Help, vpn peer usage in nat environment. #13
This time, on my home Debian 9, it works (IP: 10.5.0.2/16):
With some items left:
@huapox that's great progress! Regarding the bullet points:
I need to take a closer look, I will get back to you.
This is because the home VPN peer doesn't specify an external IP address for the WireGuard endpoint. This means that the peer must first try to connect to the k8s cluster so that the cluster can record the public IP. Once the peer has pinged the cluster, the cluster can ping the peer.
This is because of some extra magic that wg-quick does for you. Take a look at https://github.com/WireGuard/WireGuard/blob/HEAD/src/tools/wg-quick/linux.bash#L161-L173 for details.
Luckily there is an easy workaround rather than running kube-proxy on the peer! You are on the right track. We need to pick one of the cluster nodes to be the gateway to the service CIDR. Then, we add the service CIDR as one of the allowed IPs for that node in the home VPN peer.ini. Once we add the route for the service CIDR (or let wg-quick do it for us), we can connect to any service IP.
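The "extra magic" referred to above, as an added example that is not code from the Kilo project or from either commenter: a POSIX shell script that reproduces what wg-quick does with a peer's AllowedIPs on "up", emitting one `ip route add` for each prefix via the WireGuard interface. The config it parses is constructed here; the interface name, keys, endpoint, pod CIDR and service CIDR are placeholders, not values from this issue.

```shell
#!/bin/sh
# Added example, not Kilo's or WireGuard's own code. Plain `wg setconf`
# only installs the cryptokey routing table; wg-quick additionally adds a
# kernel route for every AllowedIPs prefix. Without that route, adding the
# service CIDR to AllowedIPs is not enough to reach service IPs.

# Constructed peer config (placeholder keys/addresses): pod CIDR plus the
# service CIDR, both routed via the one cluster node chosen as gateway.
PEER_CONF='[Interface]
PrivateKey = PLACEHOLDER_PEER_PRIVATE_KEY
Address = 10.5.0.2/16

[Peer]
PublicKey = PLACEHOLDER_GATEWAY_NODE_PUBLIC_KEY
Endpoint = 203.0.113.10:51820
AllowedIPs = 10.4.0.0/16, 10.2.0.0/16, 10.43.0.0/16
PersistentKeepalive = 25
'

# Print the `ip route add` commands wg-quick would run for config $2 on
# interface $1. Default routes (0.0.0.0/0, ::/0) are skipped because
# wg-quick handles those with policy routing, not a plain route.
routes_for_conf() {
    iface="$1"
    conf="$2"
    printf '%s\n' "$conf" | awk -v iface="$iface" '
        /^\[Peer\]/ { in_peer = 1; next }
        /^\[/       { in_peer = 0; next }
        in_peer && $1 == "AllowedIPs" {
            sub(/^[^=]*=[ \t]*/, "")
            n = split($0, cidrs, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                if (cidrs[i] == "0.0.0.0/0" || cidrs[i] == "::/0") continue
                printf "ip route add %s dev %s\n", cidrs[i], iface
            }
        }'
}

# Actually install the routes (needs root and an existing interface).
apply_routes() {
    routes_for_conf "$1" "$2" | sh
}
```

Run `routes_for_conf wg0 "$PEER_CONF"` first to review the routes, then `apply_routes` once the interface is up.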
Great!
Update:
Update 2: (test DNS)
@huapox, great work! You bring up a great point about making Kubernetes services discoverable to VPN peers via DNS. I will add this setup to the VPN docs!
I've followed README.MD and docs/vpn.md for the following settings.