
Question: Could pods in different namespaces than wireguard reach the peer?

Open a-d-r-i-a-n-d opened this issue 1 year ago • 2 comments

Hi @bryopsida ,

Thanks for sharing this chart with the community. I have one peer connected to the wireguard server, it's a remote device that streams serial to tcp on a custom port (6638). The peer seems to be able to reach the kubernetes network along with the node network (because I am running the service as type NodePort) and the internet, so everything looks good here. My wireguard ns:

➜ kubectl get all -n wireguard                                        
NAME                                       READY   STATUS    RESTARTS   AGE
pod/wireguard-wireguard-6bdc54bddc-mp7q4   1/1     Running   0          28m

NAME                          TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)           AGE
service/wireguard-wireguard   NodePort   10.152.183.30   <none>        51820:31820/UDP   22h

NAME                                  READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/wireguard-wireguard   1/1     1            1           23h

NAME                                             DESIRED   CURRENT   READY   AGE
replicaset.apps/wireguard-wireguard-6bdc54bddc   1         1         1       28m

I also have another namespace where I have Home Assistant (automation hub) installed, and it looks like this:

➜  wireguard kubectl get all -n home-assistant 
NAME                   READY   STATUS    RESTARTS   AGE
pod/home-assistant-0   1/1     Running   0          33m

NAME                                TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)     AGE
service/home-assistant-codeserver   ClusterIP   10.152.183.62    <none>        12321/TCP   11h
service/home-assistant              ClusterIP   10.152.183.200   <none>        8080/TCP    11h

NAME                              READY   AGE
statefulset.apps/home-assistant   1/1     11h

My goal is to get the home-assistant-0 pod to be able to reach the wireguard peer (remote device) at tcp://10.34.0.101:6638. Any help is much appreciated.

By the way, this is what I am overriding in your default values.yaml file:

service:
  # -- Whether the service will be created or not
  enabled: true
  # -- Service type, to keep internal to cluster use ClusterIP or NodePort
  type: NodePort
  # -- Service port, default is 51820 UDP
  port: 51820
  # -- Node port, only valid with service type: NodePort
  nodePort: 31820
replicaCount: 1
autoscaling:
  enabled: false
wireguard:
  # -- Address of the VPN server
  serverAddress: 10.34.0.1/24
  # -- Subnet for your VPN, take care not to clash with cluster POD cidr
  serverCidr: 10.34.0.0/24
  # -- Add the serverCidr to the nat source net option
  natAddSourceNet: true
  # -- A collection of clients that will be added to wg0.conf, accepts objects with keys PublicKey and AllowedIPs (mandatory) and optional FriendlyName or FriendlyJson (https://github.com/MindFlavor/prometheus_wireguard_exporter#friendly-tags), stored in secret
  clients:
    - FriendlyName: esphome_hub
      ## FriendlyJson will override FriendlyName
      # FriendlyJson:
      #   username: "username1"
      AllowedIPs: 10.34.0.101/32
      PublicKey: DnkSCcDtL13t/RP9wposObSpwx6DDvjSuwpHTbJTkBE=

a-d-r-i-a-n-d, Jan 17 '24 21:01
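The values comment warns that serverCidr must not clash with the cluster pod CIDR, and each client needs PublicKey and AllowedIPs. The following is an added example (not part of the issue or the chart) that checks those constraints on the override above and renders the clients as wg0.conf [Peer] stanzas; the pod CIDR value and the `# friendly_name` comment format are assumptions, and the chart's own template may render peers differently.

```python
import ipaddress
from typing import Dict, List

# Constructed from the values.yaml override in the post above. The pod CIDR
# is an assumption (the thread never states it), used only to exercise the
# "take care not to clash with cluster POD cidr" check from the values comment.
VALUES = {
    "serverAddress": "10.34.0.1/24",
    "serverCidr": "10.34.0.0/24",
    "clients": [
        {"FriendlyName": "esphome_hub",
         "AllowedIPs": "10.34.0.101/32",
         "PublicKey": "DnkSCcDtL13t/RP9wposObSpwx6DDvjSuwpHTbJTkBE="},
    ],
}
ASSUMED_POD_CIDR = "10.1.0.0/16"

def validate(values: Dict, pod_cidr: str) -> List[str]:
    """Return a list of problems; an empty list means the address plan is consistent."""
    problems = []
    vpn = ipaddress.ip_network(values["serverCidr"], strict=True)
    pods = ipaddress.ip_network(pod_cidr, strict=True)
    if vpn.overlaps(pods):
        problems.append(f"serverCidr {vpn} overlaps pod CIDR {pods}")
    server_ip = ipaddress.ip_interface(values["serverAddress"]).ip
    if server_ip not in vpn:
        problems.append(f"serverAddress {server_ip} is outside serverCidr {vpn}")
    seen = set()
    for client in values["clients"]:
        name = client.get("FriendlyName", "<unnamed>")
        for key in ("PublicKey", "AllowedIPs"):
            if key not in client:
                problems.append(f"{name}: mandatory key {key} missing")
        # AllowedIPs may be a comma-separated list; every entry must sit inside the VPN subnet
        for cidr in filter(str.strip, client.get("AllowedIPs", "").split(",")):
            net = ipaddress.ip_network(cidr.strip(), strict=False)
            if not net.subnet_of(vpn):
                problems.append(f"{name}: AllowedIPs {net} not inside serverCidr {vpn}")
            if net in seen:
                problems.append(f"{name}: AllowedIPs {net} already claimed by another peer")
            seen.add(net)
    return problems

def render_peers(values: Dict) -> str:
    """Render [Peer] stanzas in wg0.conf syntax (the chart's own template may differ)."""
    lines = []
    for client in values["clients"]:
        lines += ["[Peer]", f"# friendly_name = {client.get('FriendlyName', '')}",
                  f"PublicKey = {client['PublicKey']}", f"AllowedIPs = {client['AllowedIPs']}", ""]
    return "\n".join(lines)
```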

I haven't used this chart for cluster-initiated traffic to a WG peer/client before. I think it's technically possible, but it would require making the cluster pods aware that they need to route via the wireguard server to reach the WG peer IP/subnet, and WG would need to be configured with the appropriate iptables rules to forward the cluster subnet traffic to the peer.

Something that looks pretty close to doing what's needed for populating the route to the pods is: https://github.com/digitalocean/k8s-staticroute-operator

I wonder if there's perhaps a simpler option where you could have the WG peer connect to a socket server on the home assistant pod and pass in the serial stream that way since it sounds like that direction is already working.

I believe if something like this was run on the WG remote peer:

socat pty,link=/dev/ttyS0 tcp:<replace with home assistant service name>:<replace with listening socket server port>

It would forward the serial port to a remote server. That can be turned back into a serial port on the remote with something like: socat TCP-LISTEN:<matching port> PTY,link=/dev/ttyS0

Full disclosure, I'm not a socat expert, so those commands probably would need a few tweaks to get it working.

I think you can also use netcat to create a socket server that forwards to a virtual serial port: doing something like nc -l <port number> > /dev/ttyS0 < /dev/ttyS0

bryopsida, Jan 18 '24 01:01

Thank you so much for your answer. I tried k8s-staticroute-operator, but for some reason the static route is added on the node for a few seconds and then just disappears. The same behaviour occurs if I manually add a route with sudo ip route add 10.34.0.0/24 via <wireguard_pod_IP>. The disadvantage of a static route is that pods change IP addresses often, so it's not really a good option after all.

In regards to socat, esphome has an OS called FreeRTOS and there is no such thing available.

I guess I am left with the option to create my own Home Assistant docker image and add the wireguard client. Then I would have Home Assistant as a wireguard peer so hopefully everything should work then. Fingers crossed. Once again many thanks for your input!

a-d-r-i-a-n-d, Jan 18 '24 23:01