wireguard

package

v0.4.0-rc3 Latest Latest Go to latest Published: Jun 18, 2020 License: Apache-2.0 Imports: 16 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/submariner-io/submariner

README ¶

WireGuard Cable Driver

WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography.

Traffic is encrypted and encapsulated in UDP packets.

Driver design

WireGuard creates a virtual network device that is accessed via netlink. It appears like any network device and currently has a hardcoded name subwg0.
WireGuard identifies peers by their cryptographic public key without the need to exchange shared secrets. The owner of the public key must have the corresponding private key to prove identity.
The driver creates the key pair and adds the public key to the local endpoint so other clusters can connect. Like ipsec, the node IP address is used as the endpoint udp address of the WireGuard tunnels. A fixed port is used for all endpoints.
The driver adds routing rules to redirect cross cluster communication through the virtual network device subwg0. (note: this is different from ipsec, which intercepts packets at netfilter level.)
The driver uses wgctrl, a go package that enables control of WireGuard devices on multiple platforms. Link creation and removal are done through netlink. Currently assuming Linux Kernel WireGuard (wgtypes.LinuxKernel).

Installation

WireGuard needs to be installed on the gateway nodes. For example, (Ubuntu < 19.04),

$ sudo add-apt-repository ppa:wireguard/wireguard
$ sudo apt-get update
$ sudo apt-get install linux-headers-`uname -r` -y
$ sudo apt-get install wireguard

The driver needs to be enabled with

$ bin/subctl join --cable-driver wireguard --disable-nat broker-info.subm

The default UDP listen port for WireGuard is 5871. It can be changed by setting the env var CE_IPSEC_NATTPORT

Troubleshooting, limitations

If you get the following message

Fatal error occurred creating engine: failed to add wireguard device: operation not supported

you probably did not install WireGuard on the Gateway node.

The e2e tests can be run with WireGuard by setting DEPLOY_ARGS before calling make e2e

$ export DEPLOY_ARGS="--deploytool operator --deploytool_submariner_args '--cable-driver=wireguard'"

No new iptables rules were added, although source NAT needs to be disabled for cross cluster communication. This is similar to disabling SNAT when sending cross-cluster traffic between nodes to submariner-gateway, so the existing rules should be enough. The driver will fail if the CNI does SNAT before routing to Wireguard (e.g., failed with Calico, works with Flannel).

Documentation ¶

Index ¶

Constants
func NewDriver(localEndpoint types.SubmarinerEndpoint, localCluster types.SubmarinerCluster) (cable.Driver, error)

Constants ¶

View Source

const (
	// DefaultDeviceName specifies name of WireGuard network device
	DefaultDeviceName = "subwg0"

	// PublicKey is name (key) of publicKey entry in back-end map
	PublicKey = "publicKey"

	// KeepAliveInterval to use for wg peers
	KeepAliveInterval = 10 * time.Second
)

Variables ¶

This section is empty.

Functions ¶

func NewDriver ¶

func NewDriver(localEndpoint types.SubmarinerEndpoint, localCluster types.SubmarinerCluster) (cable.Driver, error)

NewDriver creates a new WireGuard driver

Types ¶

This section is empty.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL