# WireGuard with UI

## Basic stuff

### Install

```shell
helm install wg-easy ./helm --namespace wireguard --create-namespace
```

### Update

```shell
helm -n wireguard upgrade wg-easy ./helm/
```

### Check

```shell
kubectl -n wireguard get cm,pvc,pod,svc
```

### Tail Log

```shell
kubectl -n wireguard logs -f wg-easy-0
```

### Delete

```shell
kubectl delete ns wireguard
```

## K8s and unsafe option

Config file on the k8s host:

```shell
sudo nano /var/snap/microk8s/current/args/kubelet
```

Add `ipv4` and `ipv6` to the end of the `kubelet` file:

> --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding

## Changing IP

These are recommended, as we use 8.0.0.0/8 for other things...

```
IPv4 172.16.0.0/24
IPv6 fdb0::/112
```

> Info: after changing the IPs, a restart of the pod is needed for iptables and NAT to change to the new IPs.

## Problems with traffic

These are here to help if there is a problem.

### Route traffic

Here are two ways of making the k8s server handle routing of traffic.

#### persistent iptables

```shell
sudo apt install iptables-persistent
```

- replace `` with your network card like `eth0`.
- replace `` with ip like `10.8.0.0/24`.
- replace `` with ip like `fdcc:ad94:bacf:61a4::cafe:0/112`.

```shell
sudo iptables -t nat -A POSTROUTING -s -o -j MASQUERADE
sudo ip6tables -t nat -A POSTROUTING -s -o -j MASQUERADE
```

```shell
sudo netfilter-persistent save
```

#### Systemd service

Create this file: `/etc/systemd/system/wireguard-masquerade.service`

```shell
sudo nano /etc/systemd/system/wireguard-masquerade.service
```

Changes

- replace `` with your network card like `eth0`.
- replace `` with ip like `10.8.0.0/24`.
- replace `` with ip like `fdcc:ad94:bacf:61a4::cafe:0/112`.
```
[Unit]
Description=WireGuard MASQUERADE for and
After=network.target

[Service]
Type=oneshot
ExecStart=/sbin/iptables -t nat -A POSTROUTING -s -o -j MASQUERADE
ExecStart=/sbin/ip6tables -t nat -A POSTROUTING -s -o -j MASQUERADE
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
```

##### Enable

```shell
sudo systemctl enable wireguard-masquerade
```

##### Start

```shell
sudo systemctl start wireguard-masquerade
```

### Check things

```shell
kubectl -n wireguard exec -it pod/wg-easy-0 -- sysctl net.ipv4.ip_forward
```

```shell
kubectl -n wireguard exec -it pod/wg-easy-0 -- sysctl net.ipv6.conf.all.forwarding
```

```shell
kubectl -n wireguard exec -it wg-easy-0 -- wg show
```

```shell
microk8s kubectl -n wireguard exec -it wg-easy-0 -- iptables -t nat -L -n -v | grep 10.8
```

```shell
kubectl -n wireguard exec -it pod/wg-easy-0 -- ip add
```
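
### Check the kubelet allowlist

For the `--allowed-unsafe-sysctls` setting in the "K8s and unsafe option" section, the script below checks that the kubelet args file allowlists exactly the two forwarding sysctls and nothing broader. It is an added example, not part of the original chart; the function names are hypothetical and it assumes the flag is written in `--flag=value` form.

```shell
#!/bin/sh
# Added example, not part of the original chart: audit the kubelet args file
# for the --allowed-unsafe-sysctls flag. Function names are hypothetical.
REQUIRED="net.ipv4.ip_forward net.ipv6.conf.all.forwarding"

# Print the value of the last uncommented --allowed-unsafe-sysctls=... in FILE.
# Assumption: the flag is written in --flag=value form.
unsafe_sysctls_value() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null | tr -s ' \t' '\n\n' \
        | sed -n 's/^--allowed-unsafe-sysctls=//p' | tr -d "\"'" | tail -n 1
}

# Print one finding per line. Return 0 only when both required sysctls are
# listed by exact name and no other entry (including patterns such as net.*)
# is allowlisted.
audit_unsafe_sysctls() {
    value=$(unsafe_sysctls_value "$1")
    if [ -z "$value" ]; then
        echo "MISSING flag --allowed-unsafe-sysctls"
        return 1
    fi
    rc=0
    for want in $REQUIRED; do
        case ",$value," in
            *",$want,"*) ;;
            *) echo "MISSING $want"; rc=1 ;;
        esac
    done
    old_ifs=$IFS
    IFS=,
    set -f                      # keep entries like net.* from globbing
    for got in $value; do
        [ -n "$got" ] || continue
        case " $REQUIRED " in
            *" $got "*) ;;
            *) echo "EXTRA $got"; rc=1 ;;
        esac
    done
    set +f
    IFS=$old_ifs
    return "$rc"
}

# Run as: sh <this script> /var/snap/microk8s/current/args/kubelet
[ "$#" -eq 0 ] || audit_unsafe_sysctls "$1"
```

A non-zero exit with `EXTRA` lines means the node lets pods request more unsafe sysctls than this chart needs.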