wireguard

package
v0.3.0-rc2
Published: Apr 29, 2020 License: Apache-2.0 Imports: 12 Imported by: 0

README

WireGuard Cable Driver (WIP)

WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography.

Traffic is encrypted and encapsulated in UDP packets.

Driver design

  • WireGuard creates a virtual network device that is accessed via netlink. It appears like any network device and currently has a hardcoded name subwg0.

  • WireGuard identifies peers by their cryptographic public key without the need to exchange shared secrets. The owner of the public key must have the corresponding private key to prove identity.

  • The driver creates the key pair and adds the public key to the local endpoint so that other clusters can connect. As with the IPsec driver, the node IP address is used as the UDP endpoint address of the WireGuard tunnels, and a fixed port is used for all endpoints.

  • The driver adds routing rules that redirect cross-cluster communication through the virtual network device subwg0. (Note: this differs from the IPsec driver, which intercepts packets at the netfilter level.)

  • The driver uses wgctrl, a Go package that controls WireGuard devices on multiple platforms. Link creation and removal are done through netlink. The driver currently assumes the Linux kernel WireGuard implementation (wgtypes.LinuxKernel).
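The Go program below is an added example, not code from the submariner project or the wgctrl library, that models the design bullets above: a Curve25519 key pair is generated, the public key is published under the documented "publicKey" backend map entry, a peer entry is derived from a remote endpoint (public key as identity, node IP plus the fixed port 5871 as the UDP endpoint, the remote subnets as AllowedIPs), and the static-static X25519 step shows why holding the private key is what proves ownership of the public key. It assumes reduced stand-in types Endpoint and PeerConfig in place of types.SubmarinerEndpoint and wgtypes.PeerConfig, uses the standard library's crypto/ecdh rather than wgtypes.GeneratePrivateKey, and makes no netlink or wgctrl calls, so it runs without a WireGuard device. The endpoint values are constructed.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net"
)

// Defaults documented for the package: the fixed UDP port and the backend map key.
const (
	DefaultListenPort = 5871
	PublicKey         = "publicKey"
)

// Endpoint is a hypothetical, reduced stand-in for types.SubmarinerEndpoint.
type Endpoint struct {
	NodeIP        string
	Subnets       []string
	BackendConfig map[string]string
}

// PeerConfig is a hypothetical stand-in for the wgtypes.PeerConfig fields used here.
type PeerConfig struct {
	PublicKey  [32]byte
	Endpoint   *net.UDPAddr
	AllowedIPs []net.IPNet
}

// GenerateKeyPair makes a Curve25519 pair of the kind WireGuard uses, via the
// standard library's crypto/ecdh rather than wgtypes.GeneratePrivateKey.
func GenerateKeyPair() (*ecdh.PrivateKey, string, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, "", err
	}
	return priv, base64.StdEncoding.EncodeToString(priv.PublicKey().Bytes()), nil
}

// ParsePublicKey decodes a peer's base64 key and insists on exactly 32 bytes,
// the check to make before anything taken from the broker reaches the kernel.
func ParsePublicKey(b64 string) ([32]byte, error) {
	var key [32]byte
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return key, fmt.Errorf("public key is not valid base64: %w", err)
	}
	if len(raw) != len(key) {
		return key, fmt.Errorf("public key must be %d bytes, got %d", len(key), len(raw))
	}
	copy(key[:], raw)
	return key, nil
}

// PeerFromEndpoint builds the peer entry for a remote cluster: the public key
// identifies it, node IP plus the fixed port is its UDP endpoint, and its
// subnets become the AllowedIPs WireGuard routes to and accepts from that peer.
func PeerFromEndpoint(remote Endpoint) (PeerConfig, error) {
	key, err := ParsePublicKey(remote.BackendConfig[PublicKey])
	if err != nil {
		return PeerConfig{}, err
	}
	ip := net.ParseIP(remote.NodeIP)
	if ip == nil {
		return PeerConfig{}, fmt.Errorf("bad node IP %q", remote.NodeIP)
	}
	var allowed []net.IPNet
	for _, s := range remote.Subnets {
		_, cidr, err := net.ParseCIDR(s)
		if err != nil {
			return PeerConfig{}, fmt.Errorf("bad subnet %q: %w", s, err)
		}
		allowed = append(allowed, *cidr)
	}
	return PeerConfig{PublicKey: key, Endpoint: &net.UDPAddr{IP: ip, Port: DefaultListenPort}, AllowedIPs: allowed}, nil
}

// SharedSecret is the static-static X25519 step that only the holder of the
// matching private key can compute, which is why a public key alone identifies a peer.
func SharedSecret(priv *ecdh.PrivateKey, peerPub [32]byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub[:])
	if err != nil {
		return nil, err
	}
	return priv.ECDH(pub)
}

func main() {
	// Constructed sample: west publishes its key under "publicKey", east builds the
	// peer entry from it, and both sides derive the same shared secret.
	eastPriv, eastPub, _ := GenerateKeyPair()
	westPriv, westPub, _ := GenerateKeyPair()
	west := Endpoint{NodeIP: "198.51.100.20", Subnets: []string{"10.2.0.0/16"},
		BackendConfig: map[string]string{PublicKey: westPub}}
	peer, err := PeerFromEndpoint(west)
	if err != nil {
		panic(err)
	}
	eastKey, _ := ParsePublicKey(eastPub)
	s1, _ := SharedSecret(eastPriv, peer.PublicKey)
	s2, _ := SharedSecret(westPriv, eastKey)
	fmt.Printf("peer %s allowed %v, secrets agree: %v\n", peer.Endpoint, peer.AllowedIPs, string(s1) == string(s2))
}
```

Run it with `go run main.go`. In a real driver the resulting peer entries, together with the listen port, would be handed to wgctrl's `Client.ConfigureDevice`; note that AllowedIPs is both the route selector for the peer and the per-peer ingress filter, so a remote cluster that publishes a wrong or overlapping subnet affects which decrypted packets the kernel accepts from it, which is why the subnet parsing is validated before use.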

Installation

  • WireGuard needs to be installed on the gateway nodes. For example, on Ubuntu < 19.04:

    $ sudo add-apt-repository ppa:wireguard/wireguard
    $ sudo apt-get update
    $ sudo apt-get install wireguard
    
  • The driver needs to be enabled with

    $ bin/subctl join --cable-driver wireguard --disable-nat broker-info.subm
    

Troubleshooting, limitations

  • If you get the following message

    Fatal error occurred creating engine: failed to add wireguard device: operation not supported
    

    you probably did not install WireGuard on the Gateway node.

  • Support for e2e testing with kind is not implemented yet. The e2e tests can be run with WireGuard by making it the default driver in pkg/cable/wireguard/WGdriver.go (uncomment the line shown below) and removing StrongSwan as the default in pkg/cable/ipsec/strongswan.go:

    func init() {
      // uncomment next line to set as default
      //cable.SetDefautCableDriver(cableDriverName)
      cable.AddDriver(cableDriverName, NewWGDriver)
    }
    
    
  • No new iptables rules were added, although source NAT needs to be disabled for cross-cluster communication. This is the same requirement as disabling SNAT when sending cross-cluster traffic between nodes to the submariner-gateway, so the existing rules should be enough. The driver will fail if the CNI applies SNAT before the packet is routed to WireGuard (e.g., it failed with Calico and works with Flannel).

Documentation

Index

Constants

const (
	// DefaultListenPort specifies the UDP listen port of the WireGuard device
	DefaultListenPort = 5871

	// DefaultDeviceName specifies the name of the WireGuard network device
	DefaultDeviceName = "subwg0"

	// PublicKey is the name (key) of the publicKey entry in the backend map
	PublicKey = "publicKey"
)

Variables

This section is empty.

Functions

func NewDriver

func NewDriver(localSubnets []string, localEndpoint types.SubmarinerEndpoint) (cable.Driver, error)

NewDriver creates a new WireGuard driver

Types

This section is empty.
