Wireguard Bastion
Deployment of Wireguard Bastion host
Wireguard is the recommended VPN to get private channel access to your OpenG2P clusters and resources. Wireguard is a fast secure & open-source VPN, with P2P traffic encryption.
The document talks about setting up a Wireguard bastion host (Wireguard server) to enable a private channel to the Kubernetes cluster.
Prerequisites
One virtual machine (VM) running on the same network as the rest of the nodes, and has access to them. For recommended configuration of the VM refer to Hardware Requirements.
Docker installed on the VM
Installation
Clone the openg2p-deployment repo and navigate to the kubernetes/wireguard directory
Run this with root privileges:
For example:
Make sure to edit the firewall rules of this VM to enable incoming traffic on the above UDP port (Default 51820) and disable incoming traffic on all other ports (excluding SSH)
Multiple Wireguard servers
Multiple Wireguard bastions are required to separate groups of users accessing applications on the cluster. For example, a sandbox runs inside a namespace, and you may wish to grant access to applications only within a namespace. This can be achieved by running an instance of a Wireguard server that routes traffic to one or more load balancers. See deployment architecture. The "access group" is a set of users who are given keys to access cluster apps via a particular Wireguard server.
You may install multiple Wireguard servers on the same VM, by repeating the above procedure with a different Wireguard server name, client IPs subnet mask, subnet mask of load balancer and port.
Access to users
Refer to this Wireguard Access to Users
Wireguard client
To access systems behind Wireguard bastion, you need to install Wireguard client on your machine. Install the client as follows:
Last updated