A production-ready Helm chart for deploying Twingate to create Exit Networks in any Kubernetes cluster.
⚠️ Internal Use Only: This project can only be used for personal or internal use. Please do not use this project or Twingate to offer a commercial VPN service. Also note that bandwidth usage through Twingate infrastructure is subject to Twingate's Fair Use Policy.
This Helm chart is designed as a standalone, reusable component that can be deployed to any Kubernetes cluster to create Twingate Exit Networks. It leverages the official Twingate Kubernetes operator to manage Connector lifecycle and provides enterprise-ready defaults.
```
┌─────────────────────────────────┐
│       Kubernetes Cluster        │
│                                 │
│ ┌─────────────────────────────┐ │
│ │     twingate namespace      │ │
│ │                             │ │
│ │   ┌─────────────────────┐   │ │
│ │   │  Twingate Operator  │   │ │
│ │   │ (from OCI registry) │   │ │
│ │   └─────────────────────┘   │ │
│ │              │              │ │
│ │              ▼              │ │
│ │   ┌─────────────────────┐   │ │
│ │   │  TwingateConnector  │   │ │
│ │   │        (CRD)        │   │ │
│ │   └─────────────────────┘   │ │
│ │              │              │ │
│ │              ▼              │ │
│ │   ┌─────────────────────┐   │ │
│ │   │  Connector Pod(s)   │   │ │
│ │   │   (auto-managed)    │   │ │
│ │   └─────────────────────┘   │ │
│ └─────────────────────────────┘ │
└─────────────────────────────────┘
```
- ✅ Universal Compatibility: Works with any Kubernetes cluster (cloud or on-premises)
- ✅ Official Integration: Uses Twingate's official Kubernetes operator
- ✅ Zero Configuration: Sensible defaults with minimal required configuration
- ✅ Highly Configurable: Extensive customization options via Helm values
- ✅ GitOps Friendly: Declarative configuration suitable for CI/CD pipelines
- ✅ Multi-Tenancy: Support for namespace restrictions and RBAC

- Kubernetes: v1.19+ (tested up to v1.28)
- Helm: v3.8+
- Network Access: Cluster must reach Twingate cloud services (*.twingate.com)
- Twingate Home or other subscription plan that includes Exit Networks (not available on Starter plan)
- Twingate Account: Admin access to create API tokens
- Twingate Network: Your tenant name (e.g., company.twingate.com → company)
- Twingate API Key: Generated from Admin Console → Settings → API
- Remote Network ID: Created in Twingate Admin Console (or use existing)

```bash
git clone https://github.com/Twingate-Community/diy-vpn.git
cd diy-vpn/helm

# Download the Twingate operator chart
helm dependency update
```

Create your values.yaml from the example:

```bash
cp values.example.yaml values.yaml
```

Edit values.yaml with your Twingate configuration:

```yaml
twingate-operator:
  twingateOperator:
    network: "your-company"               # https://{network}.twingate.com
    apiKey: "your_twingate_api_key_here"  # https://{network}.twingate.com/settings/api
    remoteNetworkId: ""                   # https://{network}.twingate.com/exit-networks/{remoteNetworkId}
    logFormat: "json"                     # Optional: json or text
    logVerbosity: "info"                  # Optional: debug, info, warn, error
```

```bash
# Install to current cluster
helm install diy-vpn . \
  --namespace twingate \
  --create-namespace \
  --values values.yaml

# Or specify custom release name and namespace
helm install my-vpn-exit . \
  --namespace my-vpn \
  --create-namespace \
  --values values.yaml
```

```bash
# Check deployment status
helm status diy-vpn -n twingate

# Verify operator is running
kubectl get pods -n twingate

# Check connector resource
kubectl get twingateconnectors -n twingate

# View operator logs
kubectl logs -l app.kubernetes.io/name=twingate-operator -n twingate
```

| Parameter | Description | Example | Notes |
|---|---|---|---|
| `network` | Twingate tenant name | `"mycompany"` | From mycompany.twingate.com |
| `apiKey` | Twingate API token | `"wUsHFayeWt..."` | From Admin Console → Settings → API |
| `remoteNetworkId` | Exit network ID | `"UmVtb3RlT..."` | Select an Exit Network and copy the ID from the URL |

| Parameter | Description | Default | Options |
|---|---|---|---|
| `logFormat` | Log output format | `"json"` | `"json"`, `"text"` |
| `logVerbosity` | Logging level | `"info"` | `"debug"`, `"info"`, `"warn"`, `"error"` |
| `namespaces` | Operator scope | `[]` (all) | Array of namespace patterns |

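
Because values.yaml carries the Twingate API key in clear text, a pre-flight check before `helm install` can catch unedited placeholders from values.example.yaml and a file that other local users can read. The script below is an added example, not part of this chart; the function names `yaml_value` and `check_values` and the `chmod 600` policy are assumptions.

```bash
#!/bin/sh
# Added example (not part of the chart): pre-flight check for values.yaml.
# yaml_value, check_values and the chmod 600 policy are assumptions.

# Print the scalar for "key:" with trailing comment and quotes removed.
yaml_value() {
  sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" "$2" | head -n 1 |
    sed -e 's/^#.*$//' -e 's/[[:space:]][[:space:]]*#.*$//' \
        -e 's/[[:space:]]*$//' \
        -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Return 0 when the file is fit to pass to helm, 1 on any finding,
# 2 when it cannot be read. The API key itself is never printed.
check_values() {
  f=$1
  rc=0
  [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
  network=$(yaml_value network "$f")
  api_key=$(yaml_value apiKey "$f")
  remote_id=$(yaml_value remoteNetworkId "$f")

  case $network in
    ''|your-company) echo "network: unset or example placeholder" >&2; rc=1 ;;
    *.twingate.com*) echo "network: use the tenant name, not the hostname" >&2; rc=1 ;;
  esac
  case $api_key in
    ''|your_twingate_api_key_here) echo "apiKey: unset or example placeholder" >&2; rc=1 ;;
  esac
  [ -n "$remote_id" ] || { echo "remoteNetworkId: empty" >&2; rc=1; }

  # values.yaml holds the API key in clear text: flag group/world read bits.
  if [ -n "$(find "$f" -prune \( -perm -040 -o -perm -004 \) -print)" ]; then
    echo "$f: readable by group or others, run chmod 600" >&2
    rc=1
  fi
  return "$rc"
}

# Usage:
#   check_values values.yaml && \
#     helm install diy-vpn . -n twingate --create-namespace --values values.yaml
```
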

```bash
# Standard installation
helm install diy-vpn . -f values.yaml -n twingate --create-namespace

# Installation with custom release name
helm install my-vpn-exit . -f values.yaml -n my-namespace --create-namespace

# Dry run to test configuration
helm install diy-vpn . -f values.yaml -n twingate --dry-run --debug
```

```bash
# Update dependencies first
helm dependency update

# Upgrade existing release
helm upgrade diy-vpn . -f values.yaml -n twingate

# Upgrade with new values
helm upgrade diy-vpn . -f values-new.yaml -n twingate

# Rollback if needed
helm rollback diy-vpn 1 -n twingate
```

```bash
# Remove Helm release
helm uninstall diy-vpn -n twingate

# Clean up remaining resources (if needed)
kubectl delete twingateconnectors --all -n twingate
kubectl delete namespace twingate
```

| Issue | Symptoms | Solution |
|---|---|---|
| Operator CrashLoopBackOff | Pod keeps restarting | Check API credentials, network connectivity |
| Connector Not Created | No TwingateConnector resource | Check operator logs, verify RBAC permissions |
| Connector Offline | Shows offline in Twingate Console | Check remote network ID, API token permissions |
| High Resource Usage | Pod using excessive CPU/memory | Adjust resource limits, check for memory leaks |
| Image Pull Errors | Can't pull operator image | Check network connectivity, image registry access |
🎉 Success! You now have a production-ready, reusable Helm chart for deploying Twingate Exit Networks to any Kubernetes cluster.