Wireguard operator

painless deployment of wireguard on kubernetes

Support and discussions

If you are facing any problems please open an issue or join our slack channel

Tested with

• [x] IBM Cloud Kubernetes Service
• [x] Google Kubernetes Engine
  • requires spec.mtu: "1380"
• [x] DigitalOcean Kubernetes
  • requires spec.serviceType: "NodePort". DigitalOcean LoadBalancer does not support UDP.
• [x] Self managed k3s on Hetzner
• [ ] Amazon EKS
• [ ] Azure Kubernetes Service
• [ ] ...?

Architecture

Features

• Uses userspace implementation of wireguard through wireguard-go
• Automatic key generation
• Automatic IP allocation
• Does not need persistance. peer/server keys are stored as k8s secrets and loaded into the wireguard pod
• Exposes a metrics endpoint by utilizing prometheus_wireguard_exporter

Example

server

apiVersion: vpn.example.com/v1alpha1
kind: Wireguard
metadata:
  name: "my-cool-vpn"
spec:
  mtu: "1380"

peer

apiVersion: vpn.example.com/v1alpha1
kind: WireguardPeer
metadata:
  name: peer1
spec:
  wireguardRef: "my-cool-vpn"

Peer configuration

Peer configuration can be retreived using the following command

command:

kubectl get wireguardpeer peer1 --template={{.status.config}} | bash

output:

[Interface]
PrivateKey = WOhR7uTMAqmZamc1umzfwm8o4ZxLdR5LjDcUYaW/PH8=
Address = 10.8.0.3
DNS = 10.48.0.10, default.svc.cluster.local
MTU = 1380

[Peer]
PublicKey = sO3ZWhnIT8owcdsfwiMRu2D8LzKmae2gUAxAmhx5GTg=
AllowedIPs = 0.0.0.0/0
Endpoint = 32.121.45.102:51820

installation:

kubectl apply -f https://raw.githubusercontent.com/jodevsa/wireguard-operator/0.0.3/release.yaml

uninstall

kubectl delete -f https://raw.githubusercontent.com/jodevsa/wireguard-operator/0.0.3/release.yaml