rancher / k3os

Purpose-built OS for Kubernetes, fully managed by Kubernetes.
https://k3os.io
Apache License 2.0

Configuring a VPN service #64

Open dwitzig opened 5 years ago

dwitzig commented 5 years ago

Wondering how to connect k3OS nodes over a VPN (this might not be possible yet...). On RancherOS I deploy a VPN service in my cloud-config (see below).

is it possible to achieve something similar on k3OS?

  services:
    zerotier:
      image: dwitzig/zerotier:1.2.12
      labels:
        # run as a RancherOS system container, so it starts before user containers
        io.rancher.os.scope: system
      volumes:
        # persist the node identity (identity.secret) across reboots
        - /opt/zerotier-one:/var/lib/zerotier-one
      restart: always
      # host networking so the zt* interface is created in the host namespace
      net: host
      devices:
        # the virtual interface is backed by a TUN/TAP device
        - /dev/net/tun:/dev/net/tun
      cap_add:
        # NET_ADMIN is needed to create and configure the interface; SYS_ADMIN is a broad grant
        - NET_ADMIN
        - SYS_ADMIN
      volumes_from:
        - system-volumes
      entrypoint: /zerotier-one
    zerotier-join:
      image: dwitzig/zerotier:1.2.12
      labels:
        io.rancher.os.scope: system
      volumes:
        - /opt/zerotier-one:/var/lib/zerotier-one
      # one-shot: join the network once the daemon is up, retry only on failure
      restart: on-failure
      net: host
      # network ID supplied via environment variable
      entrypoint: /zerotier-cli join $NETWORK_ID
      depends_on:
        - zerotier

runningman84 commented 5 years ago

It would be cool if k3os would support a WireGuard VPN and use it for pod networking and other internal traffic.

vitobotta commented 5 years ago

Hi @dwitzig I hope you don't mind me asking here. I am using RancherOS and would like to encrypt traffic between the nodes of Kubernetes clusters since my provider doesn't have private networking. Do you have a blog post or tutorial on how you implemented the solution in your example / how it works so I can understand better also how to configure the network settings? Also are you happy with Zerotier for this so far? Thanks!

https://github.com/rancher/os/issues/2836

dwitzig commented 5 years ago

Hi @vitobotta, I put together a quick outline of how I deploy via ZT in this gist https://gist.github.com/dwitzig/1c3f0a3ed215a5852a4dc40cc608e876

I modified the boot scripts to use env vars and a wait-for-network script to make it a bit simpler. Normally I use a key/value store, so hopefully it works (did not have a chance to test :) ).

I really like ZeroTier. It's super easy to deploy, and its ability to auto-failover and use the most efficient WAN connection is great. I use it on edge devices that have a 3G dongle for failover. ZeroTier handles this effortlessly.

The trickiest thing I found using a VPN to connect nodes is making sure the nodes and CNI are using the correct IP and interface. (I only just got this completely sorted when I moved to k3s)

hope that helps :)

vitobotta commented 5 years ago

Hi @dwitzig, in the meantime I sorted it out with WireGuard and I am really happy with it. I created a Docker image to manage it via a container/service - see https://vitobotta.com/2019/07/17/kubernetes-wireguard-vpn-rancheros/ - I changed my mind about using ZeroTier because I didn't want to have to trust someone with this stuff. Thanks btw
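
Added example, not from this thread and not from the k3OS or k3s documentation: a k3OS config.yaml for an agent node that brings up a WireGuard interface before k3s starts (the approach vitobotta describes above) and then pins the node IP and the flannel interface to that tunnel, which is the "correct IP and interface" problem dwitzig flagged as the trickiest part. Everything concrete here is assumed: the 10.100.0.0/24 tunnel subnet, 10.100.0.1 as the server and 10.100.0.11 as this node, the public endpoint 203.0.113.10, the key placeholders, and that the k3OS image provides the wireguard kernel module and the wg(8) tool (which the image may not ship). It also assumes boot_cmd runs before the k3s service starts, so the address given to --node-ip exists when the kubelet comes up.

```yaml
# k3OS config.yaml for an agent node (added example; all values are placeholders)
hostname: k3os-node-1

write_files:
  - path: /etc/wireguard/wg0.conf
    permissions: "0600"           # holds the private key
    content: |
      [Interface]
      PrivateKey = <this node's private key, from: wg genkey>
      ListenPort = 51820

      [Peer]
      # the k3s server; AllowedIPs binds its key to its tunnel address
      PublicKey = <server public key>
      Endpoint = 203.0.113.10:51820
      AllowedIPs = 10.100.0.1/32
      PersistentKeepalive = 25

boot_cmd:
  # create the tunnel before k3s starts; plain ip/wg, no wg-quick needed
  # (wg setconf takes only the [Interface]/[Peer] keys above, not Address=)
  - ip link add dev wg0 type wireguard
  - wg setconf wg0 /etc/wireguard/wg0.conf
  - ip address add 10.100.0.11/24 dev wg0
  - ip link set up dev wg0

k3os:
  # join over the tunnel, not over the server's public address
  server_url: https://10.100.0.1:6443
  token: <cluster join token>
  k3s_args:
    - agent
    - --node-ip=10.100.0.11       # kubelet registers the tunnel address as INTERNAL-IP
    - --flannel-iface=wg0         # flannel's VXLAN traffic is carried inside WireGuard
    # the server side uses the same two flags plus:
    #   --advertise-address=10.100.0.1 --tls-san=10.100.0.1
```

Two checks after the node joins: `kubectl get nodes -o wide` should list 10.100.0.11 as the node's INTERNAL-IP, and `kubectl get node k3os-node-1 -o jsonpath='{.metadata.annotations.flannel\.alpha\.coreos\.com/public-ip}'` should return the same address; if either shows the provider-assigned address instead, pod traffic is leaving the tunnel. Note that --node-ip only changes what the node advertises: the k3s API server still binds 0.0.0.0:6443 by default, so the public interface still needs a host firewall rule if only tunnel peers are meant to reach it.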

nazarewk commented 4 years ago

linking #422 (Wireguard on K3OS)