commit e7aecce9d0217d9cc20ed2b53f770378888bf50f Author: Swordsteel Date: Mon Aug 25 19:20:19 2025 +0200 test diff --git a/.gitea/workflows/release.yaml b/.gitea/workflows/release.yaml new file mode 100644 index 0000000..0dced27 --- /dev/null +++ b/.gitea/workflows/release.yaml @@ -0,0 +1,11 @@ +name: Publish Helm Chart + +on: + workflow_dispatch: + +jobs: + call-helm-ci: + uses: helm/common-workflows/.gitea/workflows/release.yaml@master + secrets: + CI_BOT_USERNAME: ${{ secrets.CI_BOT_USERNAME }} + CI_BOT_TOKEN: ${{ secrets.CI_BOT_TOKEN }} diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..62c8935 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.idea/ \ No newline at end of file diff --git a/README.md b/README.md new file mode 100644 index 0000000..fb1dee9 --- /dev/null +++ b/README.md 
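Review bot: `uses: helm/common-workflows/.gitea/workflows/release.yaml@master` runs a reusable workflow from a moving branch while forwarding `CI_BOT_USERNAME` and `CI_BOT_TOKEN` to it, so any commit that lands on that branch executes with the release credentials. Pin the reference to an immutable tag or full commit SHA, `uses: helm/common-workflows/.gitea/workflows/release.yaml@<pinned-tag-or-sha>`, and bump it deliberately when the shared workflow changes. If `helm/common-workflows` lives on the same Gitea instance under your control (the path suggests an internal org rather than the upstream Helm project), branch protection on that repository is the minimum compensating control until the ref is pinned.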
@@ -0,0 +1,102 @@ +# WireGuard with UI + +## K8s and unsafe option + +Config file on k8s host + +```shell +sudo nano /var/snap/microk8s/current/args/kubelet +``` + +add `ipv4` and `ipv6` to be added to the end of the `kubelet` file. + +> --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding + +## Changing IP + +these are recommended, as we use 8.0.0.0/8 for other things... + +``` +IPv4 172.16.0.0/24 +IPv6 fdb0::/112 +``` + +> info: changing ip's, a restart of the pod is needed... for iptables and nat to change to new ip. + +## Rout traffic + +Here is two ways of making the k8s server handle routing of traffic + +### persistent iptables + +```shell +sudo apt install iptables-persistent +``` + +- replace `` with your network card like `eth0`. +- replace `` with ip like `10.8.0.0/24`. +- replace `` with ip like `fdcc:ad94:bacf:61a4::cafe:0/112`. + +```shell +sudo iptables -t nat -A POSTROUTING -s -o -j MASQUERADE +sudo iptables -t nat -A POSTROUTING -s -o -j MASQUERADE +``` + +```shell +sudo netfilter-persistent save +``` + +### Systemd service + +create this file `/etc/systemd/system/wireguard-masquerade.service` + +```shell +sudo nano /etc/systemd/system/wireguard-masquerade.service +``` + +Changes + +- replace `` with your network card like `eth0`. +- replace `` with ip like `10.8.0.0/24`. +- replace `` with ip like `fdcc:ad94:bacf:61a4::cafe:0/112`. + +``` +[Unit] +Description=WireGuard MASQUERADE for and +After=network.target + +[Service] +Type=oneshot +ExecStart=/sbin/iptables -t nat -A POSTROUTING -s -o -j MASQUERADE +ExecStart=/sbin/ip6tables -t nat -A POSTROUTING -s -o -j MASQUERADE +RemainAfterExit=yes + +[Install] +WantedBy=multi-user.target +``` + +#### Enable + +```shell +sudo systemctl enable wireguard-masquerade +``` + +#### Start + +```shell +sudo systemctl start wireguard-masquerade +``` + +## check system + +check IPv4 packet forwarding status. 
+ +```shell +kubectl -n wireguard exec -it pod/wg-easy-0 -- sysctl net.ipv4.ip_forward +``` + +check IPv6 packet forwarding status. + +```shell +kubectl -n wireguard exec -it pod/wg-easy-0 -- sysctl net.ipv6.conf.all.forwarding +``` diff --git a/helm/.helmignore b/helm/.helmignore new file mode 100644 index 0000000..0e8a0eb --- /dev/null +++ b/helm/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/helm/Chart.yaml b/helm/Chart.yaml new file mode 100644 index 0000000..4364ac3 --- /dev/null +++ b/helm/Chart.yaml @@ -0,0 +1,6 @@ +apiVersion: v2 +name: wg-easy +description: Helm chart for wg-easy with MetalLB and StatefulSet +type: application +version: 0.1.0 +appVersion: "15.1.0" \ No newline at end of file diff --git a/helm/templates/_helpers.tpl b/helm/templates/_helpers.tpl new file mode 100644 index 0000000..00bf256 --- /dev/null +++ b/helm/templates/_helpers.tpl @@ -0,0 +1,18 @@ +{{- define "wg-easy.name" -}} +wg-easy +{{- end }} + +{{- define "wg-easy.fullname" -}} +{{ printf "%s-%s" .Release.Name (include "wg-easy.name" .) | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{- define "wg-easy.labels" -}} +app.kubernetes.io/name: {{ include "wg-easy.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/version: {{ .Chart.AppVersion }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{- define "wg-easy.selectorLabels" -}} +app: {{ include "wg-easy.name" . }} +{{- end }} \ No newline at end of file diff --git a/helm/templates/configmap.yaml b/helm/templates/configmap.yaml new file mode 100644 index 0000000..988d500 --- /dev/null +++ b/helm/templates/configmap.yaml 
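Review bot: `wg-easy.fullname`, `wg-easy.labels` and `wg-easy.selectorLabels` are defined here but none of the templates in this commit (configmap.yaml, persistentvolumeclaim.yaml, service.yaml, statefulset.yaml) uses them; every resource is named with `include "wg-easy.name"`, which always renders the constant `wg-easy`, so two releases in one namespace would collide on the ConfigMap, PVC, Service and StatefulSet names. Switch the `metadata.name` lines to `name: {{ include "wg-easy.fullname" . }}` and emit `labels: {{- include "wg-easy.labels" . | nindent 4 }}` on each resource, with the Service selector and StatefulSet `matchLabels` built from `wg-easy.selectorLabels` so they stay matched. Before wiring that up, note that `wg-easy.selectorLabels` emits only `app:` while `wg-easy.labels` does not emit `app` at all, so a selector from the former would not match pod labels from the latter; add `app.kubernetes.io/name` and `app.kubernetes.io/instance` to the selector helper (or the `app` key to the labels helper) so the selector is a subset of the labels.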
@@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "wg-easy.name" . }} +data: + INSECURE: {{ .Values.env.INSECURE | default true | quote }} + diff --git a/helm/templates/persistentvolumeclaim.yaml b/helm/templates/persistentvolumeclaim.yaml new file mode 100644 index 0000000..47a9295 --- /dev/null +++ b/helm/templates/persistentvolumeclaim.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ include "wg-easy.name" . }} +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ .Values.persistence.size }} + {{- if and .Values.persistence.storageClass (ne .Values.persistence.storageClass "") }} + storageClassName: {{ .Values.persistence.storageClass | quote }} + {{- end }} diff --git a/helm/templates/service.yaml b/helm/templates/service.yaml new file mode 100644 index 0000000..c39928e --- /dev/null +++ b/helm/templates/service.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "wg-easy.name" . }} +spec: + type: {{ .Values.service.type }} + {{- if and .Values.service.loadBalancerIP (ne .Values.service.loadBalancerIP "") }} + loadBalancerIP: {{ .Values.service.loadBalancerIP }} + {{- end }} + ports: + - name: http + port: {{ .Values.service.uiPort }} + targetPort: 51821 + protocol: TCP + - name: wireguard + port: {{ .Values.service.wgPort }} + targetPort: {{ .Values.service.wgPort }} + protocol: UDP + selector: + app: {{ include "wg-easy.name" . }} diff --git a/helm/templates/statefulset.yaml b/helm/templates/statefulset.yaml new file mode 100644 index 0000000..e143fcf --- /dev/null +++ b/helm/templates/statefulset.yaml 
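Review bot: `INSECURE: {{ .Values.env.INSECURE | default true | quote }}` cannot be switched off from values: the Go template `default` function treats `false` as empty, so `env.INSECURE: false` still renders `"true"`, and with `env: {}` in values.yaml the chart ships with INSECURE on (presumably relaxing the UI's TLS requirement — confirm against the wg-easy documentation). Test for presence instead, `INSECURE: {{ if hasKey .Values.env "INSECURE" }}{{ .Values.env.INSECURE | quote }}{{ else }}"true"{{ end }}`, or better declare `INSECURE: false` under `env` in values.yaml and render it with a plain `| quote` so the default is a visible, documented choice rather than a template fallback. Any other key placed under `env` is silently ignored by this template; if `env` is meant to be a free-form map, render it with `{{- range $k, $v := .Values.env }}` rather than naming a single key.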
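Review bot: The guard `{{- if and .Values.persistence.storageClass (ne .Values.persistence.storageClass "") }}` in persistentvolumeclaim.yaml is redundant and fragile: an empty string is already falsy in `if`, and with the bare `storageClass:` in values.yaml the value is nil, so the `ne` comparison against `""` only stays safe if `and` short-circuits (older Go/Helm builds evaluated both arguments, which I have not verified for this chart's target Helm version). `{{- if .Values.persistence.storageClass }}` expresses the same intent with no comparison at all. The guard also makes an explicit `storageClassName: ""` (Kubernetes' "no default class" setting) unreachable; if that distinction matters for this chart, test with `hasKey .Values.persistence "storageClass"` so an empty string can still be rendered.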
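Review bot: `loadBalancerIP:` under `spec` in service.yaml has been deprecated since Kubernetes 1.24, and MetalLB (named in Chart.yaml's description) documents the `metallb.universe.tf/loadBalancerIPs` annotation as the supported way to request an address; render `.Values.service.loadBalancerIP` into `metadata.annotations` under that key rather than into the deprecated field, keeping the values key name unchanged. Separately, the `http` UI port and the `wireguard` UDP port share one Service, so with `service.type: LoadBalancer` the admin UI is reachable on the same external address as the VPN endpoint, and configmap.yaml defaults `INSECURE` to true; a dedicated ClusterIP Service (or an Ingress) for `http` would make external exposure of the UI an explicit choice.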
@@ -0,0 +1,50 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ include "wg-easy.name" . }} + labels: + app: {{ include "wg-easy.name" . }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + app: {{ include "wg-easy.name" . }} + template: + metadata: + labels: + app: {{ include "wg-easy.name" . }} + spec: + securityContext: + sysctls: + {{- if .Values.sysctls.ipv4Forward }} + - name: net.ipv4.ip_forward + value: "1" + {{- end }} + {{- if .Values.sysctls.ipv6Forward }} + - name: net.ipv6.conf.all.forwarding + value: "1" + {{- end }} + containers: + - name: {{ include "wg-easy.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: http + containerPort: 51821 + protocol: TCP + - name: wireguard + containerPort: {{ .Values.service.wgPort }} + protocol: UDP + envFrom: + - configMapRef: + name: {{ include "wg-easy.name" . }} + securityContext: + capabilities: + add: ["NET_ADMIN", "SYS_MODULE"] + volumeMounts: + - name: wg-easy-data + mountPath: /etc/wireguard + volumes: + - name: wg-easy-data + persistentVolumeClaim: + claimName: {{ include "wg-easy.name" . }} diff --git a/helm/values.yaml b/helm/values.yaml new file mode 100644 index 0000000..673b8d9 --- /dev/null +++ b/helm/values.yaml @@ -0,0 +1,21 @@ +replicaCount: 1 + +image: + repository: ghcr.io/wg-easy/wg-easy + tag: "15.1.0" + pullPolicy: IfNotPresent + +persistence: + size: 1Gi + storageClass: + +service: + type: ClusterIP + uiPort: 80 + wgPort: 51820 + +sysctls: + ipv4Forward: true + ipv6Forward: false + +env: {}
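Review bot: `add: ["NET_ADMIN", "SYS_MODULE"]` in statefulset.yaml grants the container the ability to load kernel modules on the node unconditionally, which is node-level rather than pod-level privilege; WireGuard has been in the mainline kernel since 5.6, so on current nodes only `NET_ADMIN` is required. Put `drop: ["ALL"]` ahead of the `add:` list and gate the module capability behind a values flag, e.g. `add: ["NET_ADMIN"{{ if .Values.capabilities.sysModule }}, "SYS_MODULE"{{ end }}]` with a new `capabilities.sysModule: false` entry in values.yaml. Separately, `replicas: {{ .Values.replicaCount }}` is combined with a single fixed `persistentVolumeClaim` under `volumes`, so any value above 1 has every replica contend for the same ReadWriteOnce claim from persistentvolumeclaim.yaml; a `volumeClaimTemplates` stanza is the StatefulSet-native form, or pin `replicas: 1` and drop the value. There is also no `resources` block, so the pod runs with no CPU or memory limits.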
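Review bot: `storageClass:` in values.yaml has no value and loads as null rather than the empty string that persistentvolumeclaim.yaml's `ne ... ""` test appears to expect; write `storageClass: ""` so the type is explicit. `env: {}` gives no hint that configmap.yaml renders `INSECURE` as `"true"` whenever the key is absent; list `INSECURE: false` (or whatever default is intended) here with a comment so the setting is discoverable from values alone. `tag: "15.1.0"` duplicates `appVersion` in Chart.yaml; leaving `tag: ""` and rendering `{{ .Values.image.tag | default .Chart.AppVersion }}` in statefulset.yaml keeps the two from drifting.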