WireGuard VPN deployed on Kubernetes cluster

What is WireGuard VPN?

WireGuard is a modern VPN (Virtual Private Network) protocol and implementation designed to be simpler, faster, and more secure than traditional VPN protocols. It aims to provide a robust solution for encrypting and securing network traffic with minimal overhead and complexity.

Key Features of WireGuard
Simplicity:

WireGuard is designed to be lightweight with a small codebase, making it easier to audit and maintain. The Linux kernel implementation is around 4,000 lines of code, compared with the tens or hundreds of thousands of lines in OpenVPN and IPsec stacks.
Performance:

WireGuard is highly efficient, offering high-speed performance due to its streamlined code and use of modern cryptographic techniques. It often provides lower latency and higher throughput than traditional VPN solutions.
Security:

WireGuard uses state-of-the-art cryptography: the Noise protocol framework for its handshake, ChaCha20 for encryption with Poly1305 for message authentication (the ChaCha20-Poly1305 AEAD), Curve25519 for key exchange, and BLAKE2s for hashing. The suite is fixed rather than negotiated, so there is no cipher negotiation to misconfigure or downgrade, which is a large part of why it is hard to deploy WireGuard insecurely.
Ease of Use:

Configuration is straightforward, with simple key management and minimal configuration options. This reduces the likelihood of user error and simplifies deployment and management.
Cross-Platform Support:

WireGuard is available on various operating systems, including Linux, Windows, macOS, iOS, and Android. This makes it versatile and suitable for a wide range of devices and environments.
Seamless Roaming:

WireGuard supports seamless roaming, allowing a device to move between networks without dropping the VPN connection. This is particularly useful for mobile devices.

So you have installed a home lab Kubernetes cluster and now you need a secure way to reach your apps; this is where WireGuard comes to the rescue.
This is a 'quick and dirty' solution: in a perfect world a few things would be done differently, such as passing the environment variables through a ConfigMap. Here I just put them in the container section of the Deployment, which is good enough for someone like me who only wants to connect to his home lab from remote, and for that purpose WireGuard is ideal.
This is a tutorial for those who want to deploy a WireGuard VPN server on a Kubernetes cluster and reach Kubernetes services from outside the home lab network.

NodePort service will be used to expose WireGuard VPN to clients.
HostPath volume will be used as a persistent volume for app data.

REF: docker image –> https://docs.linuxserver.io/images/docker-wireguard

Prerequisites:

  • A Kubernetes cluster (a single node is fine; the WireGuard config lives in a hostPath directory on that node)
  • A DNS name that resolves to your public IP (a DuckDNS name works)
  • A router that can forward a UDP port to the node
  • Basic Kubernetes understanding

Create a ‘deployment.yaml’ file; all our resources go in there:
   NOTE: it is better to pass the environment variables with a ConfigMap.
         1. Namespace
         2. Deployment
         3. StorageClass
         4. PersistentVolume
         5. PersistentVolumeClaim
         6. Service

Only 3 values have to be changed for this to work:
   NOTE: the environment variables are documented on the linuxserver.io image page (REF above).

         1. SERVERURL: add your DNS name.
         2. The config directory on the node: replace the hostPath path /home/rke/stmp/rke-persistent-volumes/wireguard-pv_2 everywhere it appears in the manifest, with the same directory each time.
         3. nodePort in the Service: pick a port between 30000 and 32767 (the Kubernetes NodePort range).

   NOTE: SERVERPORT is what the image writes as the Endpoint port into the peer configs, while clients actually hit the nodePort on the node. Either set SERVERPORT to the nodePort, or forward UDP SERVERPORT on your router to UDP nodePort on the node; otherwise the client sends its handshake to a port nothing listens on.
   NOTE: a hostPath PersistentVolume is not tied to a node, so on a multi-node cluster pin the pod (nodeSelector or nodeAffinity) to the node that holds the directory, or the pod may start on a node with an empty /config and generate fresh keys.

apiVersion: v1
kind: Namespace
metadata:
  name: wireguard-ns
  labels:
    name: wireguard
---
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: wireguard-ns
  name: wireguard-deployment
  labels:
    app: wireguard
spec:
  replicas: 1
  selector:
    matchLabels:
      app: wireguard
  template:
    metadata:
      labels:
        app: wireguard
    spec:
      containers:
      - name: wireguard
        image: lscr.io/linuxserver/wireguard:latest
        env:
        - name: PUID
          value: "1000"
        - name: PGID            # the linuxserver images read PGID (not GUID) for the group id
          value: "1000"
        - name: TZ
          value: "Asia/Jerusalem"
        - name: SERVERURL
          value: "some-dns.duckdns.org"
        # Written into every peer config as Endpoint = SERVERURL:SERVERPORT.
        # It must be the port clients can really reach: either the Service
        # nodePort, or a router port that you forward to the nodePort.
        - name: SERVERPORT
          value: "51820"
        - name: PEERS
          value: "1"
        - name: PEERDNS
          value: "auto"
        - name: INTERNAL_SUBNET
          value: "10.13.13.0"
        # AllowedIPs pushed to the peers. 0.0.0.0/0 routes all client traffic
        # through the tunnel; to reach only the lab, list its subnets instead
        # (your LAN plus the cluster pod/service ranges).
        - name: ALLOWEDIPS
          value: "0.0.0.0/0"
        securityContext:
          capabilities:
            # NET_ADMIN is needed to create wg0 and its routes. SYS_MODULE
            # (together with the /lib/modules mount) lets the container load
            # the wireguard kernel module; if the node already has it loaded
            # (modprobe wireguard on the node, kernel 5.6 or later), drop both,
            # since SYS_MODULE is equivalent to root on the node.
            add: ["NET_ADMIN", "SYS_MODULE"]
        ports:
          - name: udp-port
            containerPort: 51820
            protocol: UDP
        volumeMounts:
            - name: wireguard-config
              mountPath: /config
            - name: lib-modules
              mountPath: /lib/modules
      volumes:
        # /config is the PersistentVolumeClaim below, which is backed by the
        # hostPath directory declared in the PersistentVolume, so the server
        # keys and peer configs survive pod restarts.
        - name: wireguard-config
          persistentVolumeClaim:
            claimName: wireguard-pv-claim
        - name: lib-modules
          hostPath:
            path: /lib/modules
---
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: local-storage-for-wireguard
provisioner: kubernetes.io/no-provisioner
volumeBindingMode: WaitForFirstConsumer
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: wireguard-pv-volume
  labels:
    type: local
spec:
  storageClassName: local-storage-for-wireguard
  claimRef:
    name: wireguard-pv-claim
    namespace: wireguard-ns
  capacity:
    storage: 2Gi
  accessModes:
    - ReadWriteOnce
  hostPath:
    path: "/home/rke/stmp/rke-persistent-volumes/wireguard-pv_2"
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: wireguard-pv-claim
  namespace: wireguard-ns
spec:
  storageClassName: local-storage-for-wireguard
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 2Gi
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: wireguard
  name: wireguard
  namespace: wireguard-ns
spec:
  ports:
  - nodePort: 32003
    port: 51820
    protocol: UDP
    targetPort: 51820
  selector:
    app: wireguard
  type: NodePort


Run the deployment (k is the usual alias for kubectl):

kubectl apply -f deployment.yaml

Check the container logs. On first run the image generates the server keys and one config per peer, prints each peer config with its QR code, and saves them under /config/peerN/ (peerN.conf and peerN.png).

Next install a WireGuard client (https://www.wireguard.com/install/) and scan the QR code, or import peer1.conf directly.

The client gives little indication of whether the tunnel is really up (WireGuard stays silent until a handshake completes and traffic flows), so after connecting, check the server side for a recent handshake with wg show. A live peer shows a "latest handshake" that is a few seconds to at most about two minutes old; "never" or a stale timestamp means the handshake packets are not reaching the pod (wrong SERVERPORT or router forward, or the client is using an old peer config).
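The checks above as a script, added here as an example (not part of the original post or of the linuxserver image). It assumes the names from the manifest above (namespace wireguard-ns, deployment wireguard-deployment), the image's default interface name wg0 and peer config path /config/peer1/peer1.conf, and a NODEPORT variable that defaults to the Service's 32003; the dump and peer config it runs on by default are constructed samples with placeholder keys. Run it with the argument live to query the real server through kubectl.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or the linuxserver image):
# post-deploy checks for the WireGuard server.
#   handshake_ok        - parse `wg show wg0 dump` and report which peers have a live session
#   check_endpoint_port - confirm a peer config's Endpoint port is the port clients can reach
#   wg_status           - run both against the real server through kubectl (needs the cluster)
# Assumed names: namespace wireguard-ns, deployment wireguard-deployment (from the manifest),
# interface wg0 and /config/peer1/peer1.conf inside the container (image defaults).
set -eu

# A WireGuard session re-handshakes at most every 120 s (REKEY_AFTER_TIME) and is
# discarded after 180 s (REJECT_AFTER_TIME); an older handshake means the peer is gone.
MAX_HANDSHAKE_AGE=180

# handshake_ok DUMP NOW
# DUMP is the text of `wg show wg0 dump`: line 1 is the interface, every further line
# is a peer: pubkey, psk, endpoint, allowed-ips, latest-handshake (epoch), rx, tx, keepalive.
# Prints one status line per peer; returns 0 if at least one peer handshaked recently.
handshake_ok() {
  printf '%s\n' "$1" | awk -F'\t' -v now="$2" -v max="$MAX_HANDSHAKE_AGE" '
    NR == 1 { next }                          # interface line, not a peer
    {
      id = substr($1, 1, 8); endpoint = $3; hs = $5; rx = $6; tx = $7
      if (hs == 0)
        printf "peer %s...: never handshaked (wrong client config, or UDP port unreachable)\n", id
      else if (now - hs > max)
        printf "peer %s...: last handshake %d s ago from %s (stale)\n", id, now - hs, endpoint
      else {
        printf "peer %s...: handshake %d s ago from %s, rx=%d tx=%d bytes\n", id, now - hs, endpoint, rx, tx
        live++
      }
    }
    END { exit (live > 0 ? 0 : 1) }'
}

# check_endpoint_port PEER_CONF PORT
# The image writes "Endpoint = SERVERURL:SERVERPORT" into every peer config, but clients
# reach the node on the Service nodePort. Returns 0 only if the Endpoint port equals PORT,
# the port that is really open towards the client (the nodePort, or a router port
# forwarded to it).
check_endpoint_port() {
  local port
  port=$(printf '%s\n' "$1" | awk -F'[:= ]+' '/^Endpoint/ { print $NF }')
  [ "$port" = "$2" ]
}

# wg_status: the same two checks against the live server (the post uses `k` for kubectl).
wg_status() {
  local dump conf
  conf=$(kubectl -n wireguard-ns exec deploy/wireguard-deployment -- cat /config/peer1/peer1.conf)
  check_endpoint_port "$conf" "${NODEPORT:-32003}" \
    || echo "peer1.conf Endpoint port is not ${NODEPORT:-32003}: set SERVERPORT to it, or forward that port on the router"
  dump=$(kubectl -n wireguard-ns exec deploy/wireguard-deployment -- wg show wg0 dump)
  handshake_ok "$dump" "$(date +%s)"
}

NOW=1700000100   # reference time for the constructed samples (epoch seconds)

# Constructed `wg show wg0 dump`: interface line, then peer1 (handshaked 45 s ago)
# and peer2 (never connected). Keys are placeholders, not real keys.
SAMPLE_DUMP=$(
  printf 'srvPrivKeyPlaceholder=\tsrvPubKeyPlaceholder=\t51820\toff\n'
  printf 'peer1PubKeyPlaceholder=\t(none)\t203.0.113.7:41234\t10.13.13.2/32\t%s\t5120\t8192\t0\n' "$((NOW - 45))"
  printf 'peer2PubKeyPlaceholder=\t(none)\t(none)\t10.13.13.3/32\t0\t0\t0\t0\n'
)
# Constructed dump where peer1's last handshake is 600 s old: the session is stale.
STALE_DUMP=$(
  printf 'srvPrivKeyPlaceholder=\tsrvPubKeyPlaceholder=\t51820\toff\n'
  printf 'peer1PubKeyPlaceholder=\t(none)\t203.0.113.7:41234\t10.13.13.2/32\t%s\t5120\t8192\t0\n' "$((NOW - 600))"
)
# Constructed peer config in the layout the image writes to /config/peer1/peer1.conf.
SAMPLE_PEER_CONF='[Interface]
Address = 10.13.13.2
PrivateKey = peer1PrivKeyPlaceholder=
ListenPort = 51820
DNS = 10.13.13.1

[Peer]
PublicKey = srvPubKeyPlaceholder=
PresharedKey = pskPlaceholder=
Endpoint = some-dns.duckdns.org:51820
AllowedIPs = 0.0.0.0/0'

if [ "${1:-}" = live ]; then
  wg_status
else
  handshake_ok "$SAMPLE_DUMP" "$NOW" || echo "no peer has a recent handshake"
  check_endpoint_port "$SAMPLE_PEER_CONF" 51820 \
    && echo "sample conf Endpoint port is 51820 (fine only if the router forwards 51820 to the nodePort)"
fi
```

The 180 s threshold is WireGuard's own REJECT_AFTER_TIME, so a peer whose last handshake is older than that is not merely idle; its session has been discarded and the client must handshake again before any traffic can pass. Without arguments the script only exercises the constructed samples, so it can be tried before the cluster exists; with live it needs kubectl access to the namespace.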

And that's about it; that is enough to reach your lab's Kubernetes services from outside.