bryopsida / wireguard-chart

A helm chart for wireguard

WireGuard client unable to resolve DNS, e.g., redis.redis.svc.cluster.local #63

Open blgdmbrl opened 3 days ago

blgdmbrl commented 3 days ago

Hi, my WireGuard client is unable to resolve DNS, e.g., redis.redis.svc.cluster.local

My server yaml is

replicaCount: 1
autoscaling:
  enabled: false

service:
  enabled: true
  type: ClusterIP
wireguard:
  serverAddress: 172.32.32.1/24
  serverCidr: 172.32.32.0/24
  clients:
  - AllowedIPs: 172.32.32.2/32
    PublicKey: iaWRm9zdDyM95FXgoUpGNI2seN7vXyoQVG78ODGGJHY=

I checked the wg pod and ran wg show wg0 and it's working fine

$ sudo wg show wg0
interface: wg0
  public key: EsPzisDRhRc5cpVHg5TSjfnWWkA6m82nhKczIxcZtU8=
  private key: (hidden)
  listening port: 51820

peer: iaWRm9zdDyM95FXgoUpGNI2seN7vXyoQVG78ODGGJHY=
  endpoint: 10.0.1.107:57281
  allowed ips: 172.32.32.2/32
  latest handshake: 10 seconds ago
  transfer: 173.18 KiB received, 248.56 KiB sent

From the pod I tried nslookup, and it works fine.

~ $ nslookup redis.redis.svc.cluster.local
Server:     10.43.0.10
Address:    10.43.0.10:53

Name:   redis.redis.svc.cluster.local
Address: 10.43.113.234

and my client config is

[Interface]
PrivateKey = <privateKey>
Address = 172.32.32.2/32
DNS = 10.43.0.10, 8.8.8.8

[Peer]
PublicKey = EsPzisDRhRc5cpVHg5TSjfnWWkA6m82nhKczIxcZtU8=
AllowedIPs = 10.0.0.0/16, 10.43.0.0/16, 172.32.32.0/24
Endpoint = <public_id>:51820
PersistentKeepalive = 25

The ping works fine too

ping 172.32.32.1
PING 172.32.32.1 (172.32.32.1): 56 data bytes
64 bytes from 172.32.32.1: icmp_seq=0 ttl=64 time=9.281 ms
64 bytes from 172.32.32.1: icmp_seq=1 ttl=64 time=9.031 ms
64 bytes from 172.32.32.1: icmp_seq=2 ttl=64 time=13.573 ms

but nslookup redis.redis.svc.cluster.local can't be reached, and I tried a traceroute to 10.43.113.234

traceroute 10.43.113.234
traceroute to 10.43.113.234 (10.43.113.234), 64 hops max, 52 byte packets
 1  172.32.32.1 (172.32.32.1)  6.532 ms  8.060 ms  7.810 ms
 2  * * * *

and I can't fix this, help me guys. I wanna connect to 10.43.* from my client (DNS is optional). I'm using k3s + cilium

bryopsida commented 1 day ago

I see that you have the helm configuration set to define the wireguard service as a ClusterIP service.

service:
  enabled: true
  type: ClusterIP

What kind of load balancer or network path are you using to access the wg service from your client?

What pod cidr are you using for cilium? I believe by default it uses 10.0.0.0/8 and each node will be allocated a /24 within the /8 by cilium.

Do you have Hubble deployed with cilium and can you access the Hubble ui over a port forward? Does it show any flows/verdicts for your wg client's traffic?

blgdmbrl commented 13 hours ago

I'm using nginx-ingress for the load balancer, and here's the configuration

udp:
  "51820": wireguard/wireguard-wireguard:51820

and for Cilium I'm not using Hubble

cluster-pool-ipv4-cidr: 10.0.0.0/8
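The client config in the first post and the Cilium cluster-pool CIDR in the last comment are the two things an operator would want to cross-check mechanically before going further. The script below is an added example, not code from the chart or from anyone in this thread. It parses the posted client config (embedded as a constructed sample; the RFC 5737 documentation address 203.0.113.10 stands in for the `<public_id>` placeholder), reports which DNS servers are reachable through the tunnel's AllowedIPs and which are not, flags an Endpoint that falls inside AllowedIPs (a routing loop), and lists overlapping prefixes among a set of named cluster ranges. The 10.43.0.0/16 entry is an assumption inferred from the 10.43.x addresses in the thread, not a value the page states as the service CIDR; the script surfaces overlaps for review and does not claim any of them is the cause of this issue.

```python
"""Offline sanity checks for a WireGuard client config and the cluster CIDRs it must reach."""
import ipaddress
from typing import Dict, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample: the client config from the issue. 203.0.113.10 is an
# RFC 5737 documentation address standing in for the <public_id> placeholder.
CLIENT_CONF = """
[Interface]
PrivateKey = <privateKey>
Address = 172.32.32.2/32
DNS = 10.43.0.10, 8.8.8.8

[Peer]
PublicKey = EsPzisDRhRc5cpVHg5TSjfnWWkA6m82nhKczIxcZtU8=
AllowedIPs = 10.0.0.0/16, 10.43.0.0/16, 172.32.32.0/24
Endpoint = 203.0.113.10:51820
PersistentKeepalive = 25
"""

# Constructed sample of named cluster ranges. The service range is an assumption
# inferred from the 10.43.x addresses in the thread; the other two are from the page.
CLUSTER_RANGES = {
    "cilium_cluster_pool": "10.0.0.0/8",       # cluster-pool-ipv4-cidr from the last comment
    "service_range_assumed": "10.43.0.0/16",   # assumption, not stated on the page
    "wg_tunnel": "172.32.32.0/24",             # serverCidr from the chart values
}


def parse_wg_conf(text: str) -> Tuple[Dict[str, str], List[Dict[str, str]]]:
    """Minimal WireGuard INI parser. Returns (interface, peers); every [Peer]
    section is kept separately, which configparser would not do."""
    interface: Dict[str, str] = {}
    peers: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "interface":
                current = interface
            elif name == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section {line}")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        # split on the first '=' only: base64 keys end in '=' padding
        key, value = (part.strip() for part in line.split("=", 1))
        current[key.lower()] = value
    return interface, peers


def _csv_networks(value: str) -> List[Network]:
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in value.split(",") if item.strip()]


def check_client_conf(text: str) -> Dict[str, List[str]]:
    """Report DNS servers not routed via the tunnel and endpoints routed into it."""
    interface, peers = parse_wg_conf(text)
    allowed = [net for peer in peers for net in _csv_networks(peer.get("allowedips", ""))]
    findings: Dict[str, List[str]] = {"dns_via_tunnel": [], "dns_off_tunnel": [],
                                      "endpoint_inside_tunnel": []}
    for dns in interface.get("dns", "").split(","):
        dns = dns.strip()
        if not dns:
            continue
        ip = ipaddress.ip_address(dns)
        bucket = "dns_via_tunnel" if any(ip in net for net in allowed) else "dns_off_tunnel"
        findings[bucket].append(dns)
    for peer in peers:
        endpoint = peer.get("endpoint")
        if not endpoint:
            continue
        host = endpoint.rsplit(":", 1)[0].strip("[]")
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # hostname endpoint: cannot be checked offline
        if any(ip in net for net in allowed):
            findings["endpoint_inside_tunnel"].append(endpoint)
    return findings


def overlapping_ranges(named: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return name pairs whose prefixes overlap, in sorted-name order."""
    nets = {name: ipaddress.ip_network(cidr, strict=False) for name, cidr in named.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


if __name__ == "__main__":
    print(check_client_conf(CLIENT_CONF))
    print(overlapping_ranges(CLUSTER_RANGES))
```

On the posted config the cluster resolver 10.43.0.10 is covered by AllowedIPs while 8.8.8.8 is not, which is expected for a public resolver; the endpoint check only matters when the peer's public address lands inside a range that AllowedIPs steers into the tunnel.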