Wireguard Edge Node #11961
-
|
I am going slightly crazy and wanted to double-check my plan is realistic before I go deeper... I have a hybrid cloud, or at least might have one. The goal is to connect edge nodes via Wireguard, and connect to all kubelet/discovery/talos api/etc connections over that wireguard interface. I am not using kubespan because of potential conflicts with Cilium. Is this the right way to go about it? I see in the logs that the wireguard interface is "reconfigured" but nothing beyond that. No wireguard packets are registered at the router (the other side of the link). Is there a way to increase wireguard log verbosity on the talos side? |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 12 replies
-
|
KubeSpan might be easier, or Omni might be a better story for edge. But you can get wireguard details via |
Beta Was this translation helpful? Give feedback.
-
|
I bumped to 1.11.2, no luck Setting wg: interface: Not sure it says address removed from eth0??? Kubelet fails to DL, but looks like it is running after the route is set, apid keeps repeating waiting to start I don't see anything else in the logs... |
Beta Was this translation helpful? Give feedback.
-
|
I think at this point this discussion doesn't match the title. If you have issues on Hetzner, you might need to simplify things, boot latest Talos, and verify that it works. And only after that try Wireguard or any other things. |
Beta Was this translation helpful? Give feedback.
-
|
Agreed, thank you all for the responses. I will simplify my config and add back one piece at a time. If wireguard is indeed an issue I'll reopen, or create another more relevant discussion. Thanks again :) |
Beta Was this translation helpful? Give feedback.
-
|
It was indeed a wireguard issue. Namely that routes are not automatically created for networks defined in Allowed addresses as they are when using wg-quick. With no keepalive set and no routes the link remained dead and there was basically nothing to debug. With the routes added the node joins as intended, and with a node ip on the wireguard subnet I have a node joined without needing to open extra ports. |
Beta Was this translation helpful? Give feedback.
It was indeed a wireguard issue. Namely that routes are not automatically created for networks defined in Allowed addresses as they are when using wg-quick.
With no keepalive set and no routes the link remained dead and there was basically nothing to debug.
With the routes added the node joins as intended, and with a node ip on the wireguard subnet I have a node joined without needing to open extra ports.