Development discussion of WireGuard
From: Nico Schottelius <nico.schottelius@ungleich.ch>
To: WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: Wireguard as a Kubernetes Service
Date: Mon, 09 Aug 2021 14:34:43 +0200	[thread overview]
Message-ID: <87sfzire3g.fsf@ungleich.ch> (raw)


Hello dear WG mailing list,

I am interested in running wireguard servers (as in endpoints) inside a
kubernetes cluster. I have two different approaches and was wondering
what makes more sense:

1) Wireguard in kernel on every participating node

Assuming that the kernel module is loaded on the host and that a k8s pod
just sets the VPN configuration, every node that hosts the wireguard
service would need to be configured.

Given that a pod is privileged, this might work with a single instance
service that is only terminated on one node. I assume the usual roaming
problems apply so that only 1 node could host that service.

One problem I see here is that the host will have fragments left, even
if the pod is moved to another node. It might be possible to catch this
using finalizers.

The biggest "problem" I see is that the actual node becomes the VPN
endpoint and not really the pod.

2) User space client

Is there still any Linux user space client that could be used instead?
Performance is not the most critical point of running wireguard as a
service inside k8s, but more the ease of maintenance.

I see these two options; does anyone have a better idea on how to move
the VPN endpoints into a k8s cluster?

Best regards,

Nico


--
Sustainable and modern Infrastructures by ungleich.ch
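What approach 1 from the message above looks like as a concrete manifest, added here as an example; it is not code from the poster or from the WireGuard or Kubernetes projects. It assumes the `wireguard` kernel module is already loaded on the node, that nodes where that is true carry a `wireguard=true` label (an assumed label name), that the container image (`example.invalid/wireguard-tools` is a placeholder) ships `wg` and `ip`, and that a Secret named `wg-config` holds a `wg0.conf` in `wg(8)` setconf format (PrivateKey, ListenPort, Peer entries; no wg-quick keys such as Address). The tunnel address 10.100.0.1/24 is likewise made up for the example.

```yaml
# Added example: kernel WireGuard driven from a pod, one instance per cluster.
# Names, image, label and addresses are assumptions, not values from the post.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wg-endpoint
spec:
  replicas: 1            # only one node can own the endpoint at a time
  strategy:
    type: Recreate       # never have two copies claiming wg0 and the listen port
  selector:
    matchLabels: {app: wg-endpoint}
  template:
    metadata:
      labels: {app: wg-endpoint}
    spec:
      hostNetwork: true           # wg0 is created in the node's network namespace
      nodeSelector:
        wireguard: "true"         # assumed label marking nodes with the module loaded
      containers:
      - name: wg
        image: example.invalid/wireguard-tools:latest   # placeholder image
        securityContext:
          capabilities:
            add: ["NET_ADMIN"]    # sufficient for ip/wg; avoids privileged: true
        command: ["/bin/sh", "-c"]
        args:
        - |
          set -e
          # idempotent: reuse a wg0 left behind by an earlier pod instead of failing
          ip link add dev wg0 type wireguard 2>/dev/null || true
          wg setconf wg0 /etc/wireguard/wg0.conf
          ip address replace 10.100.0.1/24 dev wg0
          ip link set up dev wg0
          exec tail -f /dev/null
        lifecycle:
          preStop:
            exec:
              # graceful stop: remove the host-side interface before the pod goes away
              command: ["ip", "link", "del", "dev", "wg0"]
        volumeMounts:
        - name: wg-config
          mountPath: /etc/wireguard
          readOnly: true
      volumes:
      - name: wg-config
        secret:
          secretName: wg-config   # key wg0.conf, wg(8) setconf format
          defaultMode: 0400
```

Two caveats a practitioner should keep in mind with this shape. The `preStop` hook only runs on graceful termination; if the node or kubelet dies, `wg0` stays behind on the host together with the private key that `wg setconf` loaded into the kernel, which is exactly the leftover the message describes, and clearing it from the eviction path needs a controller-side mechanism such as the finalizer the message mentions. Also, because the pod runs with `hostNetwork`, the node itself is the VPN endpoint, and any other process on that node holding `CAP_NET_ADMIN` can read the interface's private key back with `wg showconf wg0`, so the key is only as protected as the node.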

Thread overview: [no followups]
