WireGuard with UI
K8s and unsafe option
Config file on k8s host
sudo nano /var/snap/microk8s/current/args/kubelet
Append the following flag to the end of the kubelet file. It allows pods on this node to set the IPv4 and IPv6 forwarding sysctls.
--allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding
Changing IP
These are recommended, as we use 8.0.0.0/8 for other things:
IPv4 172.16.0.0/24
IPv6 fdb0::/112
Info: after changing the IPs, the pod must be restarted so that iptables and NAT pick up the new addresses.
Route traffic
Here are two ways of making the k8s server handle routing of traffic.
Persistent iptables
sudo apt install iptables-persistent
- replace <interface> with your network card, like eth0.
- replace <host-ipv4> with an IP like 10.8.0.0/24.
- replace <host-ipv6> with an IP like fdcc:ad94:bacf:61a4::cafe:0/112.
sudo iptables -t nat -A POSTROUTING -s <host-ipv4> -o <interface> -j MASQUERADE
sudo ip6tables -t nat -A POSTROUTING -s <host-ipv6> -o <interface> -j MASQUERADE
sudo netfilter-persistent save
Systemd service
Create the file /etc/systemd/system/wireguard-masquerade.service:
sudo nano /etc/systemd/system/wireguard-masquerade.service
Changes
- replace <interface> with your network card, like eth0.
- replace <host-ipv4> with an IP like 10.8.0.0/24.
- replace <host-ipv6> with an IP like fdcc:ad94:bacf:61a4::cafe:0/112.
[Unit]
Description=WireGuard MASQUERADE for <host-ipv4> and <host-ipv6>
After=network.target
[Service]
Type=oneshot
ExecStart=/sbin/iptables -t nat -A POSTROUTING -s <host-ipv4> -o <interface> -j MASQUERADE
ExecStart=/sbin/ip6tables -t nat -A POSTROUTING -s <host-ipv6> -o <interface> -j MASQUERADE
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
Enable
sudo systemctl enable wireguard-masquerade
Start
sudo systemctl start wireguard-masquerade
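Added example (not part of this repository's own files): a POSIX shell helper covering both routing options above. It picks iptables or ip6tables from the source network and appends the MASQUERADE rule only when `-C` reports it missing, so re-running it does not stack duplicate rules. The function names and `eth0` are assumptions; with `DRY_RUN=1` (the default) it only prints the rule.

```shell
#!/bin/sh
# Added example: idempotent MASQUERADE rules for the WireGuard client subnets.
# DRY_RUN=1 (default) prints the rule that would be appended; DRY_RUN=0 applies it (needs root).
DRY_RUN="${DRY_RUN:-1}"

# Choose the tool by address family; reject anything else, such as an
# unreplaced <host-ipv4> placeholder.
ipt_for() {
    case "$1" in
        *:*)     echo ip6tables ;;
        *.*.*.*) echo iptables ;;
        *)       return 1 ;;
    esac
}

# ensure_masq <source-cidr> <interface>
ensure_masq() {
    cidr="$1"; iface="$2"
    ipt="$(ipt_for "$cidr")" || { echo "bad source network: $cidr" >&2; return 2; }
    if [ "$DRY_RUN" = "1" ]; then
        echo "$ipt -t nat -A POSTROUTING -s $cidr -o $iface -j MASQUERADE"
        return 0
    fi
    # -C exits non-zero when no identical rule exists; only then append with -A.
    "$ipt" -t nat -C POSTROUTING -s "$cidr" -o "$iface" -j MASQUERADE 2>/dev/null ||
        "$ipt" -t nat -A POSTROUTING -s "$cidr" -o "$iface" -j MASQUERADE
}

# Constructed sample run: the subnets recommended above; eth0 is an assumed interface.
ensure_masq 172.16.0.0/24 eth0
ensure_masq fdb0::/112 eth0
```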
Check system
Check the IPv4 packet forwarding status.
kubectl -n wireguard exec -it pod/wg-easy-0 -- sysctl net.ipv4.ip_forward
Check the IPv6 packet forwarding status.
kubectl -n wireguard exec -it pod/wg-easy-0 -- sysctl net.ipv6.conf.all.forwarding