mirror of
https://github.com/siderolabs/talos.git
synced 2025-10-01 18:51:13 +02:00
e3fda049fe
This moves our docs to a hugo-based doc setup with docsy theme. Signed-off-by: Spencer Smith <spencer.smith@talos-systems.com>
103 lines
3.0 KiB
Markdown
103 lines
3.0 KiB
Markdown
---
|
|
title: "Configuring Wireguard Network"
|
|
description: "In this guide you will learn how to set up Wireguard network using Kernel module."
|
|
---
|
|
|
|
## Configuring Wireguard Network
|
|
|
|
### Quick Start
|
|
|
|
The quickest way to try out Wireguard is to use `talosctl cluster create` command:
|
|
|
|
```bash
|
|
talosctl cluster create --wireguard-cidr 10.1.0.0/24
|
|
```
|
|
|
|
It will automatically generate Wireguard network configuration for each node with the following network topology:
|
|
|
|
<img src="/images/wireguard-guide/example-topology.png">
|
|
|
|
Where all controlplane nodes will be used as Wireguard servers which listen on port 51111.
|
|
All controlplanes and workers will connect to all controlplanes.
|
|
It also sets `PersistentKeepalive` to 5 seconds to establish controlplanes to workers connection.
|
|
|
|
After the cluster is deployed it should be possible to verify Wireguard network connectivity.
|
|
It is possible to deploy a container with `hostNetwork` enabled, then do `kubectl exec <container> /bin/bash` and either do:
|
|
|
|
```bash
|
|
ping 10.1.0.2
|
|
```
|
|
|
|
Or install `wireguard-tools` package and run:
|
|
|
|
```bash
|
|
wg show
|
|
```
|
|
|
|
Wireguard show should output something like this:
|
|
|
|
```bash
|
|
interface: wg0
|
|
public key: OMhgEvNIaEN7zeCLijRh4c+0Hwh3erjknzdyvVlrkGM=
|
|
private key: (hidden)
|
|
listening port: 47946
|
|
|
|
peer: 1EsxUygZo8/URWs18tqB5FW2cLVlaTA+lUisKIf8nh4=
|
|
endpoint: 10.5.0.2:51111
|
|
allowed ips: 10.1.0.0/24
|
|
latest handshake: 1 minute, 55 seconds ago
|
|
transfer: 3.17 KiB received, 3.55 KiB sent
|
|
persistent keepalive: every 5 seconds
|
|
```
|
|
|
|
It is also possible to use generated configuration as a reference by pulling generated config files using:
|
|
|
|
```bash
|
|
talosctl read -n 10.5.0.2 /system/state/config.yaml > controlplane.yaml
|
|
talosctl read -n 10.5.0.3 /system/state/config.yaml > worker.yaml
|
|
```
|
|
|
|
### Manual Configuration
|
|
|
|
All Wireguard configuration can be done by changing Talos machine config files.
|
|
As an example we will use this official Wireguard [quick start tutorial](https://www.wireguard.com/quickstart/).
|
|
|
|
### Key Generation
|
|
|
|
This part is exactly the same:
|
|
|
|
```bash
|
|
wg genkey | tee privatekey | wg pubkey > publickey
|
|
```
|
|
|
|
### Setting up Device
|
|
|
|
Inline comments show relations between configs and `wg` quickstart tutorial commands:
|
|
|
|
```yaml
|
|
...
|
|
network:
|
|
interfaces:
|
|
...
|
|
# ip link add dev wg0 type wireguard
|
|
- interface: wg0
|
|
mtu: 1500
|
|
# ip address add dev wg0 192.168.2.1/24
|
|
addresses:
|
|
- 192.168.2.1/24
|
|
# wg set wg0 listen-port 51820 private-key /path/to/private-key peer ABCDEF... allowed-ips 192.168.88.0/24 endpoint 209.202.254.14:8172
|
|
wireguard:
|
|
privateKey: <privatekey file contents>
|
|
listenPort: 51820
|
|
peers:
|
|
allowedIPs:
|
|
- 192.168.88.0/24
|
|
endpoint: 209.202.254.14.8172
|
|
publicKey: ABCDEF...
|
|
...
|
|
```
|
|
|
|
When `networkd` gets this configuration it will create the device, configure it and will bring it up (equivalent to `ip link set up dev wg0`).
|
|
|
|
All supported config parameters are described in the [Machine Config Reference](../../reference/configuration/#devicewireguardconfig).
|