openwisp / docker-openwisp

OpenWISP in docker. For production usage we recommend using the ansible-openwisp2 role.
https://openwisp.io/docs/dev/docker/
BSD 3-Clause "New" or "Revised" License
149 stars 75 forks source link

[features] Add support for WireGuard #225

Open pandafy opened 2 years ago

pandafy commented 2 years ago

Add an image/container for deploying WireGuard and install the flask app required for updating the configuration just like we did it in https://github.com/openwisp/ansible-wireguard-openwisp

We can use the linuxserver/wireguard as the base docker image for the WireGuard container.

We need to provide the same level of configurability as the ansible-wireguard-openwisp. Following environment variables should be added

Provisioning of SSL certificate for the Flask application should be done in a similar way it is done for the dashboard and api containers. The container should create a self-signed certificate for development and pull certificates from Let's Encrypt for the production environment. It should be also possible for users to specify the SSL certificates.

We shall re-use the Flask app and WireGuard updater scripts from the ansible role. We shall configure the WSGI such that it is accessible from both the internal hostname and FQDN.

Managing multiple WireGuard interfaces

In this iteration, we can defer the management of multiple WireGuard interfaces. If a user needs more than one WireGuard interface on the server, they'll have to spin up a new container.

Automatically creating WireGuard VPN server object

In this iteration, we will not enable WireGuard by default. If a user wants to use WireGuard they will have to first create a VPN server object and then spin up a container with the right environment values.

Explain the steps in the documentation for spinning up multiple WireGuard container. Explicitly mention that user will need to set environment variables for individual container because some variables will create conflicts.

pandafy commented 2 years ago

EDIT: Moved details to the issue description.

pandafy commented 2 years ago

There will be one separate container for the Flask app (wireguard-updater). Each WireGuard tunnel will have its separate container (wireguard-<uuid>-<ifname>). The WireGuard container will mount an NFS volume at /opt/wireguard-openwisp/.openwisp. This directory will be used to download and store configuration and its checksum from OpenWISP. The same NFS volume will be mounted on the wireguard-updated container at /opt/wireguard/config/<vpn-uuid>.

The request to the wireguard-updater container will contain the ID of the VPN which has to be updated. The Flask app will download the configuration of this VPN in the correct directory, i.e. /opt/wireguard-openwisp/config/<vpn-id>.

There will be a program (bash script) on each of the WireGuard containers which will look for changes in the /opt/wireguard-openwisp/.openwisp. Whenever it finds any changes, it should reload the WireGuard configuration.

Dealing with replicas for high availability

Since replicas will share the same NFS volume, they will observe file change at the same time and will reload their configuration in small time interval. Thus, making the configuration consistent on both the containers.

pandafy commented 2 years ago

Instead of NFS, we will use Redis to co-ordinate configuration changes

The request to the Flask app will contain VPN_ID which needs to be updated. The Flask app will write the current timestamp in the Redis server with VPN_ID as key.

There will be a process running on the WireGuard containers that will poll the Redis server continuously. This process will reload the configuration if the timestamp is different from the local one.

pandafy commented 2 years ago

We are deferring support for VXLAN over WireGuard for later. https://github.com/openwisp/docker-openwisp/issues/228

pandafy commented 2 years ago

We are deferring automated tests for the WireGuard container for later (https://github.com/openwisp/docker-openwisp/issues/229). In the current implementation, the WireGuard VPN is not created by default in OpenWISP. This creates a challenge for adding an automated test.