siderolabs / talos

Talos Linux is a modern Linux distribution built for Kubernetes.
https://www.talos.dev
Mozilla Public License 2.0

Using the integrated WireGuard as personal VPN #5310

Closed nushkovg closed 6 hours ago

nushkovg commented 2 years ago

Feature Request

Since there is already an integrated WireGuard service in the OS itself, I think it would be great if it can be used as a personal VPN without the need to have an external proxy which will handle the iptables NAT rules.

Description

The integrated WireGuard can already be configured to act as a server on the control plane nodes, but since there is no iptables integrated in the OS, it's (I think) impossible to run it as a normal personal VPN which masks the public IP of the client. Here is an example of a machine config where a new interface is created and managed by Talos:

interfaces:
  - interface: wg0
    addresses:
      - 10.254.0.1/24
    mtu: 1500
    wireguard:
      privateKey: <SERVER_PRIVATE_KEY>
      listenPort: 51820
      peers:
        - publicKey: <CLIENT_PUBLIC_KEY>
          persistentKeepaliveInterval: 10s
          endpoint: <DYNAMIC_DNS_OR_STATIC_IP>:51820
          allowedIPs:
            - 10.254.0.2/32
  - interface: eth0
    .
    .
    ...

This is in the case of a client setting 0.0.0.0/0 as the Allowed IP in the client configuration:

[Interface]
Address = 10.254.0.2/32
PrivateKey = <CLIENT_PRIVATE_KEY>

[Peer]
Endpoint = <DYNAMIC_DNS_OR_STATIC_IP>:51820
AllowedIPs = 0.0.0.0/0
PublicKey = <SERVER_PUBLIC_KEY>

If a client connects with this configuration, he/she won't be able to access the internet. In a "generic" OS with iptables, this is solvable by adding these iptables rules in the interface section of the server configuration:

PreUp = iptables --table nat --append POSTROUTING --jump MASQUERADE --out-interface eth0
PreDown = iptables --table nat --delete POSTROUTING --jump MASQUERADE --out-interface eth0

If the client connects with the AllowedIPs changed from 0.0.0.0/0 to something else, like 192.168.0.0/24, he will have access to the internet, but the public IP will not be masked.

I am not sure of the complexity of implementation of this feature, as I certainly don't fully understand the internals of the Talos system, but this is very useful for people who want to use IP whitelisting as a form of security for their applications, and want to be able to access their apps over WireGuard VPN with the public IP masked as the one specified in the server configuration.

If this is something that can be implemented, it will be great as it will remove the need for an external proxy above the Talos nodes, and it will remove the need of running WireGuard inside Kubernetes itself.

I believe that this is a very specific, low priority thing, but still something to consider. However, if there isn't a way to implement this, please let me know if there is a "Talos" way of doing something like this, or simply a workaround.

smira commented 2 years ago

Thanks for the report. At the moment there's no way to configure a firewall with Talos.

There's a "hacky" way - inject iptables rules via some privileged pod in Kubernetes - Job or Pod or DaemonSet.

We're looking towards adding full firewall support to Talos.

maxpain commented 1 year ago

Any updates on this? I need to set up a WireGuard tunnel from the master node to some VPN service like Cloudflare WARP or Mullvad and route all traffic to some CIDRs with NAT. I can do everything using only Talos configuration, but for NAT I have to spin up some privileged pod, which sets up iptables.
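
The NAT rules the issue asks for, together with the privileged-pod workaround smira and maxpain describe, as one added shell example; this is not code from the issue or from the Talos project. It assumes the interface names and peer subnet from the machine config above (wg0, eth0, 10.254.0.0/24), goes slightly beyond the rules quoted in the issue by masquerading only traffic that came from the WireGuard subnet instead of everything leaving eth0, and checks for an existing rule before inserting so a restarting pod does not stack duplicates. The iptables-save snippets at the bottom are constructed samples so the verification function can be exercised offline.

```shell
#!/bin/sh
# Added example (not Talos project code): IPv4 NAT for WireGuard peers that
# route 0.0.0.0/0 through a Talos node. Meant to be run by a privileged,
# hostNetwork pod with NET_ADMIN (Job or DaemonSet), as the thread suggests.

WG_IF="${WG_IF:-wg0}"               # Talos-managed WireGuard interface (from the issue)
OUT_IF="${OUT_IF:-eth0}"            # uplink whose address should hide the peer
WG_NET="${WG_NET:-10.254.0.0/24}"   # peer subnet from the machine config

# Emit the rules without running them. Scoping MASQUERADE to the peer subnet
# keeps unrelated forwarded traffic (pods, other routes) unmodified, unlike the
# bare "--out-interface eth0" rule quoted in the issue.
nat_rules() {
  printf '%s\n' \
    "iptables -t nat -A POSTROUTING -s $WG_NET -o $OUT_IF -j MASQUERADE" \
    "iptables -A FORWARD -i $WG_IF -o $OUT_IF -s $WG_NET -j ACCEPT" \
    "iptables -A FORWARD -i $OUT_IF -o $WG_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
}

# Turn an append command into the matching "-C" existence check.
to_check_cmd() {
  printf '%s' "$1" | sed 's/ -A / -C /'
}

# Idempotent apply: a DaemonSet pod restarts, so only add what is missing.
# Forwarding is enabled explicitly; whether Talos already sets it for this
# interface is an assumption, so the sysctl is harmless if redundant.
apply_rules() {
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  nat_rules | while IFS= read -r rule; do
    sh -c "$(to_check_cmd "$rule")" 2>/dev/null || sh -c "$rule"
  done
}

# Verification: read `iptables-save -t nat` output on stdin and report
# whether the MASQUERADE rule for the peer subnet is present.
has_masquerade() {
  grep -qF -- "-A POSTROUTING -s $WG_NET -o $OUT_IF -j MASQUERADE"
}

# Convenience wrapper so a captured dump can be checked as a string.
check_sample() {
  printf '%s\n' "$1" | has_masquerade
}

# Constructed iptables-save samples (not captured from a real node).
SAMPLE_WITH='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.254.0.0/24 -o eth0 -j MASQUERADE
COMMIT'
SAMPLE_WITHOUT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT'

# Usage on the node (inside the privileged pod):
#   . ./wg-nat.sh && apply_rules && iptables-save -t nat | has_masquerade && echo ok
```

Only IPv4 is covered; a peer that also tunnels IPv6 needs the equivalent ip6tables rules. The FORWARD rules restrict the forwarded traffic to the peer subnet in both directions, which is what makes the node act as an exit for the VPN without also forwarding arbitrary traffic between eth0 and wg0.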

smira commented 1 year ago

No update so far, see also #4421

github-actions[bot] commented 5 days ago

This issue is stale because it has been open 180 days with no activity. Remove stale label or comment or this will be closed in 7 days.

github-actions[bot] commented 6 hours ago

This issue was closed because it has been stalled for 7 days with no activity.