Releases: achetronic/tunnel
v0.5.0
Host-level performance tuning for the VPS data path.
Breaking changes
- Boot service renamed from `wg-relay.service` to `tunnel-boot.service`, since it now reapplies the whole node config on boot, not just WireGuard. The WireGuard interface stays `wg-relay`.
Features
- New `spec.host` block to tune the VPS kernel and NIC, separate from the Envoy proxy config:
  - `kernelMaxSocketBufferBytes` (default 25MB): raises the kernel socket buffer ceiling and sets `SO_RCVBUF`/`SO_SNDBUF` on the UDP listeners. UDP needs this set explicitly; TCP keeps autotuning.
  - `disableNicOffloads` (default false): turns GRO/GSO off on the underlay NIC for encapsulated UDP (tunnel-in-tunnel), where receive coalescing corrupts datagram boundaries. The interface is detected automatically.
- `enable_reuse_port` on all Envoy listeners so they spread across worker threads.
Changes
- Removed `prefer_gro` from the Envoy UDP listeners; GRO is left to the OS, or turned off at the NIC via `disableNicOffloads`.
- NIC offloads are applied natively without `ethtool` on the VPS, the same way WireGuard and nftables are handled.
- New dependency: `github.com/safchain/ethtool` (Apache-2.0).
v0.4.0
Features
- Enable UDP GRO (Generic Receive Offload) on the listener downstream socket for UDP listeners via `prefer_gro: true` in `udp_listener_config`.
v0.3.1
Moves the operator's internal ports out of the way of your traffic.
Changed
- The uplink readiness/health endpoint moved from port 8080 to 40500, and the Envoy edge admin/metrics port moved from 9901 to 40600. Both were low ports that could clash with a port you expose through a PortBinding; the new ones sit in a high range where a collision is far less likely. These ports are reserved by the data path, so a PortBinding may not use them.
Upgrade note
The ports are hardcoded in this release. Existing EdgeNodes re-enroll cleanly and the uplink pods roll to the new readiness port on their own; no manual step beyond upgrading the chart and letting the operator reconcile.
v0.3.0
If you ran an earlier version, this one is much steadier under failure: reboots, restarts, scale-downs and bad input no longer leave things wedged.
Added
- `PortBinding` now reports readiness honestly. `Ready` only turns true once the binding is actually live on the edge, not just queued.
- New `--leader-elect-namespace` flag, so you can run the manager outside the cluster (for example with `make run`).
- `spec.uplink.namespace` is now immutable, so changing it can't leave resources stranded.
Fixed: control plane
- The EdgeNode no longer reconciles itself in a loop, so it stops hammering the VPS over SSH.
- Applied bindings are recorded as soon as enrollment succeeds, so a later hiccup can't leave a binding stuck as "not applied".
- The manager skips status writes when nothing changed.
- Uplink resources owned by another EdgeNode are left alone instead of being deleted.
- Reconcile concurrency is bounded, and inputs are checked more strictly.
Fixed: data path (VPS)
- A healthy uplink no longer gets dropped by its own health check. Each check now uses a fresh connection, which fixes spurious failures that could reset live traffic.
- The generated Envoy config is now valid in all cases (proxy-protocol health checks, durations, TLS passthrough).
- The tunnel survives a VPS reboot: WireGuard comes back before Envoy starts.
- The uplink drains cleanly on shutdown, so rolling updates don't drop in-flight connections.
- A pod only reports ready once WireGuard and nftables are actually applied and the handshake is fresh.
- The first apply retries on failure instead of leaving a pod stuck not-ready.
- Stale routes are cleaned up when you scale uplinks down.
- A dead SSH connection can no longer freeze a worker.
- Same port can be used for TCP and UDP at once.
- VPS state now lives in `/etc/tunnel` (renamed from `/etc/tunnel-operator`).
Fixed: security
- SSH host-key checking now verifies the key against the right host, not just any host in the file.
- The Envoy version is validated before it ever reaches a shell command.
- VPS binaries are called by absolute path.
- The Envoy admin address follows your tunnel network, so a custom network no longer breaks enrollment.
- `uplink.replicas` is capped to avoid a denial of service through key generation.
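The host-key fix above is the difference between "this key is recorded for the host I am connecting to" and "this key appears somewhere in the known_hosts file". The second check lets one enrolled VPS present another VPS's key and still pass. The following is an added example, not code from the tunnel project (which is written in Go and uses its own SSH client): it models known_hosts lookup in the OpenSSH file format, with plain, wildcard, negated, `[host]:port` and hashed (`|1|salt|hmac`) host patterns and `@revoked` markers, and puts the strict per-host check beside the flawed any-host variant. Host names and key blobs in the sample file are constructed placeholders, not real public keys.

```python
import base64
import hashlib
import hmac
import re


def hash_hostname(name: str, salt: bytes) -> str:
    """Build an OpenSSH hashed host pattern: |1|base64(salt)|base64(HMAC-SHA1(salt, name))."""
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


# Constructed sample known_hosts; key blobs are placeholders, not real public keys.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample file",
    "vps-a.example.net,203.0.113.10 ssh-ed25519 AAAAC3placeholderKeyA",
    "[vps-b.example.net]:2222 ssh-ed25519 AAAAC3placeholderKeyB",
    "*.lab.example.net,!untrusted.lab.example.net ssh-ed25519 AAAAC3placeholderKeyLab",
    "@revoked vps-a.example.net ssh-rsa AAAAB3placeholderOldKey",
    hash_hostname("vps-c.example.net", b"0123456789abcdef0123") + " ssh-ed25519 AAAAC3placeholderKeyC",
])


def parse_known_hosts(text: str) -> list:
    """Return (marker, host_patterns, key_type, key_blob) tuples; skips comments and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = fields.pop(0) if fields[0].startswith("@") else None
        if len(fields) < 3:
            continue
        entries.append((marker, fields[0], fields[1], fields[2]))
    return entries


def _glob_match(pattern: str, name: str) -> bool:
    # Only '*' and '?' are wildcards; brackets in "[host]:port" must match literally.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, name) is not None


def _hashed_match(pattern: str, name: str) -> bool:
    _, _, salt_b64, mac_b64 = pattern.split("|")
    salt = base64.b64decode(salt_b64)
    expected = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, base64.b64decode(mac_b64))


def patterns_match(pattern_list: str, host: str, port: int = 22) -> bool:
    """OpenSSH semantics: some positive pattern matches and no negated pattern matches."""
    name = host.lower() if port == 22 else f"[{host.lower()}]:{port}"
    matched = False
    for pat in pattern_list.split(","):
        if not pat:
            continue
        if pat.startswith("|1|"):
            matched = matched or _hashed_match(pat, name)
            continue
        negated = pat.startswith("!")
        if _glob_match(pat.lstrip("!").lower(), name):
            if negated:
                return False
            matched = True
    return matched


def verify_host_key(entries: list, host: str, key_type: str, key: str, port: int = 22) -> bool:
    """Strict check: the presented key must be recorded for this host and port, and not revoked."""
    found = False
    for marker, patterns, etype, ekey in entries:
        if not patterns_match(patterns, host, port) or etype != key_type or ekey != key:
            continue
        if marker == "@revoked":
            return False
        if marker == "@cert-authority":
            continue  # CA entries require certificate validation, out of scope here
        found = True
    return found


def verify_any_host(entries: list, key_type: str, key: str) -> bool:
    """The flawed variant: accepts the key if it is recorded for any host at all."""
    return any(etype == key_type and ekey == key
               for marker, _patterns, etype, ekey in entries if marker != "@revoked")


ENTRIES = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
```

Feeding the key of `vps-b` to a connection aimed at `vps-a` is the case that separates the two functions: `verify_any_host` accepts it because the blob exists in the file, `verify_host_key` rejects it because no pattern for `vps-a` carries that key. The port is part of the identity too, so a key recorded for `[vps-b.example.net]:2222` does not vouch for port 22 on the same name.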
Testing
- Rendered Envoy config is now checked against a real Envoy in CI (`make test`), catching problems that plain-text comparisons miss.
Docs
- Refreshed the guides, the manager flags table in the README, and code comments.
Upgrade note
The VPS state directory was renamed from /etc/tunnel-operator to /etc/tunnel. There's no migration: an already-enrolled VPS simply re-enrolls itself cleanly on the next reconcile.
v0.2.0
What's new
- Edge TLS certificates now rotate without downtime. When a certificate is renewed (for example by cert-manager), the operator updates Envoy on the VPS in place, with no dropped connections and no restart. Previously a renewed certificate was copied to the VPS but Envoy kept serving the old one until it expired, which could take a TLS listener down. If you use TLS `offload` or `mutual` mode, you no longer need to do anything on renewal.
Fixes
- PortBindings no longer leak across namespaces. If you had two EdgeNodes with the same name in different namespaces, a PortBinding could be applied to the wrong one. Bindings are now matched by both name and namespace.
- Private keys are cleaned up when you remove a TLS binding. Deleting a TLS PortBinding (or switching it away from `offload`/`mutual`) now removes its certificate and key from the VPS, instead of leaving them on disk until the node is deleted.
Upgrade notes
- No configuration or CRD changes are required. After upgrading, EdgeNodes reconcile and move existing TLS bindings to the new mechanism automatically. Old certificate files left on the VPS by previous versions are cleaned up on the next reconcile.
v0.1.0
First release 🚀
Features
- Two CRDs: `EdgeNode` (a VPS plus the tunnel) and `PortBinding` (the ports to expose).
- Expose TCP and UDP ports, routed to a Kubernetes `Service` or a raw `IP:port`.
- Active-active HA: N uplink replicas, Envoy L4 load-balancing on the VPS with active health checks per replica.
- TLS at the edge: `passthrough` (SNI routing), `offload` (terminate on the VPS), `mutual` (downstream mTLS).
- Client source IP preserved with Proxy Protocol.
- WireGuard and nftables programmed natively by the `tunnelctl` agent: no `wireguard-tools`, `wg-quick` or `nft` CLI, distroless uplink. The operator is the single SSH writer, verifies the VPS host key, and stays out of the data path.
- Multi-arch images (amd64/arm64).
- Helm chart published as an OCI artifact.