commit 5f0425a882bad49c91ee22f04afc4ac896fff8fb Author: Swordsteel Date: Mon Aug 25 19:20:19 2025 +0200 test
diff --git a/.gitea/workflows/release.yaml b/.gitea/workflows/release.yaml
new file mode 100644
index 0000000..0dced27
--- /dev/null
+++ b/.gitea/workflows/release.yaml
@@ -0,0 +1,11 @@
+name: Publish Helm Chart
+
+on:
+ workflow_dispatch:
+
+jobs:
+ call-helm-ci:
+ uses: helm/common-workflows/.gitea/workflows/release.yaml@master
+ secrets:
+ CI_BOT_USERNAME: ${{ secrets.CI_BOT_USERNAME }}
+ CI_BOT_TOKEN: ${{ secrets.CI_BOT_TOKEN }}
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..62c8935
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.idea/
\ No newline at end of file
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..3415695
--- /dev/null
+++ b/README.md
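Review bot: `uses: helm/common-workflows/.gitea/workflows/release.yaml@master` pins the reusable workflow to a moving branch while handing it `CI_BOT_USERNAME` and `CI_BOT_TOKEN`, so whoever can push to that branch decides what runs with these secrets. Pin the ref to an immutable commit SHA with the tag in a trailing comment, e.g. `uses: helm/common-workflows/.gitea/workflows/release.yaml@<full-commit-sha>  # <release-tag>`, and bump it deliberately. If the common workflow lives in a repository you control, protecting that branch reduces the risk but does not replace pinning.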
@@ -0,0 +1,153 @@
+# Check if traffic hits the pod
+
+```shell
+kubectl -n wg-easy exec -it wg-easy-wg-easy-0 -- wg show
+```
+
+```shell
+microk8s kubectl -n wg-easy exec -it wg-easy-wg-easy-0 -- iptables -t nat -L -n -v | grep 10.8
+```
+
+sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ens192 -j MASQUERADE
+
+
+#net.ipv4.ip_forward=1
+
+ sudo nano /var/snap/microk8s/current/args/kubelet
+
+ --allowed-unsafe-sysctls=net.ipv4.ip_forward
+
+
+
+```shell
+helm install wg-easy ./ --namespace wg-easy --create-namespace
+```
+
+```shell
+kubectl delete ns wg-easy
+```
+
+```shell
+kubectl -n wg-easy exec -it pod/wg-easy-wg-easy-0 -- ip add
+```
+
+```shell
+ kubectl -n wg-easy exec -it pod/wg-easy-wg-easy-6bcdd9fcb4-7xt94 -- iptables -t nat -L -n -v
+```
+
+```shell
+kubectl -n wg-easy exec -it pod/wg-easy-wg-easy-6bcdd9fcb4-7xt94 -- sysctl net.ipv4.ip_forward
+```
+
+```shell
+ kubectl -n wg-easy exec -it pod/wg-easy-wg-easy-6bcdd9fcb4-7xt94 -- sysctl net.ipv4.conf.all.src_valid_mark
+```
+
+```shell
+kubectl -n wg-easy logs -f wg-easy-0
+```
+
+```shell
+kubectl -n wg-easy get pvc,pod,svc
+```
+
+
+
+# Rout traffic
+
+## Systemd service
+
+lets create a file `/etc/systemd/system/wireguard-masquerade.service`
+
+```shell
+sudo nano /etc/systemd/system/wireguard-masquerade.service
+```
+
+replace `` with your network card like `eth0`
+
+```
+[Unit]
+Description=WireGuard MASQUERADE for 10.8.0.0/24
+After=network.target
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ens192 -j MASQUERADE
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
+```
+
+## Enable
+
+```shell
+sudo systemctl enable wireguard-masquerade
+```
+
+## Start
+
+```shell
+sudo systemctl start wireguard-masquerade
+```
+
+swordsteel@microk8s:~$ sudo systemctl enable wg-masquerade
+Failed to enable unit: File wg-masquerade.service: Bad message
+
+
+
+---
+
+# WireGuard
+
+
+
+```shell
+helm install wg-easy ./helm --namespace wireguard 
--create-namespace
+```
+
+```shell
+helm -n wireguard upgrade wg-easy .\helm\
+```
+
+```shell
+kubectl -n wireguard get pvc,pod,svc
+```
+
+```shell
+kubectl -n wireguard logs -f wg-easy-0
+```
+
+```shell
+kubectl delete ns wireguard
+```
+
+```shell
+kubectl get ns
+```
+
+```shell
+kubectl -n wireguard describe pod wg-easy-wg-easy-0
+```
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/helm/.helmignore b/helm/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/helm/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/helm/Chart.yaml b/helm/Chart.yaml
new file mode 100644
index 0000000..4364ac3
--- /dev/null
+++ b/helm/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: wg-easy
+description: Helm chart for wg-easy with MetalLB and StatefulSet
+type: application
+version: 0.1.0
+appVersion: "15.1.0"
\ No newline at end of file
diff --git a/helm/templates/_helpers.tpl b/helm/templates/_helpers.tpl
new file mode 100644
index 0000000..00bf256
--- /dev/null
+++ b/helm/templates/_helpers.tpl
@@ -0,0 +1,18 @@
+{{- define "wg-easy.name" -}}
+wg-easy
+{{- end }}
+
+{{- define "wg-easy.fullname" -}}
+{{ printf "%s-%s" .Release.Name (include "wg-easy.name" .) | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{- define "wg-easy.labels" -}}
+app.kubernetes.io/name: {{ include "wg-easy.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/version: {{ .Chart.AppVersion }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{- define "wg-easy.selectorLabels" -}}
+app: {{ include "wg-easy.name" . }}
+{{- end }}
\ No newline at end of file
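Review bot: `wg-easy.fullname`, `wg-easy.labels` and `wg-easy.selectorLabels` are defined here but none of the templates in this commit use them: every resource is named with `include "wg-easy.name"`, which is the constant `wg-easy`, and selected on a bare `app:` label, so two releases of this chart in one namespace collide on the Service, PVC and StatefulSet names. Either switch `metadata.name` in the templates to `{{ include "wg-easy.fullname" . }}` and the `labels:`/`matchLabels:` blocks to `{{- include "wg-easy.selectorLabels" . | nindent <N> }}`, or drop the dead helpers so readers are not misled about what the chart does. `{{- define "wg-easy.name" -}}` also hard-codes the name; the conventional body is `{{ default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}` so it can be overridden from values.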
diff --git a/helm/templates/persistentvolumeclaim.yaml b/helm/templates/persistentvolumeclaim.yaml
new file mode 100644
index 0000000..47a9295
--- /dev/null
+++ b/helm/templates/persistentvolumeclaim.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: {{ include "wg-easy.name" . }}
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: {{ .Values.persistence.size }}
+ {{- if and .Values.persistence.storageClass (ne .Values.persistence.storageClass "") }}
+ storageClassName: {{ .Values.persistence.storageClass | quote }}
+ {{- end }}
diff --git a/helm/templates/service.yaml b/helm/templates/service.yaml
new file mode 100644
index 0000000..62caf2b
--- /dev/null
+++ b/helm/templates/service.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "wg-easy.name" . }}
+spec:
+ type: {{ .Values.service.type }}
+ {{- if and .Values.service.loadBalancerIP (ne .Values.service.loadBalancerIP "") }}
+ loadBalancerIP: {{ .Values.service.loadBalancerIP }}
+ {{- end }}
+ ports:
+ - name: http
+ port: {{ .Values.service.httpPort }}
+ targetPort: 51821
+ protocol: TCP
+ - name: wireguard
+ port: {{ .Values.service.wgPort }}
+ targetPort: {{ .Values.service.wgPort }}
+ protocol: UDP
+ selector:
+ app: {{ include "wg-easy.name" . }}
diff --git a/helm/templates/statefulset.yaml b/helm/templates/statefulset.yaml
new file mode 100644
index 0000000..592e8a6
--- /dev/null
+++ b/helm/templates/statefulset.yaml
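Review bot: `persistence.enabled` from values.yaml is never consulted: this PVC renders unconditionally and the StatefulSet mounts it unconditionally, so setting the value to `false` changes nothing. Either wrap the manifest in `{{- if .Values.persistence.enabled }}` … `{{- end }}` and give the StatefulSet an `emptyDir` fallback, or remove the value so it does not promise a switch that is not wired. The guard `and .Values.persistence.storageClass (ne .Values.persistence.storageClass "")` is redundant — an empty string is already falsy to `and` — and `{{- with .Values.persistence.storageClass }}` / `storageClassName: {{ . | quote }}` is the idiomatic form; the same doubled guard appears on `loadBalancerIP` in service.yaml.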
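Review bot: The `http` port publishes the wg-easy web UI on `httpPort: 80` → `targetPort: 51821` as plain TCP on the same LoadBalancer address as the WireGuard UDP port, and nothing in the chart terminates TLS, so the management interface is reachable over cleartext HTTP from everything that can reach that IP (values.yaml additionally defaults `INSECURE: true`, whatever the image makes of it). Consider a separate Service for the UI (ClusterIP behind an Ingress with TLS, or a `service.httpEnabled`-style switch defaulting to off) so only the VPN port is exposed by default. `loadBalancerIP` is deprecated since Kubernetes 1.24; MetalLB reads the `metallb.universe.tf/loadBalancerIPs` annotation instead, so rendering the value under `metadata.annotations` via `{{- with .Values.service.loadBalancerIP }}` is the forward-compatible form. Also `targetPort: 51821` is hard-coded here and in statefulset.yaml; a single value (or a named-port reference `targetPort: http`) keeps the two from drifting.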
@@ -0,0 +1,44 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: {{ include "wg-easy.name" . }}
+ labels:
+ app: {{ include "wg-easy.name" . }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ app: {{ include "wg-easy.name" . }}
+ template:
+ metadata:
+ labels:
+ app: {{ include "wg-easy.name" . }}
+ spec:
+ securityContext:
+ sysctls:
+ - name: net.ipv4.ip_forward
+ value: "1"
+ containers:
+ - name: wg-easy
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ ports:
+ - name: http
+ containerPort: 51821
+ protocol: TCP
+ - name: wireguard
+ containerPort: {{ .Values.service.wgPort }}
+ protocol: UDP
+ env:
+ - name: INSECURE
+ value: {{ .Values.env.INSECURE | quote }}
+ securityContext:
+ capabilities:
+ add: ["NET_ADMIN", "SYS_MODULE"]
+ volumeMounts:
+ - name: wg-easy-data
+ mountPath: /etc/wireguard
+ volumes:
+ - name: wg-easy-data
+ persistentVolumeClaim:
+ claimName: {{ include "wg-easy.name" . }}
diff --git a/helm/values.yaml b/helm/values.yaml
new file mode 100644
index 0000000..845f0a5
--- /dev/null
+++ b/helm/values.yaml
@@ -0,0 +1,22 @@
+replicaCount: 1
+
+image:
+ repository: ghcr.io/wg-easy/wg-easy
+ tag: "15.1"
+ pullPolicy: IfNotPresent
+
+service:
+ type: LoadBalancer
+ httpPort: 80
+ wgPort: 51820
+ loadBalancerIP: "10.0.3.15" # Set to a MetalLB-assigned IP, e.g. 192.168.1.240
+
+persistence:
+ enabled: true
+ size: 1Gi
+# storageClass: ""
+
+env:
+ INSECURE: true
+
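Review bot: `add: ["NET_ADMIN", "SYS_MODULE"]` lets the container load arbitrary kernel modules into the node kernel, which is equivalent to root on the host, and no capabilities are dropped; `SYS_MODULE` is only needed when the node kernel does not already provide the `wireguard` module (in-tree since Linux 5.6), which the `net.ipv4.ip_forward` sysctl allowlisting in the README suggests is an operator-prepared node anyway. Change the block to `drop: ["ALL"]` / `add: ["NET_ADMIN"]` and put `SYS_MODULE` behind an opt-in value such as `.Values.securityContext.loadKernelModule`, with a comment saying what it grants. The pod also has no `resources`, no readiness/liveness probe and no `spec.serviceName`, which I believe the API server still requires for a StatefulSet on most supported versions — verify against the target cluster. `replicas` is exposed as a value while every replica mounts the same `ReadWriteOnce` claim, so a second replica scheduled to another node stays Pending; either pin `replicas: 1` in the template or move the claim into `volumeClaimTemplates`.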
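Review bot: `loadBalancerIP: "10.0.3.15"` bakes a site-specific address into the chart's defaults, so every consumer who forgets to override it requests the same IP from MetalLB; default it to `""` and keep the example in the comment. `tag: "15.1"` is a floating tag that disagrees with `appVersion: "15.1.0"` in Chart.yaml — pin an immutable tag or `@sha256:<digest>` and default the template to `{{ .Values.image.tag | default .Chart.AppVersion }}` so the two cannot drift. `INSECURE: true` means a stock install switches on whatever the upstream image calls insecure mode; default it to `false` and document in a comment why one would enable it. `persistence.enabled: true` is not read by any template in this commit, so either wire it into persistentvolumeclaim.yaml/statefulset.yaml or drop it.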