Closed nushkovg closed 6 hours ago
Thanks for the report. At the moment there's no way to configure firewall with Talos.
There's a "hacky" way - inject iptables rules via some privileged pod in Kubernetes - Job or Pod or DaemonSet.
We're looking towards adding full firewall support to Talos.
Any updates on this?
I need to set up a WireGuard tunnel from the master node to some VPN service like Cloudflare WARP or Mullvad and route all traffic to some CIDRs with NAT.
I can do everything using only Talos configuration, but for NAT I have to spin up some privileged pod, which sets up iptables.
No update so far, see also #4421
This issue is stale because it has been open 180 days with no activity. Remove stale label or comment or this will be closed in 7 days.
This issue was closed because it has been stalled for 7 days with no activity.
Feature Request
Since there is already an integrated WireGuard service in the OS itself, I think it would be great if it can be used as a personal VPN without the need to have an external proxy which will handle the iptables NAT rules.

Description
The integrated WireGuard can already be configured to act as a server on the control plane nodes, but since there is no iptables integrated in the OS, it's (I think) impossible to run it as a normal personal VPN which masks the public IP of the client. Here is an example of a machine config where a new interface is created and managed by Talos:

This is in the case of a client setting 0.0.0.0/0 as the Allowed IP in the client configuration:

If a client connects with this configuration, he/she won't be able to access the internet. In a "generic" OS with iptables, this is solvable by adding these iptables rules in the interface section of the server configuration:

If the client connects with the AllowedIPs changed from 0.0.0.0/0 to something else, like 192.168.0.0/24, he will have access to the internet, but the public IP will not be masked.

I am not sure of the complexity of implementation of this feature, as I certainly don't fully understand the internals of the Talos system, but this is very useful for people who want to use IP whitelisting as a form of security for their applications, and want to be able to access their apps over WireGuard VPN with the public IP masked as the one specified in the server configuration.
If this is something that can be implemented, it will be great as it will remove the need for an external proxy above the Talos nodes, and it will remove the need of running WireGuard inside Kubernetes itself.
I believe that this is a very specific, low priority thing, but still something to consider. However, if there isn't a way to implement this, please let me know if there is a "Talos" way of doing something like this, or simply a workaround.
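One concrete form of the "privileged pod" workaround the maintainer sketches above (rules injected from a DaemonSet), written here as an added example; it is not code from the Talos project or from the issue author. It assumes the Talos-managed WireGuard interface is called wg0, that clients are handed addresses from 10.100.0.0/24, that the node's upstream interface is eth0, and that the server runs on the control plane nodes; all four are assumptions to adjust to your own machine config. The MASQUERADE rule is deliberately scoped to the tunnel subnet rather than to all traffic, and the container asks for NET_ADMIN/NET_RAW instead of `privileged: true`, since that is all iptables needs to edit the host tables when the pod runs in the host network namespace.

```yaml
# Added example (not Talos project code): re-apply WireGuard NAT/forward rules
# on every control plane node from a pod in the host network namespace.
# Assumed names: wg0 (WireGuard interface), 10.100.0.0/24 (tunnel subnet),
# eth0 (upstream interface). Change them to match your machine config.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: wireguard-nat
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: wireguard-nat
  template:
    metadata:
      labels:
        app: wireguard-nat
    spec:
      hostNetwork: true                 # rules must land in the host's netfilter tables
      nodeSelector:
        node-role.kubernetes.io/control-plane: ""
      tolerations:
        - key: node-role.kubernetes.io/control-plane
          operator: Exists
          effect: NoSchedule
      containers:
        - name: iptables
          image: alpine:3.19
          securityContext:
            capabilities:
              add: ["NET_ADMIN", "NET_RAW"]   # what iptables needs; narrower than privileged
          env:
            - name: WG_IF
              value: wg0
            - name: WG_SUBNET
              value: 10.100.0.0/24
            - name: OUT_IF
              value: eth0
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -eu
              apk add --no-cache iptables >/dev/null
              # ensure TABLE CHAIN RULE...: append the rule only if an identical one
              # is not already present, so pod restarts never duplicate rules
              ensure() {
                table="$1"; shift
                iptables -t "$table" -C "$@" 2>/dev/null || iptables -t "$table" -A "$@"
              }
              # let tunnel clients forward out, and let replies come back in
              ensure filter FORWARD -i "$WG_IF" -j ACCEPT
              ensure filter FORWARD -o "$WG_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
              # source-NAT only the tunnel subnet as it leaves via the upstream interface
              ensure nat POSTROUTING -s "$WG_SUBNET" -o "$OUT_IF" -j MASQUERADE
              echo "WireGuard NAT rules present for $WG_IF -> $OUT_IF"
              # stay alive so the DaemonSet does not restart the pod in a loop;
              # the rules remain in the host tables either way
              while :; do sleep 3600; done
```

Because host iptables rules do not survive a reboot, running this as a DaemonSet rather than a one-shot Job means the rules come back whenever a node does. IP forwarding is already enabled on Kubernetes nodes (kubelet requires it); if it is not, `machine.sysctls` in the Talos machine config is the place to set `net.ipv4.ip_forward`. If your CNI installs a default-drop policy on the FORWARD chain, the appended ACCEPT rules may sit below a drop rule; check with `iptables -L FORWARD -n --line-numbers` from the pod and switch `-A` to `-I` in `ensure` if so. Note that a pod with NET_ADMIN in the host network namespace can rewrite every rule on the node, so keep the manifest's image and script under the same review you would give any host-level change.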