kubevpn
KubeVPN is a Go-based CLI tool that creates a VPN tunnel from your local development machine into a Kubernetes cluster, enabling direct access to cluster services and pods by IP or DNS name. It runs a traffic manager pod in the cluster and uses a local TUN device to route traffic, eliminating the need to expose services externally during development.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | kubenetworks/kubevpn |
| Owner | kubenetworks |
| Primary language | Go |
| License | MIT — OSI-approved |
| Stars | 1.3k |
| Forks | 72 |
| Open issues | 1 |
| Latest release | v2.11.0 (2026-07-05) |
| Last updated | 2026-07-06 |
| Source | https://github.com/kubenetworks/kubevpn |
What kubevpn is
KubeVPN establishes a bidirectional VPN tunnel using a service mesh proxy architecture. It deploys a traffic manager pod (with xds and vpn containers) to the cluster, manages CIDR discovery from CNI and services, configures local routing and DNS resolution for Kubernetes service names, and intercepts inbound traffic destined for cluster resources. The tool requires root access to manage TUN devices on macOS/Linux.
Get the kubevpn source
Clone the repository and explore it locally.
git clone https://github.com/kubenetworks/kubevpn.gitcd kubevpn# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Requires RBAC permissions to create ServiceAccounts, Roles, RoleBindings, Deployments, and Services in the target namespace (default or user-specified).
- Must have local administrator/root access on the dev machine to create and manage TUN network interfaces.
- Supports kubectl krew plugin installation, standard package managers (brew, snap, scoop), and direct binary downloads—pick the distribution method matching your environment.
- DNS resolution works for Kubernetes FQDN formats (e.g., service.namespace.svc.cluster.local) as well as short names if configured; verify cluster DNS service accessibility.
- Traffic interception uses a service mesh approach; confirm no conflicting service mesh (Istio, Linkerd) policies or network policies block the kubevpn-traffic-manager pod.
When to avoid it — and what to weigh
- Production traffic interception required — KubeVPN is designed for development/testing. Using it to intercept or proxy production traffic requires explicit security and compliance review.
- Fully air-gapped or highly restricted network environments — The tool requires ability to deploy pods to the cluster and establish outbound tunnels. Strict egress filtering or policy may block operation.
- Windows native support is not critical — Windows support is listed but installation is via Scoop/binaries. macOS and Linux have more mature package manager integration (brew, snap, krew).
- Zero-trust or kernel-level network inspection required — KubeVPN requires elevated privileges (root/admin) to create and manage TUN devices, which may conflict with strict security posture requirements.
License & commercial use
MIT License (permissive open-source). Allows commercial use, modification, and distribution with no restrictions beyond attribution and liability disclaimers.
MIT is a standard OSI-approved permissive license with no restrictions on commercial deployment. No proprietary add-ons or commercial tiers are evident from the data. Internal commercial use, SaaS wrapping, or redistribution are permitted under MIT terms. Verify any custom modifications comply with MIT attribution if distributed.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Moderate |
| DEV.co fit | Strong |
| Assessment confidence | High |
KubeVPN requires elevated privileges (root/admin) on the local machine to create TUN devices—typical for VPN tooling but expands attack surface if the binary is compromised. No explicit security audit or threat model published. Network traffic between local machine and cluster is tunneled but encryption/TLS status unknown from the data; review architecture documentation. RBAC permissions are created in the namespace—ensure least-privilege review with cluster admins. No data on CVE history or security reporting process.
Alternatives to consider
Telepresence (Datawire)
Mature intercept-based proxy for Kubernetes dev, with volume mount support and IDE integration. More established but heavier footprint and commercial support options.
kt-connect
Listed in topics; similar tunnel concept for Kubernetes local dev. Lighter weight but smaller community compared to KubeVPN.
minikube / local Docker Desktop Kubernetes + kubectl port-forward
Simpler alternative for minimal setups (no cluster connectivity needed), but requires manual port management and loses cluster network realism.
Build on kubevpn with DEV.co software developers
Install KubeVPN via brew, snap, krew, or download the binary. Deploy the traffic manager to your cluster and start developing against live services in minutes.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
kubevpn FAQ
Do I need elevated privileges to use KubeVPN?
Can I run KubeVPN against multiple clusters or namespaces simultaneously?
What happens if my cluster uses a service mesh like Istio?
Is this tool suitable for production traffic interception?
Custom software development services
Adopting kubevpn is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source devops software in production.
Ready to streamline your Kubernetes dev workflow?
Install KubeVPN via brew, snap, krew, or download the binary. Deploy the traffic manager to your cluster and start developing against live services in minutes.