Skip to content
Wireguard operator
Branch: master
Clone or download
Type Name Latest commit message Commit time
Failed to load latest commit information.
.idea Refactored internal codebase (#4) Mar 28, 2019
build Added operator sdk boilerplate Mar 8, 2019
cmd/manager Updated CRD definition, breaking change (#6) Mar 29, 2019
deploy reduced needed permissions in the deployment role May 7, 2019
pkg updated dependencies Apr 16, 2019
version Added initial config generation for clients Mar 8, 2019
.gitignore Added CI setup (#3) Mar 27, 2019
.pre-commit-config.yaml Added precommit hooks and badges on Mar 28, 2019
Gopkg.lock updated wg-quick-go dep (( PersistentKeepalive serialization issue )) Apr 18, 2019
Gopkg.toml Refactored internal codebase (#4) Mar 28, 2019 Added wg-operator role May 7, 2019

Build Status GoDoc Go Report Card


This project aim to dynamically reconfigure wireguard on the fly for the cluster nodes.


See /deploy folder. Apply CRDs, that is under /deploy/crds. Example servers/clients are under /deploy/servers and /deploy/clients. Recommended deployment is also provided under /deploy


  • Basic client-server VPN paradigm
  • Implement IPtables masqerading for out of VPN IPs --> use preUp/postDown for now, and wg-quick or wg-quick-go to run them at system boot.
  • Highly scalable for clients (i.e. supporting 1000+ clients with minimal resource usage on client side). For mostly static topologies this should be quite performant.
    • update coalescing --> implemented via 200ms coalescing time window
    • error exponential backoff --> Not implemented, on error we retry every 5 seconds
    • client query only myself --> partially implemeted, informer cache is fetching all client changes, but update is triggered only for myself
  • Implement per server interface for clients -- allows custom routing to operate on top of wireguard (e.g. OSPF/BGP)
  • Medium dynamic network topology changes, wireguard setting & nodes won't change too often
  • Unit test coverage + CI for config generation
  • End2end test within CI
  • Support key rotation
  • Have decent usage documentation


Docker images registy, automatically built via CI pipeline

It's located at:

Per tag images:




Per branch images:



Bare metal deployment

There's ansible role in the deploy/role with example playbook in deploy/playbook.yml

You can’t perform that action at this time.