WireGuard on K8s: road-warrior-style VPN server

165 points by sclevine, about 5 years ago

11 comments

tombh, about 5 years ago
I think we all understand the usefulness of a road-warrior-style VPN. But it doesn't seem so clear what k8s is adding here?

Anyway, on the topic of scalable UDP services, does anyone have any experience of load balancing a UDP service? Because UDP is connectionless there's no obvious way to make UDP packets "sticky". Are there any established practices that could help scale this k8s Wireguard service to 2 or more containers?
rektide, about 5 years ago
Worth mentioning Kilo, which is an enhancement or a CNI (container network interface) provider that does Wireguard for Kubernetes.

https://github.com/squat/kilo
vpner, about 5 years ago
GitHub has several projects that automate setting up a wireguard VPN on various cloud VMs without K8s: https://github.com/topics/wireguard. There's also this tutorial that sets up a VPN along with proper DNS configuration so that DNS doesn't leak: https://www.ckn.io/blog/2017/11/14/wireguard-vpn-typical-setup/.
BillinghamJ, about 5 years ago
You can install the WireGuard tools only, without the kernel extensions etc, with:

    apt-get install -y --no-install-recommends wireguard-tools

This is all you need with the server flavour of 20.04. For the minimal one, you need a couple more.

So no need to use a builder image
aequitas, about 5 years ago
A few people seem to be confused why K8s is needed when you can just run this on the OS itself. I think they miss the point that this is not a guide to set up Wireguard using K8s but to set up Wireguard if you only have/want a K8s environment.

As the author notes: "you can run a road-warrior-style Wireguard server in K8s without making changes to the node."

Which makes this guide ideal for me. I run a lightweight K8s flavor (K3s, https://k3s.io/) as "configuration management" on my home server and home automation Raspberry Pi's because I don't want to mess with OS/userland configuration or the associated tools (Puppet, Ansible, hacked together scripts, etc) or want to maintain any OS state manually.

For my setup I just flash K3s to disk or SD card and let it join the cluster. Everything else is configured in Kubernetes and stored nicely as configuration files on my laptop so I have an overview of everything and can modify/rebuild whenever I want.
wferrell, about 5 years ago
Worth taking a look at http://tailscale.com - Their tag line: Private networks made easy. No affiliation -- just like their product.
sandGorgon, about 5 years ago
This example uses k3s - which is the k8s distribution by the Rancher guys. Really cool distro - simple UX. Runs equally well on a raspberry pi or the cloud
stzup7, about 5 years ago
I'm not sure I understand the use case. Is the goal to replace things like flannel? Or route all your traffic from a single gateway?
Legogris, about 5 years ago
Is there any reason why OP installs iproute2 and iptables not in the builder together with the wireguard package but in the final container image?
godelmachine, about 5 years ago
While we are discussing this, I see NordVPN has also released support for Wireguard and named it NordLynx
microcolonel, about 5 years ago
Well, there's road-warrior, and then there's *road-warrior*.

I've been trying out Glorytun, it does multi-path VPN with a relatively similar wire format to WireGuard. Being mostly indoors, due to the microbial boogaloo, I've not been trying it with the most interesting applications.