.go

@@ -26,7 +26,7 @@ import (
 )
 
 // CmdSSH
-// Remember to use network mask 32, because ssh using unique network CIDR 223.255.0.0/16
+// Remember to use network mask 32, because ssh using unique network CIDR 198.18.0.0/16
 func CmdSSH(_ cmdutil.Factory) *cobra.Command {
 	var sshConf = &pkgssh.SshConfig{}
 	var extraCIDR []string

cmd/kubevpn/cmds/sshdaemon.go

@@ -14,7 +14,7 @@ import (
 )
 
 // CmdSSHDaemon
-// set local tun ip 223.254.0.1/32, remember to use mask 32
+// set local tun ip 198.19.0.1/32, remember to use mask 32
 func CmdSSHDaemon(_ cmdutil.Factory) *cobra.Command {
 	var clientIP string
 	cmd := &cobra.Command{
@@ -24,7 +24,7 @@ func CmdSSHDaemon(_ cmdutil.Factory) *cobra.Command {
 		Long:   templates.LongDesc(i18n.T(`Ssh daemon server`)),
 		Example: templates.Examples(i18n.T(`
         # SSH daemon server
-        kubevpn ssh-daemon --client-ip 223.254.0.123/32
+        kubevpn ssh-daemon --client-ip 198.19.0.123/32
 		`)),
 		PreRunE: func(cmd *cobra.Command, args []string) error {
 			err := daemon.StartupDaemon(cmd.Context())

cmd/kubevpn/cmds/status_test.go

@@ -29,8 +29,8 @@ func TestPrintProxyAndClone(t *testing.T) {
 						RuleList: []*rpc.ProxyRule{
 							{
 								Headers:       map[string]string{"user": "naison"},
-								LocalTunIPv4:  "223.254.0.103",
-								LocalTunIPv6:  "efff:ffff:ffff:ffff:ffff:ffff:ffff:999d",
+								LocalTunIPv4:  "198.19.0.103",
+								LocalTunIPv6:  "2001:2::999d",
 								CurrentDevice: false,
 								PortMap:       map[int32]int32{8910: 8910},
 							},
@@ -98,8 +98,8 @@ func TestPrintProxy(t *testing.T) {
 						RuleList: []*rpc.ProxyRule{
 							{
 								Headers:       map[string]string{"user": "naison"},
-								LocalTunIPv4:  "223.254.0.103",
-								LocalTunIPv6:  "efff:ffff:ffff:ffff:ffff:ffff:ffff:999d",
+								LocalTunIPv4:  "198.19.0.103",
+								LocalTunIPv6:  "2001:2::999d",
 								CurrentDevice: false,
 								PortMap:       map[int32]int32{8910: 8910},
 							},

pkg/config/config.go

@@ -35,7 +35,10 @@ const (
 	VolumeEnvoyConfig = "envoy-config"
 	VolumeSyncthing   = "syncthing"
 
-	innerIPv4Pool = "223.254.0.100/16"
+	// innerIPv4Pool is used as tun ip
+	// 198.19.0.0/16 network  is part of the 198.18.0.0/15 (reserved for benchmarking).
+	// https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
+	innerIPv4Pool = "198.19.0.100/16"
 	// 原因：在docker环境中，设置docker的 gateway 和 subnet，不能 inner 的冲突，也不能和 docker的 172.17 冲突
 	// 不然的话，请求会不通的
 	// 解决的问题：在 k8s 中的  名叫 kubernetes 的 service ip 为
@@ -51,10 +54,11 @@ const (
 	//  }
 	//]
 	// 如果不创建 network，那么是无法请求到 这个 kubernetes 的 service 的
-	dockerInnerIPv4Pool = "223.255.0.100/16"
+	dockerInnerIPv4Pool = "198.18.0.100/16"
 
-	//The IPv6 address prefixes FE80::/10 and FF02::/16 are not routable
-	innerIPv6Pool = "efff:ffff:ffff:ffff:ffff:ffff:ffff:9999/64"
+	// 2001:2::/64 network is part of the 2001:2::/48 (reserved for benchmarking)
+	// https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
+	innerIPv6Pool = "2001:2::9999/64"
 
 	DefaultNetDir = "/etc/cni/net.d"
 
@@ -116,10 +120,23 @@ var (
 )
 
 func init() {
-	RouterIP, CIDR, _ = net.ParseCIDR(innerIPv4Pool)
-	RouterIP6, CIDR6, _ = net.ParseCIDR(innerIPv6Pool)
-	DockerRouterIP, DockerCIDR, _ = net.ParseCIDR(dockerInnerIPv4Pool)
-	dir, _ := os.UserHomeDir()
+	var err error
+	RouterIP, CIDR, err = net.ParseCIDR(innerIPv4Pool)
+	if err != nil {
+		panic(err)
+	}
+	RouterIP6, CIDR6, err = net.ParseCIDR(innerIPv6Pool)
+	if err != nil {
+		panic(err)
+	}
+	DockerRouterIP, DockerCIDR, err = net.ParseCIDR(dockerInnerIPv4Pool)
+	if err != nil {
+		panic(err)
+	}
+	dir, err := os.UserHomeDir()
+	if err != nil {
+		panic(err)
+	}
 	DaemonPath = filepath.Join(dir, HOME, Daemon)
 	HomePath = filepath.Join(dir, HOME)
 	PprofPath = filepath.Join(dir, HOME, Daemon, PProfDir)

pkg/core/gvisortunendpoint.go

@@ -97,7 +97,7 @@ func (h *gvisorTCPHandler) readFromTCPConnWriteToEndpoint(ctx context.Context, c
 		}
 
 		h.addRoute(src, conn)
-		// inner ip like 223.254.0.100/102/103 connect each other
+		// inner ip like 198.19.0.100/102/103 connect each other
 		if config.CIDR.Contains(dst) || config.CIDR6.Contains(dst) {
 			log.Tracef("[TUN-RAW] Forward to TUN device, SRC: %s, DST: %s, Length: %d", src.String(), dst.String(), read)
 			util.SafeWrite(h.packetChan, &datagramPacket{

pkg/core/route.go

@@ -27,9 +27,9 @@ type TCPUDPacket struct {
 }
 
 // Route example:
-// -L "tcp://:10800" -L "tun://:8422?net=223.254.0.100/16"
-// -L "tun:/10.233.24.133:8422?net=223.254.0.102/16&route=223.254.0.0/16"
-// -L "tun:/127.0.0.1:8422?net=223.254.0.102/16&route=223.254.0.0/16,10.233.0.0/16" -F "tcp://127.0.0.1:10800"
+// -L "tcp://:10800" -L "tun://:8422?net=198.19.0.100/16"
+// -L "tun:/10.233.24.133:8422?net=198.19.0.102/16&route=198.19.0.0/16"
+// -L "tun:/127.0.0.1:8422?net=198.19.0.102/16&route=198.19.0.0/16,10.233.0.0/16" -F "tcp://127.0.0.1:10800"
 type Route struct {
 	ServeNodes []string // -L tun
 	ChainNode  string   // -F tcp

pkg/daemon/daemon.go

@@ -99,7 +99,7 @@ func (o *SvrOption) Start(ctx context.Context) error {
 	grpc_health_v1.RegisterHealthServer(svr, health.NewServer())
 	defer cleanup()
 	reflection.Register(svr)
-	// [tun-client] 223.254.0.101 - 127.0.0.1:8422: dial tcp 127.0.0.1:55407: connect: can't assign requested address
+	// [tun-client] 198.19.0.101 - 127.0.0.1:8422: dial tcp 127.0.0.1:55407: connect: can't assign requested address
 	http.DefaultTransport.(*http.Transport).MaxIdleConnsPerHost = 100
 	// startup a http server
 	// With downgrading-capable gRPC server, which can also handle HTTP.

pkg/dev/docker_utils.go

@@ -90,7 +90,7 @@ func RunLogsSinceNow(name string, follow bool) error {
 }
 
 // CreateNetwork
-// docker create kubevpn-traffic-manager --labels owner=config.ConfigMapPodTrafficManager --subnet 223.255.0.0/16 --gateway 223.255.0.100
+// docker create kubevpn-traffic-manager --labels owner=config.ConfigMapPodTrafficManager --subnet 198.18.0.0/16 --gateway 198.18.0.100
 func CreateNetwork(ctx context.Context, name string) (string, error) {
 	args := []string{
 		"network",

