# WireGuard with UI

## K8s and unsafe option

Config file on the k8s host:

```shell
sudo nano /var/snap/microk8s/current/args/kubelet
```

Add the `ipv4` and `ipv6` forwarding sysctls to the end of the `kubelet` file:

> --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding

## Changing IP

These ranges are recommended, as we use 8.0.0.0/8 for other things:

```
IPv4 172.16.0.0/24
IPv6 fdb0::/112
```

> info: after changing the IPs, the pod must be restarted so that iptables and NAT pick up the new addresses.

## Route traffic

Here are two ways of making the k8s server handle routing of traffic.

### Persistent iptables

```shell
sudo apt install iptables-persistent
```

- replace `<interface>` with your network card like `eth0`.
- replace `<ipv4-subnet>` with ip like `10.8.0.0/24`.
- replace `<ipv6-subnet>` with ip like `fdcc:ad94:bacf:61a4::cafe:0/112`.

```shell
# IPv4 NAT rule
sudo iptables -t nat -A POSTROUTING -s <ipv4-subnet> -o <interface> -j MASQUERADE
# IPv6 NAT rule (IPv6 rules are managed with ip6tables)
sudo ip6tables -t nat -A POSTROUTING -s <ipv6-subnet> -o <interface> -j MASQUERADE
```

```shell
sudo netfilter-persistent save
```

### Systemd service

Create the file `/etc/systemd/system/wireguard-masquerade.service`:

```shell
sudo nano /etc/systemd/system/wireguard-masquerade.service
```

Changes

- replace `<interface>` with your network card like `eth0`.
- replace `<ipv4-subnet>` with ip like `10.8.0.0/24`.
- replace `<ipv6-subnet>` with ip like `fdcc:ad94:bacf:61a4::cafe:0/112`.

```
[Unit]
Description=WireGuard MASQUERADE for <ipv4-subnet> and <ipv6-subnet>
After=network.target

[Service]
Type=oneshot
ExecStart=/sbin/iptables -t nat -A POSTROUTING -s <ipv4-subnet> -o <interface> -j MASQUERADE
ExecStart=/sbin/ip6tables -t nat -A POSTROUTING -s <ipv6-subnet> -o <interface> -j MASQUERADE
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
```

#### Enable

```shell
sudo systemctl enable wireguard-masquerade
```

#### Start

```shell
sudo systemctl start wireguard-masquerade
```

## Check system

Check the IPv4 packet forwarding status:

```shell
kubectl -n wireguard exec -it pod/wg-easy-0 -- sysctl net.ipv4.ip_forward
```

Check the IPv6 packet forwarding status:

```shell
kubectl -n wireguard exec -it pod/wg-easy-0 -- sysctl net.ipv6.conf.all.forwarding
```
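The following host-side audit is an added example, not part of the original README: it reads the kubelet args file from the "K8s and unsafe option" section and confirms that the allowlist holds exactly the two forwarding sysctls, flagging anything broader. The function names and the one-flag-per-line file layout are assumptions.

```shell
#!/bin/sh
# Added example: audit the allowlist in a MicroK8s kubelet args file.
# Assumes one flag per line, as in /var/snap/microk8s/current/args/kubelet.

# The only sysctls this setup needs (taken from the page).
REQUIRED="net.ipv4.ip_forward net.ipv6.conf.all.forwarding"

# Print the value of the last --allowed-unsafe-sysctls flag in file $1.
# Accepts "--flag=value" and "--flag value"; strips quotes and whitespace.
allowed_sysctls() {
    sed -n 's/^[[:space:]]*--allowed-unsafe-sysctls[=[:space:]]\{1,\}\(.*\)$/\1/p' "$1" |
        tail -n 1 | tr -d "\"'[:space:]"
}

# Report required sysctls that are missing and entries that go beyond them.
# Returns 0 when the allowlist is exactly the required set, 1 otherwise.
audit_kubelet_sysctls() {
    [ -r "$1" ] || { echo "cannot read $1"; return 2; }
    allowed=$(allowed_sysctls "$1")
    status=0
    for want in $REQUIRED; do
        case ",$allowed," in
            *",$want,"*) ;;
            *) echo "MISSING: $want"; status=1 ;;
        esac
    done
    # Split on commas with globbing off so an entry such as "net.*"
    # is compared literally instead of being expanded by the shell.
    old_ifs=$IFS; IFS=,; set -f
    for entry in $allowed; do
        [ -n "$entry" ] || continue
        case " $REQUIRED " in
            *" $entry "*) ;;
            *) echo "EXTRA: $entry"; status=1 ;;
        esac
    done
    IFS=$old_ifs; set +f
    [ "$status" -eq 0 ] && echo "OK: $allowed"
    return "$status"
}

# Run against a file when one is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_kubelet_sysctls "$1"
fi
```

An `EXTRA` line means pods on this node may request sysctls beyond the two WireGuard needs, so the allowlist is wider than this setup requires.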