How to automate the key exchange in WireGuard when you deploy a cluster of machines?
Problem
Let's assume you want to deploy a cluster of machines on Hetzner Cloud. For simplicity let's call them worker1, worker2, worker3. They need to communicate with a server called master, which will be running on a different account than the workers. Ideally, the whole setup should not be open to the internet. Unfortunately, Hetzner supports only private networks within the same account.
To make it work, you can set up your own VPN using WireGuard. Conceptually, it is not hard. You need to set up three connections (between the master and each worker). The tricky part is how to automate the key exchange. Ideally, it should not be more work if you deploy additional workers (e.g. 100 instead of 3 workers).
Setting up such a VPN cluster sounds like a common problem, but I cannot find any recommendations on how to set up 1-to-n or n-to-m connections, only tutorials on how to peer two machines. I'm thinking of automating the key exchange with Ansible (generate keys, gather them, install them on the master), but wanted to check first whether there is an easier solution to the problem that I missed.
In SSH, workers could share their key, which would simplify the problem. In WireGuard, keys cannot be shared, as far as I understood. How would you automate the setup of a VPN with WireGuard, so each worker can reach the master? Or is WireGuard the wrong choice for the problem?
Clarification:
- In my scenario, it is not possible to move the workers and master to the same account; otherwise, Hetzner networks would be the straightforward solution for setting up a private network.
- If you are not familiar with Hetzner Cloud, it is not a problem. You can assume that you get normal Linux machines, but then you are on your own (it does not support VPC peering across accounts as AWS does). Yet you can use all Linux tools available for creating the VPN setup. WireGuard would be my first choice, but I'm open to other techniques.
Solution
The githubixx wireguard ansible role might be what you are looking for. The author of the role says:
I use WireGuard to setup a fully meshed VPN (every host can directly connect to
every other host) and run my Kubernetes (K8s) cluster at Hetzner Cloud (but you
should be able to use any hoster you want). So the important components like the
K8s controller and worker nodes (which includes the pods) only communicate via
encrypted WireGuard VPN. Also (as already mentioned) I've two clients. Both have
kubectl installed and are able to talk to the internal Kubernetes API server by
using WireGuard VPN.
I reviewed the tasks and the template, but I haven't tried it out yet myself. It supports different versions of Linux. It installs WireGuard. It handles key generation, distribution, and WireGuard configuration for a full mesh VPN. For each host it configures an interface with the host's private key as well as peer configuration for all the other hosts using their own public keys. You can set variables in the Ansible inventory for each host (e.g. addresses) to tailor the configurations to your network.
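As an added illustration of the key-handling model the question and answer describe (this is example code, not code from the question, the answer, or the githubixx role), the block below renders the 1-to-n configuration: the master lists every worker as a peer, each worker lists only the master, and every host's private key is used only in its own [Interface] section. It assumes each host has already generated its own key pair (wg genkey / wg pubkey) and that only the public keys were gathered centrally, as an Ansible fetch task would do; the keys in the block are constructed, correctly sized placeholders, not real keys.

```python
import base64
from dataclasses import dataclass


@dataclass
class Host:
    name: str
    vpn_ip: str         # address inside the VPN, e.g. 10.10.0.2
    public_key: str     # base64 public key gathered from the host
    endpoint: str = ""  # public addr:port if the host is reachable from outside, else ""


def check_key(key: str) -> str:
    """Reject anything that is not a 32-byte base64 string (a pasted file path, a truncated key)."""
    if len(base64.b64decode(key, validate=True)) != 32:
        raise ValueError(f"not a 32-byte WireGuard key: {key!r}")
    return key


def peer_block(h: Host, keepalive: bool = False) -> list[str]:
    """One [Peer] section; the /32 AllowedIPs means cryptokey routing only accepts h's own VPN address from h."""
    block = ["", f"# {h.name}", "[Peer]", f"PublicKey = {check_key(h.public_key)}",
             f"AllowedIPs = {h.vpn_ip}/32"]
    if h.endpoint:
        block.append(f"Endpoint = {h.endpoint}")
    if keepalive:
        block.append("PersistentKeepalive = 25")  # keeps NAT/firewall state alive from the dialing side
    return block


def render_conf(me: Host, private_key: str, peers: list[Host], port: int = 0, keepalive: bool = False) -> str:
    """[Interface] with this host's own private key (never gathered) plus one [Peer] per other host."""
    lines = ["[Interface]", f"PrivateKey = {check_key(private_key)}", f"Address = {me.vpn_ip}/24"]
    if port:
        lines.append(f"ListenPort = {port}")
    for p in peers:
        lines += peer_block(p, keepalive)
    return "\n".join(lines) + "\n"


def hub_and_spoke(master: Host, master_priv: str, workers: list[Host], worker_privs: dict[str, str]) -> dict[str, str]:
    """1-to-n: the master peers with every worker, each worker peers only with the master."""
    confs = {master.name: render_conf(master, master_priv, workers, port=51820)}
    for w in workers:
        confs[w.name] = render_conf(w, worker_privs[w.name], [master], keepalive=True)
    return confs


def fake_key(n: int) -> str:
    """Constructed placeholder: correctly sized for WireGuard, but NOT a real key."""
    return base64.b64encode(bytes([n]) * 32).decode()


MASTER = Host("master", "10.10.0.1", fake_key(1), "203.0.113.10:51820")
WORKERS = [Host(f"worker{i}", f"10.10.0.{i + 1}", fake_key(10 + i)) for i in range(1, 4)]
CONFS = hub_and_spoke(MASTER, fake_key(101), WORKERS, {w.name: fake_key(200 + i) for i, w in enumerate(WORKERS)})
```

Adding a hundredth worker means gathering one more public key and regenerating the master's file; for the full mesh the role builds, each host would instead get peer_block entries for all other hosts.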
Context
StackExchange DevOps Q#12071, answer score: 1