
FEATURE: improve documentation for VPN-only use case #30

Closed
wants to merge 1 commit into from

Conversation

skurfuerst

... feel free to adjust as wished :)

Resolves: #28

@benosman

benosman commented Feb 23, 2020

I've been having some success getting a VPN-only setup to work using these instructions, so thank you for putting this together. 👍

One issue I have is that since the kilo pod is set to only run on a single node, while I can access the entire cluster from my vpn client, I can only access my client ip from pods deployed on the same node as kilo.

That makes perfect sense, as there is no routing for that on the other nodes, but that is not clear in the instructions. Presumably it would work if the pods ran on all nodes, but some adjustment would need to be made to the wireguard config as there would be duplicate allowed ip ranges.

It may be related, but at the first try, I couldn't get the service to work with the example here either.

@squat
Owner

squat commented Feb 23, 2020

> Presumably it would work if the pods ran on all nodes, but some adjustment would need to be made to the wireguard config as there would be duplicate allowed ip ranges

There should not be any overlap in the allowed IP ranges, Kilo takes care of that. The correct way to do this is to run Kilo on every node, as is the default. To simplify this for the VPN-only use case, only one node needs a public IP and that will be the gateway to the cluster. You can generate the configuration for your laptop using kgctl showconf peer <laptop peer name>. And then add the service IP ranges to the allowed IPs of this generated file

This is the regular and recommended way to run Kilo, as documented in the VPN doc.

Please update with your progress and if you need any help :)
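The step described in the comment above (generate the laptop's WireGuard config with `kgctl showconf peer <name>`, then add the cluster's service IP range to the peer's AllowedIPs) is easy to get wrong by hand, and the earlier worry about duplicate allowed IP ranges is worth checking mechanically. The following script is an added example and is not part of Kilo or of this pull request. It assumes `kgctl showconf peer` emits standard WireGuard INI text (one `AllowedIPs` line per `[Peer]` section); the sample config, keys, endpoint and the service CIDR `10.43.0.0/16` are constructed placeholders, and `add_allowed_ips` / `overlapping_peers` are names chosen here.

```python
import ipaddress
import re

# Constructed sample of what `kgctl showconf peer laptop` might return
# (standard WireGuard INI). Keys and the endpoint are placeholders.
SAMPLE_CONF = """[Interface]
PrivateKey = <LAPTOP_PRIVATE_KEY>
ListenPort = 51820

[Peer]
PublicKey = <GATEWAY_NODE_PUBLIC_KEY>
AllowedIPs = 10.4.0.0/16, 10.5.0.0/24, 10.5.0.1/32
Endpoint = 203.0.113.10:51820
PersistentKeepalive = 10
"""

# Constructed example of a cluster service CIDR (the kube-apiserver
# --service-cluster-ip-range); substitute the real value for your cluster.
SERVICE_CIDR = "10.43.0.0/16"


def parse_sections(conf_text):
    """Return [(section_name, {key: value})] in file order, ignoring # comments."""
    sections = []
    current = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], {})
            sections.append(current)
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            current[1][key] = value
    return sections


def cidrs(value):
    """Parse a comma-separated AllowedIPs value into ip_network objects."""
    return [ipaddress.ip_network(c.strip(), strict=False)
            for c in value.split(",") if c.strip()]


def covered(net, existing):
    """True if `net` is already inside one of the `existing` ranges."""
    return any(e.version == net.version and net.subnet_of(e) for e in existing)


def add_allowed_ips(conf_text, new_cidrs):
    """Return conf_text with new_cidrs appended to every [Peer] AllowedIPs line.

    Ranges already covered by an existing entry are skipped, so running this
    twice with the same CIDR leaves the file unchanged."""
    out = []
    in_peer = False
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_peer = stripped == "[Peer]"
        m = re.match(r"^(\s*AllowedIPs\s*=\s*)(.*)$", line)
        if in_peer and m:
            merged = cidrs(m.group(2))
            for c in new_cidrs:
                net = ipaddress.ip_network(c, strict=False)
                if not covered(net, merged):
                    merged.append(net)
            line = m.group(1) + ", ".join(str(n) for n in merged)
        out.append(line)
    return "\n".join(out) + "\n"


def overlapping_peers(conf_text):
    """Report AllowedIPs ranges that overlap between different [Peer] sections.

    WireGuard's cryptokey routing maps each destination to exactly one peer, so
    a range listed under two peers means one of them silently loses that
    traffic. Returns [(peer_index_a, peer_index_b, range_a, range_b)]."""
    peers = [kv for name, kv in parse_sections(conf_text) if name == "Peer"]
    ranges = [cidrs(kv.get("AllowedIPs", "")) for kv in peers]
    problems = []
    for a in range(len(ranges)):
        for b in range(a + 1, len(ranges)):
            for ra in ranges[a]:
                for rb in ranges[b]:
                    if ra.version == rb.version and ra.overlaps(rb):
                        problems.append((a, b, str(ra), str(rb)))
    return problems


if __name__ == "__main__":
    updated = add_allowed_ips(SAMPLE_CONF, [SERVICE_CIDR])
    print(updated)
    print("overlapping ranges between peers:", overlapping_peers(updated))
```

In practice you would feed the real `kgctl showconf peer <name>` output through `add_allowed_ips` with your cluster's service CIDR, run `overlapping_peers` on the result as a sanity check, and only then load the file into `wg-quick`. Overlap within a single peer's list (such as a node's /32 inside its pod /24 above) is harmless; overlap across peers is the case that breaks routing.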

@benosman

> There should not be any overlap in the allowed IP ranges, Kilo takes care of that. The correct way to do this is to run Kilo on every node, as is the default. To simplify this for the VPN-only use case, only one node needs a public IP and that will be the gateway to the cluster. You can generate the configuration for your laptop using kgctl showconf peer <laptop peer name>. And then add the service IP ranges to the allowed IPs of this generated file
>
> This is the regular and recommended way to run Kilo, as documented in the VPN doc.

I suspected that was the case; I was referring to the VPN-only manifest in this pull request, which suggests a single node to run the kilo pod.

I haven't yet managed to build kgctl, as my main machine is macOS, and I don't yet have golang on my linux box.

@squat
Owner

squat commented Feb 23, 2020

👍 sounds like another good reason to resolve #3 :)

Base automatically changed from master to main February 26, 2021 10:04
@squat
Owner

squat commented May 8, 2021

Closing this for now. Running Kilo on only a single node will not give other nodes the necessary routes to communicate back with peers. To use Kilo only as a VPN server for the cluster, it should be installed as it normally is. Maybe we can extend the VPN doc to make a note that Kilo can be installed on a regular, non-multi-cloud cluster to bring these extra features?

@squat squat closed this May 8, 2021
Successfully merging this pull request may close these issues.

Services not exposed via Kilo VPN
3 participants