Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/bryopsida/wireguard-chart

A helm chart for wireguard
https://github.com/bryopsida/wireguard-chart

helm k8s kubernetes vpn wireguard

Last synced: 10 days ago
JSON representation

A helm chart for wireguard

Host: GitHub
URL: https://github.com/bryopsida/wireguard-chart
Owner: bryopsida
Created: 2021-10-12T01:40:57.000Z (about 3 years ago)
Default Branch: main
Last Pushed: 2024-09-08T11:56:40.000Z (about 2 months ago)
Last Synced: 2024-10-10T23:10:59.136Z (27 days ago)
Topics: helm, k8s, kubernetes, vpn, wireguard
Language: Smarty
Homepage:
Size: 619 KB
Stars: 35
Watchers: 1
Forks: 24
Open Issues: 9
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

README

# Wireguard Chart
A simple chart that can be used to run wireguard inside of a Kubernetes cluster.

## Add the helm repo
To add this helm repo, run `helm repo add wireguard https://bryopsida.github.io/wireguard-chart` followed by a `helm repo update` to fetch the contents.

## Deploy
To deploy with defaults and use the automatically generated private key you can use `helm upgrade --install wg-vpn-1 wireguard/wireguard --namespace `.
This will create a load balancer service exposing UDP port `51820`, to run multiple wireguard releases you will need to change the service port to avoid collisions,
you can find the helm values documentation [here](helm/wireguard/README.md). By default no client configurations are added. The default CIDR for the VPN network is `10.34.0.1/24`

## Maintain client configurations
Follow the wireguard [documentation](https://www.wireguard.com/quickstart/) for generating keys and determining client IPs. Clients can be set by providing the following yaml override values.

``` yaml
wireguard:
clients:
- PublicKey:
AllowedIPs: 10.34.0.2/32
```

And feeding it into helm `helm upgrade --install wg-vpn-1 wireguard/wireguard --namespace -f `

## Example Tunnel Configuration(s)
### Route all traffic and use kube-dns

If you want to route all traffic through WireGuard and use the cluster dns to allow service discovery, you can use the following tunnel configuration.

Release values

``` yaml
service:
port: 51225
wireguard:
allowWan: false
clients:
- AllowedIPs: 172.32.32.3/32
PresharedKey:
PublicKey:
- AllowedIPs: 172.32.32.2/32
PresharedKey:
PublicKey:
serverAddress: 172.32.32.1/24
serverCidr: 172.32.32.0/24
```

Where kube-dns service ip address is `10.43.0.10`.

``` ini
[Interface]
PrivateKey =
Address = 172.32.32.2/32
DNS = 10.43.0.10

[Peer]
PublicKey =
PresharedKey =
AllowedIPs = 0.0.0.0/0
Endpoint = : of wireguard endpoint
```

How you can test it works:

1) Pick a internal K8S service. I'm going to use a couchdb service as an example.
2) Dig it as shown below
3) You should see that the kube-dns server answers it and you should be able to resolve A records

``` shell
dig couchdb-couchdb.couchdb.svc.cluster.local

; <<>> DiG 9.10.6 <<>> couchdb-couchdb.couchdb.svc.cluster.local
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65023
;; flags: qr aa rd; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;couchdb-couchdb.couchdb.svc.cluster.local. IN A

;; ANSWER SECTION:
couchdb-couchdb.couchdb.svc.cluster.local. 5 IN A
couchdb-couchdb.couchdb.svc.cluster.local. 5 IN A
couchdb-couchdb.couchdb.svc.cluster.local. 5 IN A
couchdb-couchdb.couchdb.svc.cluster.local. 5 IN A
couchdb-couchdb.couchdb.svc.cluster.local. 5 IN A
couchdb-couchdb.couchdb.svc.cluster.local. 5 IN A

;; Query time: 51 msec
;; SERVER: 10.43.0.10#53(10.43.0.10)
;; WHEN: Sun Apr 02 15:04:51 CDT 2023
;; MSG SIZE rcvd: 41
```

If you are using something like cilium and have access to hubble you can verify the network flows there as well.

## Prometheus Metrics

```yaml
metrics:
enabled: true
```

- Adds another container with [prometheus_wireguard_exporter](https://github.com/MindFlavor/prometheus_wireguard_exporter)
- Installs a Prometheus ServiceMonitor to scrape metrics from the wireguard server
- Deploys a Grafana dashboard:
![Grafana Dashboard](dashboard-screenshot.png)