Most intranet services are brokered through auth.k-space.ee — VPN is rarely needed.
VPN access is provided for reaching management VLAN 23, which is where server management interfaces such as iLO and IPMI sit. You must have a reason to obtain VPN access.
We run an OpenVPN instance on TCP 443 and UDP 1194 on router2.k-space.ee. Erki A manually generates and hands out credentials.
Tailscale and a few other always-on VPNs conflict with the CGNAT IPv4 subnet (100.64.0.0/10), which is currently used in K-SPACE. Turn off Tailscale and reconnect (every time), or ask to redo the network.
The VPN is meant for remote access to the local networks. Don't route porn through the VPN.
Check 'Use this connection only for resources on its network' for both IPv4 and IPv6.
Check 'Use only for resources on this connection' for both IPv4 and IPv6. Access the dialogue via the 'Routes…' button. Don't forget to apply changes.
The 172.16.0.0/12 subnet is used in the K-SPACE internal network.
When using the VPN, these subnets are pushed to your local machine. This will clash with the local Docker bridge, which uses the same subnet.
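Edit /etc/docker/daemon.json and change the default address pool (the key is default-address-pools; size is the prefix length of each network allocated from base):
{
  "default-address-pools": [
    {"base": "10.32.0.0/16", "size": 24}
  ]
}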
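To see which local interfaces overlap the two K-SPACE ranges named above before connecting, the following added example (not part of the original page or K-SPACE tooling) parses `ip -o -4 addr show` output. The function name, the sample lines and the fallback to the sample are assumptions made for illustration.

```python
import ipaddress
import subprocess

# Ranges this page names as in use inside K-SPACE.
KSPACE_RANGES = {
    "CGNAT": ipaddress.ip_network("100.64.0.0/10"),
    "internal": ipaddress.ip_network("172.16.0.0/12"),
}

def find_conflicts(addr_lines):
    """Return (interface, local_network, range_name) for every overlap.

    addr_lines: lines in the format printed by `ip -o -4 addr show`.
    """
    conflicts = []
    for line in addr_lines:
        fields = line.split()
        # Expected layout: "<idx>:", "<ifname>", "inet", "<addr>/<prefix>", ...
        if len(fields) < 4 or fields[2] != "inet":
            continue
        try:
            local = ipaddress.ip_interface(fields[3]).network
        except ValueError:
            continue  # skip anything that is not a valid address/prefix
        for name, kspace in KSPACE_RANGES.items():
            if local.overlaps(kspace):
                conflicts.append((fields[1], str(local), name))
    return conflicts

# Constructed sample input (not captured from a real machine).
SAMPLE = [
    "1: lo    inet 127.0.0.1/8 scope host lo",
    "2: wlan0    inet 192.168.1.23/24 brd 192.168.1.255 scope global wlan0",
    "3: docker0    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0",
    "4: tailscale0    inet 100.101.102.103/32 scope global tailscale0",
]

if __name__ == "__main__":
    # Run this before connecting, so the VPN's own interface is not listed.
    try:
        lines = subprocess.run(["ip", "-o", "-4", "addr", "show"], check=True,
                               capture_output=True, text=True).stdout.splitlines()
    except (OSError, subprocess.CalledProcessError):
        lines = SAMPLE  # fall back to the constructed sample
    for iface, net, name in find_conflicts(lines):
        print(f"{iface}: {net} overlaps K-SPACE {name} range {KSPACE_RANGES[name]}")
```

After moving Docker to the 10.32.0.0/16 pool, docker0 should no longer appear in the output.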