
Running `gefyra up --endpoint` on nodes without public ip address

Open tschale opened this issue 2 years ago • 7 comments

What is the new feature about?

I have a cluster whose nodes don't have a public IP address. Therefore I can't use Gefyra. It would be nice to have a solution for that, as it is not an uncommon setup and might for example even be a security requirement for some companies.

We also got the following feedback, which reports the same issue:

Relying on NodePort is not yet viable for us as our nodes do not have public ip addresses. We would have to use LoadBalancer to make this work. In the future, developers might have VPN to gain access to NodePorts, but not yet. Could "port-forward" be used instead, or is that not performant enough?

Port-forward can only do TCP, so that's out of the question. What about using a load balancer for Gefyra to connect to?

Why would such a feature be important to you?

It supports the case of clusters whose nodes don't have public IPs.

Anything else we need to know?

No response

tschale avatar Nov 24 '22 16:11 tschale

Hey @tschale, are there any plans to work on this? I'm facing this exact issue and am looking for a workaround other than having a public IP address on one of the nodes.

cc: @Schille @SteinRobert

nvinayvarma189 avatar Dec 20 '22 13:12 nvinayvarma189

Hey @nvinayvarma189 - thank you very much for your interest and feedback! You can find our plans about further development here.

We're currently on a feature freeze and are actively working on the Docker Desktop Extension as well as the VSCode extension. As soon as these things are out we will consider working on new features - like this one. In the meantime we will be fixing bugs - probably also improve the test setup for Gefyra. I'll add a timeline concerning the extensions and further development plans later this week, to the issue mentioned above.

Anyways - your voice is important for us - if you have any further suggestions - please comment, upvote, open new issues - it all helps us to prioritize the feature development for you - our community.

SteinRobert avatar Dec 20 '22 14:12 SteinRobert

I have created a new issue to discuss our final solution to these types of challenges: #353. If you @nvinayvarma189 or @tschale do have some thoughts about this, I would be very happy to hear them. =)

Schille avatar Feb 22 '23 09:02 Schille

@Schille Do you mean to link issue #353?

tschale avatar Feb 22 '23 10:02 tschale

Yes, thank you.

Schille avatar Feb 22 '23 10:02 Schille

Could it be an option to put a sidecar container beside the Wireguard container in the pod to provide udp2raw following this link: https://www.procustodibus.com/blog/2022/02/wireguard-over-tcp/

Then in theory we could port-forward the wireguard pod (with a udp2raw sidecar).

Then we also need to run udp2raw on our client side and point it to the port that has been forwarded.

Bengreen avatar Apr 27 '23 20:04 Bengreen

I was able to successfully port-forward the UDP port of wireguard using relay. With a little trickery (not much) I was able to get Gefyra working (AWESOME). I captured some notes here: https://github.com/gefyrahq/gefyra/issues/511

I'd be happy to write this up with more details if others are interested.

Bengreen avatar Nov 28 '23 21:11 Bengreen

Endpoints can be set with Gefyra 2. There are several other issues about the UDP/TCP issue. We'll follow up on this.

SteinRobert avatar May 16 '24 13:05 SteinRobert