Don't masquerade for all outgoing traffic by default. (#18)

Don't masquerade for all outgoing traffic by default.

README.md

@@ -48,7 +48,7 @@ With the pki still in `$PWD/pki` we can create a new VPN user and grab the `.ovp
 ```
 # Generate VPN client credentials for CLIENTNAME without password protection; leave 'nopass' out to enter password
 $ docker run --user=$(id -u) -v $PWD:/etc/openvpn -ti ptlange/openvpn easyrsa build-client-full CLIENTNAME nopass
-$ docker run --user=$(id -u)-e OVPN_SERVER_URL=tcp://vpn.my.fqdn:1194 -v $PWD:/etc/openvpn --rm ptlange/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn
+$ docker run --user=$(id -u) -e OVPN_SERVER_URL=tcp://vpn.my.fqdn:1194 -v $PWD:/etc/openvpn --rm ptlange/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn
 ```
 
 `CLIENTNAME.ovpn` can now be used to connect to the cluster and interact with k8s services and pods directly. Whoohoo!

entrypoint.sh

@@ -50,7 +50,12 @@ OVPN_K8S_POD_NETWORK_ROUTE=$(getroute $OVPN_K8S_POD_NETWORK)
 
 envsubst < $OVPN_TEMPLATE > $OVPN_CONFIG
 
-iptables -t nat -A POSTROUTING -s ${OVPN_NETWORK} -o ${OVPN_NATDEVICE} -j MASQUERADE
+if [ $OVPN_DEFROUTE -gt 0 ]; then
+    iptables -t nat -A POSTROUTING -s ${OVPN_NETWORK} -o ${OVPN_NATDEVICE} -j MASQUERADE
+else
+    iptables -t nat -A POSTROUTING -s ${OVPN_NETWORK} -d $OVPN_K8S_POD_NETWORK -o ${OVPN_NATDEVICE} -j MASQUERADE
+    iptables -t nat -A POSTROUTING -s ${OVPN_NETWORK} -d $OVPN_K8S_SERVICE_NETWORK -o ${OVPN_NATDEVICE} -j MASQUERADE
+fi
 
 # Use client configuration directory if it exists.
 if [ -d "$OVPN_CCD" ]; then
@@ -76,8 +81,8 @@ if [ -r "$EASYRSA_PKI/crl.pem" ]; then
 fi
 
 if [ $DEBUG ]; then
-  echo "openvpn.conf:"
-  cat $OVPN_CONFIG
+    echo "openvpn.conf:"
+    cat $OVPN_CONFIG
 fi
 
 echo "$(date "+%a %b %d %H:%M:%S %Y") Running 'openvpn ${ARGS[@]} ${USER_ARGS[@]}'"