Development discussion of WireGuard
* Wireguard as a Kubernetes Service
@ 2021-08-09 12:34 Nico Schottelius
From: Nico Schottelius @ 2021-08-09 12:34 UTC (permalink / raw)
  To: WireGuard mailing list


Hello dear WG mailing list,

I am interested in running wireguard servers (as in endpoints) inside a
kubernetes cluster. I have two different approaches and was wondering
what makes more sense:

1) Wireguard in kernel on every participating node

Assuming that the kernel module is loaded on the host and that a k8s pod
just sets the VPN configuration, every node that hosts the wireguard
service would need to be configured.

Given that a pod is privileged, this might work with a single instance
service that is only terminated on one node. I assume the usual roaming
problems apply so that only 1 node could host that service.

One problem I see here is that the host will have fragments left, even
if the pod is moved to another node. This might be possible to catch using
finalizers.

The biggest "problem" I see is that the actual node becomes the VPN
endpoint and not really the pod.

2) User space client

Is there still any Linux user space client that could be used instead?
Performance is not the most critical point of running wireguard as a
service inside k8s, but more the ease of maintenance.

I see these two options; does anyone have a better idea on how to move
the vpn endpoints into a k8s cluster?

Best regards,

Nico


--
Sustainable and modern Infrastructures by ungleich.ch
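An added example (not part of the original post) sketching option 1 as a single-replica Deployment: the pod configures a WireGuard interface in the host network namespace with only the NET_ADMIN capability rather than full privileged mode, and tears the interface down on termination so no fragments stay behind when the pod moves. It assumes the host kernel has the wireguard module loaded, a container image that ships wg-quick (placeholder name below), and a Secret named "wg0-config" holding a wg-quick configuration under the key "wg0.conf".

```yaml
# Added example, not code from the original post. Assumptions: wireguard
# module loaded on the host, an image providing wg-quick (placeholder),
# and a Secret "wg0-config" with key "wg0.conf".
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wireguard-endpoint
spec:
  replicas: 1                  # exactly one node terminates the tunnel
  strategy:
    type: Recreate             # old pod is gone before a new node takes over
  selector:
    matchLabels: {app: wireguard-endpoint}
  template:
    metadata:
      labels: {app: wireguard-endpoint}
    spec:
      hostNetwork: true        # wg0 is created in the host's network namespace
      terminationGracePeriodSeconds: 30
      containers:
      - name: wireguard
        image: IMAGE-WITH-WIREGUARD-TOOLS   # placeholder, not a real image name
        command: ["/bin/sh", "-c"]
        args:
        - |
          set -e
          wg-quick up /etc/wireguard/wg0.conf
          # Remove the host-side interface and routes when the pod is stopped,
          # so nothing is left on the node after a reschedule.
          trap 'wg-quick down /etc/wireguard/wg0.conf; exit 0' TERM INT
          while true; do sleep 3600 & wait $!; done
        securityContext:
          capabilities:
            drop: ["ALL"]
            add: ["NET_ADMIN"]   # enough to create/configure wg0; no privileged: true
        volumeMounts:
        - name: config
          mountPath: /etc/wireguard
          readOnly: true
      volumes:
      - name: config
        secret:
          secretName: wg0-config
          defaultMode: 0400    # private key stays readable only by the container user
```

The trap only runs if the pod is stopped gracefully; a node that dies outright still needs out-of-band cleanup, which is the case the post suggests finalizers for.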
