Open bryopsida opened 9 months ago
The stateless nature of UDP does not always lend itself to desirable behavior at the LB level; each cloud provider's LB implementation for UDP can vary, and it may not consistently route a client's traffic to the same WG server pod.
The WG documentation suggests usage of either these
to support TCP tunnels (but there may be better options).
While this would be relatively trivial to add to the server side, it would require additional binary installs on client side and documentation on how to set up the tunnel with pre and post hooks.
May relate to: #60
It would be nice to have an optional flag that enables support for a TCP ingress. This could be relayed over something like a Cloudflare Tunnel (which does not support UDP) to prevent needing to open a hole in a firewall at the perimeter of where the WireGuard pod is running.
This may require running the tunnel at the peer site as well, as the WG client does not support TCP directly IIRC.