pkg/handler/connect.go

@@ -905,6 +905,44 @@ func (c *ConnectOptions) upgradeDeploy(ctx context.Context) error {
 		_, err = polymorphichelpers.UpdatePodSpecForObjectFn(obj, func(spec *v1.PodSpec) error {
 			for i := range spec.Containers {
 				spec.Containers[i].Image = clientImg
+
+				// update tun cidr for vpn
+				if spec.Containers[i].Name == config.ContainerSidecarVPN {
+					innerIpv4CIDR := net.IPNet{IP: config.RouterIP, Mask: config.CIDR.Mask}
+					innerIpv6CIDR := net.IPNet{IP: config.RouterIP6, Mask: config.CIDR6.Mask}
+					envVars := []v1.EnvVar{
+						{
+							Name:  "CIDR4",
+							Value: config.CIDR.String(),
+						},
+						{
+							Name:  "CIDR6",
+							Value: config.CIDR6.String(),
+						},
+						{
+							Name:  config.EnvInboundPodTunIPv4,
+							Value: innerIpv4CIDR.String(),
+						},
+						{
+							Name:  config.EnvInboundPodTunIPv6,
+							Value: innerIpv6CIDR.String(),
+						},
+					}
+
+					for _, env := range envVars {
+						found := false
+						for j, existing := range spec.Containers[i].Env {
+							if existing.Name == env.Name {
+								spec.Containers[i].Env[j].Value = env.Value
+								found = true
+								break
+							}
+						}
+						if !found {
+							spec.Containers[i].Env = append(spec.Containers[i].Env, env)
+						}
+					}
+				}
 			}
 			return nil
 		})

pkg/inject/exchange.go

@@ -79,7 +79,7 @@ func AddContainer(spec *corev1.PodSpec, c util.PodRouteConfig) {
 		},
 		Command: []string{"/bin/sh", "-c"},
 		// https://www.netfilter.org/documentation/HOWTO/NAT-HOWTO-6.html#ss6.2
-		// for curl -g -6 [efff:ffff:ffff:ffff:ffff:ffff:ffff:999a]:9080/health or curl 127.0.0.1:9080/health hit local PC
+		// for curl -g -6 [2001:2::999a]:9080/health or curl 127.0.0.1:9080/health hit local PC
 		// output chain
 		// iptables -t nat -A OUTPUT -o lo ! -p icmp -j DNAT --to-destination ${LocalTunIPv4}
 		// ip6tables -t nat -A OUTPUT -o lo ! -p icmp -j DNAT --to-destination ${LocalTunIPv6}

pkg/util/networkpolicy_windows.go

@@ -96,7 +96,7 @@ func decode(in []byte) ([]byte, error) {
 // AddAllowFirewallRule
 // for ping local tun device ip, if not add this firewall, can not ping local tun IP on windows
 func AddAllowFirewallRule(ctx context.Context) {
-	// netsh advfirewall firewall add rule name=kubevpn-traffic-manager dir=in action=allow enable=yes remoteip=223.254.0.100/16,efff:ffff:ffff:ffff:ffff:ffff:ffff:9999/64,LocalSubnet
+	// netsh advfirewall firewall add rule name=kubevpn-traffic-manager dir=in action=allow enable=yes remoteip=198.19.0.100/16,2001:2::9999/64,LocalSubnet
 	cmd := exec.CommandContext(ctx, "netsh", []string{
 		"advfirewall",
 		"firewall",

pkg/util/util_test.go

@@ -65,8 +65,8 @@ func TestName(t *testing.T) {
 
 func TestPing(t *testing.T) {
 	defer util.Run()()
-	SrcIP := net.ParseIP("223.254.0.102").To4()
-	DstIP := net.ParseIP("223.254.0.100").To4()
+	SrcIP := net.ParseIP("198.19.0.102").To4()
+	DstIP := net.ParseIP("198.19.0.100").To4()
 
 	icmpLayer := layers.ICMPv4{
 		TypeCode: layers.CreateICMPv4TypeCode(layers.ICMPv4TypeEchoRequest, 0),

pkg/webhook/pods.go

@@ -72,7 +72,7 @@ func (h *admissionReviewHandler) handleCreate(ar v1.AdmissionReview) *v1.Admissi
 		return &v1.AdmissionResponse{UID: ar.Request.UID, Allowed: true}
 	}
 	// if create pod kubevpn-traffic-manager, just ignore it
-	// because 223.254.0.100 is reserved
+	// because 198.19.0.100 is reserved
 	if x, _, _ := net.ParseCIDR(value); config.RouterIP.Equal(x) {
 		return &v1.AdmissionResponse{UID: ar.Request.UID, Allowed: true}
 	}
@@ -163,7 +163,7 @@ func (h *admissionReviewHandler) handleDelete(ar v1.AdmissionReview) *v1.Admissi
 		return &v1.AdmissionResponse{Allowed: true}
 	}
 	// if delete pod kubevpn-traffic-manager, just ignore it
-	// because 223.254.0.100 is reserved
+	// because 198.19.0.100 is reserved
 	if x, _, _ := net.ParseCIDR(value); config.RouterIP.Equal(x) {
 		return &v1.AdmissionResponse{Allowed: true}
 	}