ungleich-k8s/apps/wireguard/README.md


WireGuard test

This is a test of whether WireGuard-as-a-service can be provided inside k8s: a pod runs a WireGuard interface and an external client connects to it through a Kubernetes Service.

Configuration on the pod

Run inside the pod (Alpine based; wg-quick and the ip commands need NET_ADMIN):

apk update
apk add wireguard-tools tcpdump
cat > /etc/wireguard/wg0.conf <<EOF
[Interface]
ListenPort = 51820
PrivateKey = wNTbdLXXQVynFAqIqXuqbwul7O00kuqgzajeK7/NoUw=

[Peer]
PublicKey = J3qrhOP6GjRC8qOdKiKcAYMXKdiTliBBbJgNpz8sUQI=
AllowedIPs = 2a0a:e5c1:101::/48
EOF
wg-quick up wg0
# the config has no Address line, so the tunnel address is added by hand
ip addr add 2a0a:e5c3::42/32 dev wg0
# watch the handshake packets arrive on the pod's network interface
tcpdump -ni eth0 port 51820

AllowedIPs on the pod side is the prefix the client may use as source inside the tunnel; return traffic for that prefix is routed to the client. wg-quick warns if wg0.conf is readable by others, so chmod 600 it. The private keys in this and the client config below are throwaway test keys: they are published in this README, so anyone can impersonate either peer with them. For anything beyond this test, generate fresh ones with wg genkey | tee private.key | wg pubkey.

On the client

Configuration of the client-side interface (named k8s in the wg show output below); on a wg-quick system this is /etc/wireguard/k8s.conf:

[Interface]
PrivateKey = YIhBmmE+D8NwSUijXv2Jw8FazNI73BEM9ApzAfJ9Zms=
ListenPort = 51820
# the client's address inside the tunnel, within the /48 the pod accepts
Address = 2a0a:e5c1:101::42/48

[Peer]
PublicKey = ohMbdXf+eQQyiFFyJq+a8NMxV3pgFzjgPYcTD/T+qzs=
# DNS name of the Kubernetes Service that exposes the pod's UDP port 51820
Endpoint = wireguard4.default.svc.c2.k8s.ooo:51820
# routes this prefix into the tunnel and accepts it as source from the pod
AllowedIPs = 2a0a:e5c3::/32
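The two configs above hard-code keys that are now public. As an added example (not from the ungleich-k8s repo), the following script generates a fresh key pair per side with wg genkey and wg pubkey, renders both configs with the same addresses, AllowedIPs and Service endpoint as above, and writes them with owner-only permissions. It puts an Address line into the pod config so that wg-quick up assigns the tunnel address itself, and adds PersistentKeepalive on the client for the case where the client sits behind NAT. The output directory ./wg-test, the file name k8s.conf and the keepalive value are assumptions.

```shell
#!/bin/sh
# Added example, not part of the ungleich-k8s repo.  Generates throwaway keys
# for the pod and the client and renders the two wg-quick configs used above.
# Assumes wireguard-tools (wg, wg-quick) is installed, as done with apk above.

OUT="${OUT:-./wg-test}"                 # assumed output directory
PORT=51820
POD_ADDR="2a0a:e5c3::42/32"             # pod's address inside the tunnel
CLIENT_ADDR="2a0a:e5c1:101::42/48"      # client's address inside the tunnel
POD_ALLOWED="2a0a:e5c1:101::/48"        # source prefix the pod accepts from the client
CLIENT_ALLOWED="2a0a:e5c3::/32"         # prefix the client routes into the tunnel
ENDPOINT="wireguard4.default.svc.c2.k8s.ooo:51820"   # the k8s Service in front of the pod

# render_pod_conf POD_PRIVATE_KEY CLIENT_PUBLIC_KEY -> wg0.conf on stdout
render_pod_conf() {
    printf '[Interface]\nListenPort = %s\nPrivateKey = %s\nAddress = %s\n\n' \
        "$PORT" "$1" "$POD_ADDR"
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = %s\n' "$2" "$POD_ALLOWED"
}

# render_client_conf CLIENT_PRIVATE_KEY POD_PUBLIC_KEY -> k8s.conf on stdout
render_client_conf() {
    printf '[Interface]\nPrivateKey = %s\nListenPort = %s\nAddress = %s\n\n' \
        "$1" "$PORT" "$CLIENT_ADDR"
    # PersistentKeepalive keeps a NAT mapping open; harmless without NAT
    printf '[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = %s\nPersistentKeepalive = 25\n' \
        "$2" "$ENDPOINT" "$CLIENT_ALLOWED"
}

# conf_value FILE KEY -> the value of the first "KEY = value" line in a wg-quick config
conf_value() {
    sed -n "s/^$2 *= *//p" "$1" | head -n 1
}

if command -v wg >/dev/null 2>&1; then
    umask 077                           # both files contain a private key
    mkdir -p "$OUT"
    POD_PRIV=$(wg genkey);    POD_PUB=$(echo "$POD_PRIV" | wg pubkey)
    CLIENT_PRIV=$(wg genkey); CLIENT_PUB=$(echo "$CLIENT_PRIV" | wg pubkey)
    render_pod_conf "$POD_PRIV" "$CLIENT_PUB" > "$OUT/wg0.conf"
    render_client_conf "$CLIENT_PRIV" "$POD_PUB" > "$OUT/k8s.conf"
    echo "pod    public key: $(conf_value "$OUT/k8s.conf" PublicKey)"
    echo "client public key: $(conf_value "$OUT/wg0.conf" PublicKey)"
    echo "copy $OUT/wg0.conf to /etc/wireguard/ in the pod and run: wg-quick up wg0"
else
    echo "wg not found; install wireguard-tools to generate keys" >&2
fi
```

After bringing up both sides, wg show wg0 public-key on the pod must print the same key as PublicKey in the client's [Peer] section; if the two differ, the handshake never completes and wg show reports no latest handshake at all.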

Result

Working: ping from the client (nb3) to the pod's tunnel address 2a0a:e5c3::42:

[12:01] nb3:~% ping -c3 2a0a:e5c3::42
PING 2a0a:e5c3::42(2a0a:e5c3::42) 56 data bytes
64 bytes from 2a0a:e5c3::42: icmp_seq=1 ttl=64 time=13.2 ms
64 bytes from 2a0a:e5c3::42: icmp_seq=2 ttl=64 time=13.3 ms
64 bytes from 2a0a:e5c3::42: icmp_seq=3 ttl=64 time=13.8 ms

--- 2a0a:e5c3::42 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 13.195/13.409/13.751/0.244 ms
[12:01] nb3:~%

On the pod:

/ # wg show
interface: wg0
  public key: ohMbdXf+eQQyiFFyJq+a8NMxV3pgFzjgPYcTD/T+qzs=
  private key: (hidden)
  listening port: 51820

peer: J3qrhOP6GjRC8qOdKiKcAYMXKdiTliBBbJgNpz8sUQI=
  endpoint: [2a0a:e5c0:13:0:225:b3ff:fe20:383c]:11017
  allowed ips: 2a0a:e5c1:101::/48
  latest handshake: 26 seconds ago
  transfer: 35.40 KiB received, 32.93 KiB sent
/ #

Note that the pod records the client's endpoint with port 11017 although the client listens on 51820, so the client's packets are apparently port-translated on the way in. WireGuard copes with that because it updates a peer's endpoint from the source address of the latest authenticated packet.

On the client:

interface: k8s
  public key: J3qrhOP6GjRC8qOdKiKcAYMXKdiTliBBbJgNpz8sUQI=
  private key: (hidden)
  listening port: 51820

peer: ohMbdXf+eQQyiFFyJq+a8NMxV3pgFzjgPYcTD/T+qzs=
  endpoint: [2a0a:e5c0:13:e2::ba58]:51820
  allowed ips: 2a0a:e5c3::/32
  latest handshake: 46 seconds ago
  transfer: 32.93 KiB received, 35.40 KiB sent

Missing

  • ~~Receiving traffic inside wg0~~: works
  • ~~Different IPv6 address~~: works
  • ~~IPv4 outside~~: via Jool (NAT64) or an external gateway
  • Keeping the pod alive (the setup above is done by hand from a shell in the pod)
  • Routing / network delegation for the range
  • Configuration definition: helm chart?
  • uncloud integration:
    • git repo (?)
    • VPN server definition
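Keeping the pod alive covers two things: the pod needs a long-running process, and Kubernetes needs a way to tell whether the tunnel still works. As an added example (not from the ungleich-k8s repo), the following probe script fails when no peer has completed a handshake recently. It reads wg show IFACE latest-handshakes, which prints one line per peer with the peer's public key and the unix time of its last handshake (0 if never). The script path /probe.sh, the 300 s threshold and the second demo peer are assumptions.

```shell
#!/bin/sh
# Added example, not part of the ungleich-k8s repo: a handshake-based health
# check for the WireGuard pod.  `wg show IFACE latest-handshakes` prints one
# line per peer, "<peer public key><TAB><unix time of last handshake>" (0 if
# never).  Assumes wireguard-tools and busybox sh/awk, as installed above.
WG_IFACE="${WG_IFACE:-wg0}"
MAX_AGE="${MAX_AGE:-300}"   # assumed threshold; with traffic flowing WireGuard re-handshakes about every 2 minutes

# newest_handshake HANDSHAKE_LINES -> unix time of the most recent handshake, 0 if none
newest_handshake() {
    printf '%s\n' "$1" | awk 'BEGIN { m = 0 } ($2 + 0) > m { m = $2 + 0 } END { print m }'
}

# handshake_fresh HANDSHAKE_LINES NOW -> exit status 0 if some peer handshook within MAX_AGE
handshake_fresh() {
    newest=$(newest_handshake "$1")
    [ "$newest" -gt 0 ] && [ $(( $2 - newest )) -le "$MAX_AGE" ]
}

case "${1:-demo}" in
probe)
    # Kubernetes: exec probe with command ["/bin/sh", "/probe.sh", "probe"] (path assumed)
    handshake_fresh "$(wg show "$WG_IFACE" latest-handshakes 2>/dev/null)" "$(date +%s)"
    exit $?
    ;;
demo)
    # Constructed sample output, not captured from the pod: the client peer from
    # the configs above handshook 26 s ago, a second (made-up) peer never did.
    now=1700000000
    sample=$(printf 'J3qrhOP6GjRC8qOdKiKcAYMXKdiTliBBbJgNpz8sUQI=\t%s\nMADEUPSECONDPEERPUBLICKEYXXXXXXXXXXXXXXXXXXX=\t0\n' "$((now - 26))")
    if handshake_fresh "$sample" "$now"; then
        echo "alive: newest handshake $((now - $(newest_handshake "$sample"))) s ago"
    else
        echo "dead: no handshake within ${MAX_AGE} s"
    fi
    ;;
esac
```

A handshake only happens when a peer actually sends traffic, so an idle pod with no connected clients would fail this check; use it as a readinessProbe, or as a livenessProbe only where at least one peer (a monitoring client, for instance) is expected to be up permanently. For plain liveness of the process, wg show "$WG_IFACE" succeeding is enough.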

Routing / delegation

  • Also via wg
  • Via external VPN