
Help needed: Running WireGuard pod on hostNetwork without breaking cluster DNS or API access

Open Feelfeel20088 opened this issue 6 months ago • 2 comments

Hi everyone,

I'm working on deploying a WireGuard pod on my Kubernetes cluster using hostNetwork: true to allow VPN clients to access the host network directly. However, in my previous attempt, enabling host networking for the WireGuard pod caused major cluster instability. Specifically, the cluster DNS stopped working and I lost access to the Kubernetes API server on all nodes.

I had to fully reset each node and reinstall the cluster because I couldn't troubleshoot the root cause. I suspect this has something to do with port conflicts, network routing, or how WireGuard interfaces interact with kube-proxy and CoreDNS.

I'm seeking assistance with configuring the values.yaml to ensure my cluster remains stable and doesn’t break again.

Any guidance on the correct settings to prevent network or DNS issues when deploying would be greatly appreciated.

Feelfeel20088 avatar Jun 26 '25 21:06 Feelfeel20088

What CIDR are your hosts/nodes using, what's the cluster-configured pod CIDR, and what CIDR did you use for WireGuard? You'll want to avoid any CIDR collisions across these.

Did you use the default post up and post down hooks, which look like this?

```
PostUp = wg set wg0 private-key /etc/wireguard/privatekey && iptables -t nat -A POSTROUTING {{ $natSourceNetOption }} -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s {{ $natSourceNetOption }} -o eth0 -j MASQUERADE
```

And do you have an eth0 interface in the host network space?

bryopsida avatar Jun 28 '25 22:06 bryopsida
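The two things the reply asks about, CIDR collisions between the node, pod, service and WireGuard ranges, and whether the `eth0` named in the NAT hooks actually exists on the host, can both be checked before the pod is deployed. The script below is an added example, not code from the thread or from the wireguard-chart project; the CIDR values, the `ip -o link show` output and the helper names (`find_cidr_collisions`, `check_egress_interface`) are constructed for illustration and should be replaced with the cluster's own values (for example from `kubectl cluster-info dump | grep -m1 cluster-cidr` and from running `ip -o link show` on a node).

```python
"""Pre-flight checks before running a WireGuard pod with hostNetwork: true.

Added example (not part of the wireguard-chart project). It checks:
  1. that the host/node, pod, service and WireGuard CIDRs do not overlap,
     since an overlapping WireGuard range can shadow pod/service routes
     and take down cluster DNS and API reachability;
  2. that the egress interface hard-coded in the PostUp/PostDown hooks
     (eth0 by default) is present in the host network namespace.
"""
import ipaddress
import itertools
import re


def find_cidr_collisions(cidrs):
    """Return every pair of names whose networks overlap.

    `cidrs` maps a label (e.g. "pod") to a CIDR string. Networks of
    different IP versions are never compared.
    """
    nets = {name: ipaddress.ip_network(cidr, strict=False)
            for name, cidr in cidrs.items()}
    collisions = []
    for (a, net_a), (b, net_b) in itertools.combinations(nets.items(), 2):
        if net_a.version == net_b.version and net_a.overlaps(net_b):
            collisions.append((a, b))
    return collisions


def interfaces_from_ip_link(output):
    """Parse `ip -o link show` output into a set of interface names.

    Each line looks like "2: ens192: <BROADCAST,...> mtu 1500 ...";
    veth peers appear as "5: veth1a2b@if3: ..." and the "@if3" suffix
    is stripped so only the real interface name is kept.
    """
    names = set()
    for line in output.splitlines():
        match = re.match(r"^\d+:\s+([^:@\s]+)", line)
        if match:
            names.add(match.group(1))
    return names


def check_egress_interface(output, wanted="eth0"):
    """Return (present, sorted interface names) for the hook's -o interface."""
    names = interfaces_from_ip_link(output)
    return wanted in names, sorted(names)


# Constructed sample values: a WireGuard range carved out of the pod CIDR,
# which is the kind of collision the reply warns about.
SAMPLE_CIDRS = {
    "node": "192.168.1.0/24",
    "pod": "10.244.0.0/16",
    "service": "10.96.0.0/12",
    "wireguard": "10.244.5.0/24",
}

# Constructed `ip -o link show` output from a host that has no eth0 at all;
# the physical NIC is ens192, so the default hooks would reference a
# non-existent interface.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000\\    link/ether 00:50:56:aa:bb:cc brd ff:ff:ff:ff:ff:ff
3: cni0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP mode DEFAULT group default qlen 1000\\    link/ether 2a:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
4: veth1a2b3c@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue master cni0 state UP mode DEFAULT group default\\    link/ether 9e:aa:bb:cc:dd:ee brd ff:ff:ff:ff:ff:ff link-netnsid 0
"""


if __name__ == "__main__":
    for a, b in find_cidr_collisions(SAMPLE_CIDRS):
        print(f"CIDR collision: {a} ({SAMPLE_CIDRS[a]}) overlaps "
              f"{b} ({SAMPLE_CIDRS[b]})")
    present, names = check_egress_interface(SAMPLE_IP_LINK)
    if not present:
        print(f"eth0 not found on host; available interfaces: {names}")
        print("set the hook's -o interface to the real egress NIC")
```

If the script reports a collision, pick a WireGuard range outside all three cluster ranges (a non-overlapping RFC 1918 block) before deploying; if `eth0` is missing, change the `-o eth0` in the hooks to the interface the script lists as the host's real egress NIC.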