Commit Graph

8 Commits

Author SHA1 Message Date
Lucas Servén Marín
0a10dc921c
pkg/k8s/apis: support for preshared keys in peers
This commit adds support for defining preshared keys when declaring a
new Peer CRD. This preshared key will be used whenever the nodes in the
Kilo mesh communicate with that peer.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-05-05 11:36:43 +02:00
Lucas Servén Marín
810dae695e
pkg/wireguard: edge case when endpoints are nil
Peers may have nil endpoints, a case which must be gracefully handled.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-06 15:21:30 +01:00
Lucas Servén Marín
29280a987e
pkg/mesh,pkg/wireguard: sync NAT endpoints
This commit changes how Kilo allows nodes and peers behind NAT to roam.
Rather that ignore changes to endpoints when comparing WireGuard
configurations, Kilo now incorporates changes to endpoints for peers
behind NAT into its configuration first and later compares the
configurations.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-04 01:37:08 +01:00
Lucas Servén Marín
0d199db009
pkg/wireguard: ignore changes to peers behind NAT
This commit enables Kilo to ignore changes to the endpoints of peers
that sit behind a NAT gateway. We use the heuristic of a non-zero
persistent keepalive to decide whether the endpoint field should be
ignored. This will allow NATed peers to roam and for every node in the
cluster to have a different value for a peer's endpoint, as is natural
when a peer's connections are NATed.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-02-28 14:56:02 +01:00
Lucas Servén Marín
aa376ff0d1
pkg/mesh,pkg/wireguard: allow DNS name endpoints
This commit allows DNS names to be used when specifying the endpoint
for a node in the WireGuard mesh. This is useful in many scenarios, in
particular when operating an IoT device whose public IP is dynamic. This
change allows the administrator to use a dynamic DNS name in the node's
endpoint.

One of the side-effects of this change is that the WireGuard port can
now be specified individually for each node in the mesh, if the
administrator wishes to do so.

*Note*: this commit introduces a breaking change; the
`force-external-ip` node annotation has been removed; its functionality
has been ported over to the `force-endpoint` annotation. This annotation
is documented in the annotations.md file. The expected content of this
annotation is no longer a CIDR but rather a host:port. The host can be
either a DNS name or an IP.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-02-22 17:17:13 +01:00
Lucas Servén Marín
35390054ba
pkg: deduplicate peer IP addresses
We need to defensively deduplicate peer allowed IPs.
If two peers claim the same IP, the WireGuard configuration
could flap, causing the interface to churn.
2019-05-10 02:07:42 +02:00
Lucas Servén Marín
cd9c83b3bc
pkg/wireguard: simplify returns 2019-05-03 13:49:55 +02:00
Lucas Servén Marín
2425a06cd8
*: add peer VPN support
This commit adds support for defining arbitrary peers that should have
access to the VPN. In k8s, this is accomplished using the new Peer CRD.
2019-05-03 12:53:44 +02:00