DEV.co
Open-Source DevOps · kubenetworks

kubevpn

KubeVPN is a Go-based CLI tool that creates a VPN tunnel from your local development machine into a Kubernetes cluster, enabling direct access to cluster services and pods by IP or DNS name. It runs a traffic manager pod in the cluster and uses a local TUN device to route traffic, eliminating the need to expose services externally during development.

Source: GitHub — github.com/kubenetworks/kubevpn
1.3k
GitHub stars
72
Forks
Go
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorykubenetworks/kubevpn
Ownerkubenetworks
Primary languageGo
LicenseMIT — OSI-approved
Stars1.3k
Forks72
Open issues1
Latest releasev2.11.0 (2026-07-05)
Last updated2026-07-06
Sourcehttps://github.com/kubenetworks/kubevpn

What kubevpn is

KubeVPN establishes a bidirectional VPN tunnel using a service mesh proxy architecture. It deploys a traffic manager pod (with xds and vpn containers) to the cluster, manages CIDR discovery from CNI and services, configures local routing and DNS resolution for Kubernetes service names, and intercepts inbound traffic destined for cluster resources. The tool requires root access to manage TUN devices on macOS/Linux.

Quickstart

Get the kubevpn source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/kubenetworks/kubevpn.gitcd kubevpn# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Local Kubernetes development without port-forwarding

Access cluster services directly by service name or IP from your local machine, eliminating tedious kubectl port-forward commands and simplifying integration testing workflows.

Running local services in a cluster-aware environment

Test or debug a locally-running microservice against live cluster dependencies with full network connectivity and DNS resolution, matching production network topology.

Multi-cluster or multi-namespace development

Connect to different namespaces or clusters, query services across boundaries, and develop against realistic network policies without modifying application code.

Implementation considerations

  • Requires RBAC permissions to create ServiceAccounts, Roles, RoleBindings, Deployments, and Services in the target namespace (default or user-specified).
  • Must have local administrator/root access on the dev machine to create and manage TUN network interfaces.
  • Supports kubectl krew plugin installation, standard package managers (brew, snap, scoop), and direct binary downloads—pick the distribution method matching your environment.
  • DNS resolution works for Kubernetes FQDN formats (e.g., service.namespace.svc.cluster.local) as well as short names if configured; verify cluster DNS service accessibility.
  • Traffic interception uses a service mesh approach; confirm no conflicting service mesh (Istio, Linkerd) policies or network policies block the kubevpn-traffic-manager pod.

When to avoid it — and what to weigh

  • Production traffic interception required — KubeVPN is designed for development/testing. Using it to intercept or proxy production traffic requires explicit security and compliance review.
  • Fully air-gapped or highly restricted network environments — The tool requires ability to deploy pods to the cluster and establish outbound tunnels. Strict egress filtering or policy may block operation.
  • Windows native support is not critical — Windows support is listed but installation is via Scoop/binaries. macOS and Linux have more mature package manager integration (brew, snap, krew).
  • Zero-trust or kernel-level network inspection required — KubeVPN requires elevated privileges (root/admin) to create and manage TUN devices, which may conflict with strict security posture requirements.

License & commercial use

MIT License (permissive open-source). Allows commercial use, modification, and distribution with no restrictions beyond attribution and liability disclaimers.

MIT is a standard OSI-approved permissive license with no restrictions on commercial deployment. No proprietary add-ons or commercial tiers are evident from the data. Internal commercial use, SaaS wrapping, or redistribution are permitted under MIT terms. Verify any custom modifications comply with MIT attribution if distributed.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityModerate
DEV.co fitStrong
Assessment confidenceHigh
Security considerations

KubeVPN requires elevated privileges (root/admin) on the local machine to create TUN devices—typical for VPN tooling but expands attack surface if the binary is compromised. No explicit security audit or threat model published. Network traffic between local machine and cluster is tunneled but encryption/TLS status unknown from the data; review architecture documentation. RBAC permissions are created in the namespace—ensure least-privilege review with cluster admins. No data on CVE history or security reporting process.

Alternatives to consider

Telepresence (Datawire)

Mature intercept-based proxy for Kubernetes dev, with volume mount support and IDE integration. More established but heavier footprint and commercial support options.

kt-connect

Listed in topics; similar tunnel concept for Kubernetes local dev. Lighter weight but smaller community compared to KubeVPN.

minikube / local Docker Desktop Kubernetes + kubectl port-forward

Simpler alternative for minimal setups (no cluster connectivity needed), but requires manual port management and loses cluster network realism.

Software development agency

Build on kubevpn with DEV.co software developers

Install KubeVPN via brew, snap, krew, or download the binary. Deploy the traffic manager to your cluster and start developing against live services in minutes.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

kubevpn FAQ

Do I need elevated privileges to use KubeVPN?
Yes. On macOS/Linux, the tool requires root access to create and manage TUN (tunnel) devices. On Windows, administrator privileges are required. This is typical for VPN tools.
Can I run KubeVPN against multiple clusters or namespaces simultaneously?
The data shows 'kubevpn status' displays a CURRENT connection marker and connection IDs, suggesting single active connection at a time. Switching between clusters requires disconnect and reconnect.
What happens if my cluster uses a service mesh like Istio?
Unknown from the data. KubeVPN deploys a traffic-manager pod with service mesh components (xds); verify compatibility with existing mesh policies and network policies. Review the architecture wiki.
Is this tool suitable for production traffic interception?
No. KubeVPN is explicitly designed for local development. Intercepting or proxying production traffic requires security review, compliance verification, and likely a dedicated enterprise solution.

Custom software development services

Adopting kubevpn is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source devops software in production.

Ready to streamline your Kubernetes dev workflow?

Install KubeVPN via brew, snap, krew, or download the binary. Deploy the traffic manager to your cluster and start developing against live services in minutes.