Commit Graph

5 Commits

Author SHA1 Message Date
Lucas Servén Marín
0d199db009
pkg/wireguard: ignore changes to peers behind NAT
This commit enables Kilo to ignore changes to the endpoints of peers
that sit behind a NAT gateway. We use the heuristic of a non-zero
persistent keepalive to decide whether the endpoint field should be
ignored. This will allow NATed peers to roam and for every node in the
cluster to have a different value for a peer's endpoint, as is natural
when a peer's connections are NATed.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-02-28 14:56:02 +01:00
Lucas Servén Marín
aa376ff0d1
pkg/mesh,pkg/wireguard: allow DNS name endpoints
This commit allows DNS names to be used when specifying the endpoint
for a node in the WireGuard mesh. This is useful in many scenarios, in
particular when operating an IoT device whose public IP is dynamic. This
change allows the administrator to use a dynamic DNS name in the node's
endpoint.

One of the side-effects of this change is that the WireGuard port can
now be specified individually for each node in the mesh, if the
administrator wishes to do so.

*Note*: this commit introduces a breaking change; the
`force-external-ip` node annotation has been removed; its functionality
has been ported over to the `force-endpoint` annotation. This annotation
is documented in the annotations.md file. The expected content of this
annotation is no longer a CIDR but rather a host:port. The host can be
either a DNS name or an IP.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-02-22 17:17:13 +01:00
Lucas Servén Marín
35390054ba
pkg: deduplicate peer IP addresses
We need to defensively deduplicate peer allowed IPs.
If two peers claim the same IP, the WireGuard configuration
could flap, causing the interface to churn.
2019-05-10 02:07:42 +02:00
Lucas Servén Marín
cd9c83b3bc
pkg/wireguard: simplify returns 2019-05-03 13:49:55 +02:00
Lucas Servén Marín
2425a06cd8
*: add peer VPN support
This commit adds support for defining arbitrary peers that should have
access to the VPN. In k8s, this is accomplished using the new Peer CRD.
2019-05-03 12:53:44 +02:00