[Question] VPN between BurmillaOS nodes #96
Comments
In theory OpenVPN should work as a system service and be able to provide a VPN connection for those, but there is no ready-made solution for it. If you don't need an overlay network between those nodes then Portainer + their Edge Agent might be an easier option: https://www.portainer.io/blog/using-the-portainer-edge-agent-edge-groups-and-edge-stacks-part-1
I've used ZeroTier for this purpose with great success; here's how I plumbed it on my system (YMMV of course). Put the following files in the zerotier-containerized directory:

Dockerfile:

main.sh:

Then in that directory, run

And then kick it off with the following command:

Update: For those unfamiliar with ZeroTier, you'll need to log in to my.zerotier.com and create a network before you can make use of it. Once your network is there, run

You will have to approve the initial connection in the ZeroTier console. Then, to confirm everything is online:
@tredger included WireGuard in the kernel which 2.0.0-beta5 will use. However, using it with swarm is a bit tricky because of the MTU challenges described in moby/libnetwork#2661. If moby/moby#43197 gets merged and backported to the 22.06.x releases it will simplify it. On top of that I'm thinking: should we support it in other ways? Or at least have documentation about it?
Could you use Tailscale? https://hub.docker.com/r/tailscale/tailscale It would be nice to see this running as an OS service, maybe with some It's possible to host your own instance using https://github.com/juanfont/headscale so you aren't necessarily relying on a proprietary service.
FYI, moby/moby#43197 is now included in v2.0.0-beta7.
Very interesting option. It looks to be working fine as far as I can see. Here is an example service config:

```yaml
tailscale:
  image: ollijanatuinen/tailscale:v1.46.1
  environment:
    TS_ACCEPT_DNS: true
    TS_AUTHKEY: <AUTH KEY>
    TS_HOSTNAME: n1
    TS_USERSPACE: false
    TS_STATE_DIR: /var/lib/tailscale/state
    TS_SOCKET: /var/run/tailscale/tailscaled.sock
    TS_EXTRA_ARGS: --accept-routes --advertise-routes 192.168.101.0/24
  labels:
    io.rancher.os.scope: system
    io.rancher.os.before: docker
  net: host
  pid: host
  ipc: host
  uts: host
  privileged: true
  restart: always
  volumes_from:
    - system-volumes
  volumes:
    - /var/lib/tailscale:/var/lib/tailscale
    - /dev/net/tun:/dev/net/tun
```

and it can be deployed with these commands (remember to update the auth key first):

```sh
ros service enable /var/lib/rancher/conf/tailscale.yml
ros service up tailscale
```

It works already with the config above. After there are more test results from others we can consider including it as part of OS services too. Basically there just need to be parameters for
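The service file above carries the Tailscale auth key in plain text, so the practical risk is that the secret ends up pasted into a file that is world-readable or committed somewhere. The following POSIX shell helper is an added example for this thread, not BurmillaOS or Tailscale project code: it renders the same service definition with the key taken from the `TS_AUTHKEY` environment variable, checks that nothing the config depends on (system scope label, `net: host`, the tun device, the placeholder key) was lost or left unfilled, and only then writes the file owner-readable and runs the two `ros service` commands from the thread. The function names, the `deploy` argument and the `TS_ROUTE` variable are this example's own assumptions; `TS_AUTHKEY` and `TS_HOSTNAME` are the variable names already used in the config.

```shell
#!/bin/sh
# Added helper, not BurmillaOS or Tailscale project code. It renders the
# tailscale system-service file from the thread with the auth key read from
# the TS_AUTHKEY environment variable instead of pasted into the file,
# checks the result, and only then hands it to `ros service`.
# Function names, the check list, the "deploy" argument and TS_ROUTE are
# assumptions made for this example.

# Print a service definition for one node to stdout.
#   $1 = auth key   $2 = node hostname   $3 = subnet to advertise (optional)
render_tailscale_service() {
  key=$1
  host=$2
  route=${3:-}
  extra="--accept-routes"
  [ -n "$route" ] && extra="$extra --advertise-routes $route"
  cat <<EOF
tailscale:
  image: ollijanatuinen/tailscale:v1.46.1
  environment:
    TS_ACCEPT_DNS: true
    TS_AUTHKEY: $key
    TS_HOSTNAME: $host
    TS_USERSPACE: false
    TS_STATE_DIR: /var/lib/tailscale/state
    TS_SOCKET: /var/run/tailscale/tailscaled.sock
    TS_EXTRA_ARGS: $extra
  labels:
    io.rancher.os.scope: system
    io.rancher.os.before: docker
  net: host
  pid: host
  ipc: host
  uts: host
  privileged: true
  restart: always
  volumes_from:
    - system-volumes
  volumes:
    - /var/lib/tailscale:/var/lib/tailscale
    - /dev/net/tun:/dev/net/tun
EOF
}

# Return 0 when the file still has everything the thread's config relies on
# and no leftover placeholder key; print the first problem found otherwise.
check_tailscale_service() {
  f=$1
  if grep -q '^ *TS_AUTHKEY: *<' "$f"; then
    echo "auth key placeholder still present in $f"
    return 1
  fi
  if grep -q '^ *TS_AUTHKEY: *$' "$f"; then
    echo "auth key is empty in $f"
    return 1
  fi
  # Kernel-mode tailscaled (TS_USERSPACE: false) needs the tun device, and the
  # system scope/ordering labels are what make ros start it before docker.
  for need in 'io.rancher.os.scope: system' 'io.rancher.os.before: docker' \
              'net: host' 'privileged: true' '/dev/net/tun:/dev/net/tun' \
              '- system-volumes'; do
    if ! grep -qF -- "$need" "$f"; then
      echo "missing: $need in $f"
      return 1
    fi
  done
  return 0
}

# Write the file owner-readable only (it holds the auth key), check it, and
# enable/start the service with the same two commands as in the thread.
deploy_tailscale_service() {
  target=/var/lib/rancher/conf/tailscale.yml
  : "${TS_AUTHKEY:?export TS_AUTHKEY first; it is never stored in this script}"
  umask 077
  render_tailscale_service "$TS_AUTHKEY" "${TS_HOSTNAME:-$(hostname)}" "${TS_ROUTE:-}" > "$target"
  check_tailscale_service "$target" || return 1
  ros service enable "$target"
  ros service up tailscale
}

# Only act when explicitly asked, so the file can also be sourced for its functions.
case "${1:-}" in
  deploy) deploy_tailscale_service ;;
esac
```

Usage on a node would be `TS_AUTHKEY=... TS_HOSTNAME=n1 TS_ROUTE=192.168.101.0/24 sh tailscale-service.sh deploy`. The key only ever lives in the environment of that one command and in the 0600 file under `/var/lib/rancher/conf`, and a pre-auth key that has already been used or rotated can simply be replaced by re-running the script.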
Wireguard would be nice...
Hi,
I have a setup with 3 BurmillaOS servers. One has a static, public IP address and two APU systems are running behind an ADSL router with a dynamic public IP address.
I am trying to build a Docker Swarm network between all three nodes and I think I need bidirectional network connections. That won't work with two nodes behind NAT...
How could I create tunneled (VPN) connections as easily as possible between all the nodes? Or is there a way without a VPN to enable routed traffic between all nodes?
Is there an OpenVPN / WireGuard system service available? Important point: I need to establish the connection as client -> server because of the dynamic IP address in front of two of my nodes...