
how to run wg-easy in kubernetes? #3

Closed
smshr opened this issue May 23, 2021 · 2 comments
Labels
question Further information is requested

Comments


smshr commented May 23, 2021

I tried running it in the kubernetes (k3s) cluster. I get the following error:
error: error validating "wireguard": error validating data: ValidationError(Deployment.spec.template.spec.containers[0].securityContext): unknown field "sysctls" in io.k8s.api.core.v1.SecurityContext; if you choose to ignore these errors, turn validation off with --validate=false

my deployment.yml looks like this:

kind: Deployment
apiVersion: apps/v1
metadata:
  name: wireguard
spec:
  replicas: 1
  selector:
    matchLabels:
      app: wireguard
  template:
    metadata:
      labels:
        app: wireguard
    spec:
      containers:
      - name: wireguard
        image: weejewel/wg-easy
        ports:
        - name: wireguard
          containerPort: 51820
          protocol: UDP
        - name: web
          containerPort: 51821
          protocol: TCP
        env:
        - name: TZ
          value: America/New_York
        - name: WG_HOST
          value: vpn.example.com
        securityContext:
          capabilities:
            add:
            - NET_ADMIN
            - SYS_MODULE
          sysctls:
          - name: net.ipv4.conf.all.src_valid_mark
            value: "1"

from my host machine (debian):

root@nas:~# cat /etc/sysctl.conf| grep net.ipv4.ip_forward
net.ipv4.ip_forward=1
root@nas:~# sysctl -a | grep net.ipv4.conf.all.src_valid_mark
net.ipv4.conf.all.src_valid_mark = 0
root@nas:~# cat /etc/debian_version
10.9
  1. Could it be because my host machine shows net.ipv4.conf.all.src_valid_mark as "0"? If yes, how do I turn this to "1"?
  2. Or do I need to allow unsafe sysctls in kubernetes: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
@WeeJeWel WeeJeWel added the question Further information is requested label May 25, 2021

ikaruswill commented May 26, 2021

Based on what I understand, sysctls are still in beta in versions prior to 1.21, so you might have needed to enable the feature via a feature flag when running the k3s agent.

However, it seems like there's no impact from excluding this sysctl. I'm currently running wg-easy on k3s 1.18 and it works just fine, though client speed statistics are off, likely due to the missing sysctl; not a deal breaker imo.


smshr commented Jul 5, 2021

I managed to run wg-easy in kubernetes:

  1. Multiple tutorials mentioned that for wireguard to work in docker or kubernetes, the host kernel should have the wireguard module present, so I installed wireguard on the host machine. This may be overkill or not required, and there may be a leaner way around it. If you know about it, please let me know.
  2. You will need to enable the experimental feature MixedProtocolLBService in your kubernetes installation. My kubernetes cluster is k3s (not k8s); you can enable this feature in k3s by installing it like this:
    curl -sfL https://get.k3s.io | sh -s - --kube-apiserver-arg feature-gates=MixedProtocolLBService=true

Below is what my deployment looks like. Please note that in this example I use traefik as a reverse proxy and authelia as a traefik middleware for UI authentication. Traefik and authelia configuration are beyond the scope of this post.

kind: Deployment
apiVersion: apps/v1
metadata:
  name: wireguard
spec:
  replicas: 1
  selector:
    matchLabels:
      app: wireguard
  template:
    metadata:
      labels:
        app: wireguard
    spec:
      containers:
      - name: wireguard
        image: weejewel/wg-easy
        env:
        - name: WG_HOST
          value: vpn.example.com
        - name: WG_DEFAULT_ADDRESS
          value: 10.0.0.x
        - name: WG_DEFAULT_DNS
          value: "1.1.1.1"
        securityContext:  # I am not sure if the following is required, I haven't tried it without
          privileged: true
          capabilities:
            add:
            - NET_ADMIN
            - SYS_MODULE
        volumeMounts:
        - name: wireguard-volume  # stores wg-easy configuration
          mountPath: /etc/wireguard
        - name: lib-volume
          mountPath: /lib/modules  # makes the wireguard module available to the pod, this may not be required
      volumes:
      - name: wireguard-volume
        hostPath:
          path: /mnt/k3s/wireguard
      - name: lib-volume
        hostPath:
          path: /lib/modules

---
apiVersion: v1
kind: Service
metadata:
  name: wireguard-service
  labels:
    app: wireguard
spec:
  ports:
  - name: wireguard
    targetPort: 51820
    port: 51820
    protocol: UDP
  - name: web
    targetPort: 80
    port: 80
  selector:
    app: wireguard

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteUDP
metadata:
  name: wireguard-route
spec:
  entryPoints:
  - vpn
  routes:
  - services:
    - name: wireguard-service
      port: 51820

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: wireguard-ui-route
spec:
  entryPoints:
  - websecure
  routes:
  - match: Host(`vpn.example.com`)
    kind: Rule
    services:
    - name: wireguard-service
      port: 80
    middlewares:
    - name: authelia-middleware
      namespace: admin
  tls:
    certResolver: letsencrypt

The following are from my host machine:

root@nas:~# cat /etc/sysctl.conf| grep net.ipv4.ip_forward
#net.ipv4.ip_forward=1
root@nas:~# sysctl -a | grep net.ipv4.conf.all.src_valid_mark
net.ipv4.conf.all.src_valid_mark = 0
root@nas:~# cat /etc/debian_version
11.0
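
As an added example (editor's, not from the thread or the wg-easy project), a Deployment that addresses both the validation error in the first post and the privileged: true in the final one: Kubernetes defines sysctls on the pod-level securityContext, not on a container's securityContext, and net.ipv4.conf.all.src_valid_mark is outside the kubelet's default safe set, so it must be allowlisted on the node. The k3s kubelet flag, the inclusion of net.ipv4.ip_forward (which the thread checks on the host), and a host kernel that already has the wireguard module are assumptions.

```yaml
# Assumptions (not from the thread): the node's kernel already provides the
# wireguard module, and the k3s kubelet was started with these unsafe
# sysctls allowlisted, e.g.
#   --kubelet-arg allowed-unsafe-sysctls=net.ipv4.conf.all.src_valid_mark,net.ipv4.ip_forward
kind: Deployment
apiVersion: apps/v1
metadata:
  name: wireguard
spec:
  replicas: 1
  selector:
    matchLabels:
      app: wireguard
  template:
    metadata:
      labels:
        app: wireguard
    spec:
      # sysctls is a PodSecurityContext field, so it belongs here; under
      # containers[].securityContext the API rejects it as an unknown field.
      securityContext:
        sysctls:
        - name: net.ipv4.conf.all.src_valid_mark
          value: "1"
        - name: net.ipv4.ip_forward
          value: "1"
      containers:
      - name: wireguard
        image: weejewel/wg-easy
        env:
        - name: WG_HOST
          value: vpn.example.com
        securityContext:
          # the two capabilities from the thread instead of privileged: true;
          # SYS_MODULE is only needed if the wireguard module is not already
          # loaded on the host, so it can be dropped where it is built in
          capabilities:
            add:
            - NET_ADMIN
            - SYS_MODULE
        volumeMounts:
        - name: wireguard-volume
          mountPath: /etc/wireguard
      volumes:
      - name: wireguard-volume
        hostPath:
          path: /mnt/k3s/wireguard
```

Without the kubelet allowlist the pod is scheduled but the kubelet refuses to start it with a SysctlForbidden event, which is the place to look if the Deployment applies cleanly but never becomes ready.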

@smshr smshr closed this as completed Jul 5, 2021