Causing issues for wireguard VPN (iptables) #1541

Closed
VictorNine opened this issue Sep 4, 2020 · 4 comments


VictorNine commented Sep 4, 2020

I'm running microk8s channel=1.19 on Ubuntu 18.04. I have a wireguard connection to my master node which works perfectly as long as microk8s is not running. As soon as it's started the wireguard connection stops working. This issue seems to be in iptables:

DROP all -- anywhere anywhere /* kubernetes firewall for dropping marked packets */ mark match 0x8000/0x8000

Any idea how to resolve this problem?
Removing the FwMark from the wireguard config works but still a strange issue

Similar problem with more info #688

Collaborator

balchua commented Sep 4, 2020

I don't think this is a MicroK8s issue. But someone seems to have a solution to this.

https://discuss.kubernetes.io/t/kubernetes-wireguard-flannel-overlay-network-on-vms-blocked-by-kubefirewall/4602

Can you try this one?


stale bot commented Aug 1, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the inactive label Aug 1, 2021
@stale stale bot closed this as completed Aug 31, 2021

daniel-widrick commented Aug 30, 2022

DROP all -- anywhere anywhere /* kubernetes firewall for dropping marked packets */ mark match 0x8000/0x8000

Why does microk8s need this rule in place? Dropping marked packets seems like the nuclear approach...

Member

neoaggelos commented Oct 4, 2022

Just adding a quick note that any of these rules are not specific to MicroK8s, but rather come from the upstream Kubernetes components. MicroK8s cannot, should not and will not remove this rule, since it could break Kubernetes in unexpected ways.

If running MicroK8s on a host with wireguard VPN, you need to make sure that there are no conflicts between the iptables rules that Kubernetes and wireguard VPN need.
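The conflict discussed in this thread can be checked offline before starting the tunnel. This is an added example, not part of the issue thread and not MicroK8s or Kubernetes code: it applies the iptables mark test (packet mark AND mask equals value) to a WireGuard `FwMark`. The function names, the sample config and the ACCEPT rule are constructed for illustration; the DROP rule is the one quoted in the issue.

```python
import re

# Mark test as printed by `iptables -L` ("mark match 0x8000/0x8000")
# or by `iptables -S` ("--mark 0x8000/0x8000"). Negated tests are not handled.
MARK_RE = re.compile(
    r"(?:mark match|--mark)\s+(0x[0-9a-fA-F]+|\d+)(?:/(0x[0-9a-fA-F]+|\d+))?")

# First line is the rule from the issue; the second is constructed.
SAMPLE_RULES = """\
DROP all -- anywhere anywhere /* kubernetes firewall for dropping marked packets */ mark match 0x8000/0x8000
ACCEPT all -- anywhere anywhere mark match 0x4000/0x4000
"""

# Constructed WireGuard config fragment (hypothetical values).
SAMPLE_WG_CONF = """\
[Interface]
ListenPort = 51820
FwMark = 51820   # decimal; 51820 == 0xCA6C, which has bit 0x8000 set
"""


def parse_fwmark(wg_conf):
    """Return FwMark from a WireGuard config as an int, or None if unset/off/0."""
    for line in wg_conf.splitlines():
        key, sep, value = line.split("#", 1)[0].partition("=")
        if sep and key.strip().lower() == "fwmark":
            value = value.strip().lower()
            return None if value == "off" else (int(value, 0) or None)
    return None


def drop_rules_hit(fwmark, rules):
    """Return the DROP rules whose mark test matches a packet carrying fwmark."""
    hits = []
    for rule in rules.splitlines():
        m = MARK_RE.search(rule)
        is_drop = rule.split()[:1] == ["DROP"] or "-j DROP" in rule
        if not (m and is_drop):
            continue
        value = int(m.group(1), 0)
        mask = int(m.group(2), 0) if m.group(2) else 0xFFFFFFFF
        if fwmark & mask == value:  # same comparison the mark match performs
            hits.append(rule.strip())
    return hits


if __name__ == "__main__":
    mark = parse_fwmark(SAMPLE_WG_CONF)
    for rule in drop_rules_hit(mark, SAMPLE_RULES) if mark else []:
        print(f"FwMark {mark:#x} would be dropped by: {rule}")
```

Any `FwMark` with bit `0x8000` set matches the rule, including decimal values that do not look related to it, so the check has to be done on the bits rather than by comparing the strings.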
