{"id":16327292,"url":"https://github.com/bryopsida/wireguard-chart","last_synced_at":"2026-03-02T02:04:49.900Z","repository":{"id":40695151,"uuid":"416144014","full_name":"bryopsida/wireguard-chart","owner":"bryopsida","description":"A helm chart for wireguard","archived":false,"fork":false,"pushed_at":"2026-03-01T20:52:10.000Z","size":654,"stargazers_count":70,"open_issues_count":15,"forks_count":35,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-03-01T21:50:51.595Z","etag":null,"topics":["helm","k8s","kubernetes","vpn","wireguard"],"latest_commit_sha":null,"homepage":"","language":"Go Template","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bryopsida.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2021-10-12T01:40:57.000Z","updated_at":"2026-03-01T20:51:53.000Z","dependencies_parsed_at":"2023-12-13T01:26:36.008Z","dependency_job_id":"49a16527-024a-4989-a455-fc55372ff2f1","html_url":"https://github.com/bryopsida/wireguard-chart","commit_stats":null,"previous_names":[],"tags_count":32,"template":false,"template_full_name":null,"purl":"pkg:github/bryopsida/wireguard-chart","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bryopsida%2Fwireguard-chart","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bryopsida%2Fwireguard-chart/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bryopsida%2Fwireguard-chart/releases","manifests_url":"https://rep
os.ecosyste.ms/api/v1/hosts/GitHub/repositories/bryopsida%2Fwireguard-chart/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bryopsida","download_url":"https://codeload.github.com/bryopsida/wireguard-chart/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bryopsida%2Fwireguard-chart/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29987747,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-01T22:42:38.399Z","status":"ssl_error","status_checked_at":"2026-03-01T22:41:51.863Z","response_time":124,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["helm","k8s","kubernetes","vpn","wireguard"],"created_at":"2024-10-10T23:11:00.138Z","updated_at":"2026-03-02T02:04:49.867Z","avatar_url":"https://github.com/bryopsida.png","language":"Go Template","readme":"# Wireguard Chart\nA simple chart that can be used to run wireguard inside of a Kubernetes cluster.\n\n## Add the helm repo\nTo add this helm repo, run `helm repo add wireguard https://bryopsida.github.io/wireguard-chart` followed by a `helm repo update` to fetch the contents.\n\n## Deploy\nTo deploy with defaults and use the automatically generated private key you can use `helm upgrade --install wg-vpn-1 wireguard/wireguard --namespace \u003cyour namespace\u003e`.\nThis will create a load balancer service exposing UDP port 
`51820`. To run multiple wireguard releases you will need to change the service port to avoid collisions. \nYou can find the helm values documentation [here](helm/wireguard/README.md). By default no client configurations are added. The default CIDR for the VPN network is `10.34.0.1/24`.\n\n## Maintain client configurations\nFollow the wireguard [documentation](https://www.wireguard.com/quickstart/) for generating keys and determining client IPs. Clients can be set by providing the following yaml override values.\n\n``` yaml\nwireguard:\n  clients:\n    - PublicKey: \u003cyour client public key here\u003e\n      AllowedIPs: 10.34.0.2/32\n```\n\nThen feed it into helm: `helm upgrade --install wg-vpn-1 wireguard/wireguard --namespace \u003cyour namespace\u003e -f \u003cpath-to-your-overrides\u003e`\n\n\n## Example Tunnel Configuration(s)\n### Route all traffic and use kube-dns\n\nIf you want to route all traffic through WireGuard and use the cluster DNS to allow service discovery, you can use the following tunnel configuration.\n\nRelease values\n\n``` yaml\nservice:\n  port: 51225\nwireguard:\n  allowWan: false\n  clients:\n  - AllowedIPs: 172.32.32.3/32\n    PresharedKey: \u003credacted\u003e\n    PublicKey: \u003credacted\u003e\n  - AllowedIPs: 172.32.32.2/32\n    PresharedKey: \u003credacted\u003e\n    PublicKey: \u003credacted\u003e\n  serverAddress: 172.32.32.1/24\n  serverCidr: 172.32.32.0/24\n```\n\nWhere the kube-dns service IP address is `10.43.0.10`.\n\n\n``` ini\n[Interface]\nPrivateKey = \u003credacted\u003e\nAddress = 172.32.32.2/32\nDNS = 10.43.0.10\n\n[Peer]\nPublicKey = \u003credacted\u003e\nPresharedKey = \u003credacted\u003e\nAllowedIPs = 0.0.0.0/0\nEndpoint = \u003chost\u003e:\u003cport\u003e of wireguard endpoint\n```\n\nHow you can test it works:\n\n1) Pick an internal K8S service. 
I'm going to use a couchdb service as an example.\n2) Dig it as shown below\n3) You should see that the kube-dns server answers it and you should be able to resolve A records\n\n``` shell\ndig couchdb-couchdb.couchdb.svc.cluster.local\n\n; \u003c\u003c\u003e\u003e DiG 9.10.6 \u003c\u003c\u003e\u003e couchdb-couchdb.couchdb.svc.cluster.local\n;; global options: +cmd\n;; Got answer:\n;; WARNING: .local is reserved for Multicast DNS\n;; You are currently testing what happens when an mDNS query is leaked to DNS\n;; -\u003e\u003eHEADER\u003c\u003c- opcode: QUERY, status: NOERROR, id: 65023\n;; flags: qr aa rd; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1\n;; WARNING: recursion requested but not available\n\n;; OPT PSEUDOSECTION:\n; EDNS: version: 0, flags:; udp: 4096\n;; QUESTION SECTION:\n;couchdb-couchdb.couchdb.svc.cluster.local. IN A\n\n;; ANSWER SECTION:\ncouchdb-couchdb.couchdb.svc.cluster.local. 5 IN\tA \u003credacted\u003e\ncouchdb-couchdb.couchdb.svc.cluster.local. 5 IN\tA \u003credacted\u003e\ncouchdb-couchdb.couchdb.svc.cluster.local. 5 IN\tA \u003credacted\u003e\ncouchdb-couchdb.couchdb.svc.cluster.local. 5 IN\tA \u003credacted\u003e\ncouchdb-couchdb.couchdb.svc.cluster.local. 5 IN\tA \u003credacted\u003e\ncouchdb-couchdb.couchdb.svc.cluster.local. 
5 IN\tA \u003credacted\u003e\n\n;; Query time: 51 msec\n;; SERVER: 10.43.0.10#53(10.43.0.10)\n;; WHEN: Sun Apr 02 15:04:51 CDT 2023\n;; MSG SIZE  rcvd: 41\n```\n\nIf you are using something like cilium and have access to hubble you can verify the network flows there as well.\n\n\n## Prometheus Metrics\n\n```yaml\nmetrics:\n  enabled: true\n```\n\n- Adds another container with [prometheus_wireguard_exporter](https://github.com/MindFlavor/prometheus_wireguard_exporter)\n- Installs a Prometheus ServiceMonitor to scrape metrics from the wireguard server\n- Deploys a Grafana dashboard:\n  ![Grafana Dashboard](dashboard-screenshot.png)\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbryopsida%2Fwireguard-chart","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbryopsida%2Fwireguard-chart","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbryopsida%2Fwireguard-chart/lists"}