The VPN is dead long live the.....
For those who have not heard of Twingate, which until about 24 hours ago included me, is a company looking to rid The World of VPNs. As someone who has setup a few over the years I was immediately drawn to this new product which stated:
Replace corporate VPNs with a more secure, usable and performant zero trust access solution
Well i'm sold! Let's dive in!
Firstly if you haven't already got a Civo K3s account, i'll forgive you just this once, head over to Civo to join the KUBE100 BETA and get $70 credit each month! Amazing right!
From this point on I'm assuming you're all setup on Civo, have kubectl installed and can connect to the cluster.
Twingate Account Setup
Setting up an account is pretty painless, there is a free tier for personal use and testing Sign up here.
Once you have your account you need to create a network:
Click to add a new network:
Name your new network:
Once you have a network we want to create a connector in that network:
Next generate a token:
You will then need to authenticate again and you should see the docker script.
Now copy and paste this to a text file as you will need the values to populate your manifest. You can close this screen.
For the purpose of this demo i'll just create a pod, but you can obviously use a deployment here.
Copy and paste the below template to a new file called twingate.yml populating the fields labeled ENTER HERE with the values you copied earlier.
apiVersion: v1 kind: Pod metadata: name: ENTER HERE spec: containers: - env: - name: TWINGATE_URL value: ENTER HERE - name: TWINGATE_ACCESS_TOKEN value: ENTER HERE - name: TWINGATE_REFRESH_TOKEN value: ENTER HERE - name: LOG_LEVEL value: "3" image: twingate/connector:1 imagePullPolicy: Always name: connector resources: requests: cpu: 50m memory: 1G restartPolicy: Always
Now let's apply this manifest:
kubectl apply -f twingate.yml
Now going back to the Twingate console you should see in a few seconds your connector is available:
Now we need to create a resource, click the add resource button you can fill in some details of an internal service. In my example it's a Grafana service:
As you will notice you can use DNS records or IP addresses here.
After a couple of minutes the resource will show green:
This means all is well and we can move onto the remote connection:
You can download the correct application for you device from here
Once you have it downloaded, open the app and authenticate using your credentials.
Once it shows as connected you can try accessing your resource:
It takes a minute or so to register so if it doesn't work immediately just wait a little while
Viola! You now have remote access into a single specific service in your K3s cluster. You can obviously expand this to more services or subnets if you like.