WireGuard on Antrea implementation #2243

xliuxu · 2021-06-07T06:33:45Z

Describe what you are trying to solve
This proposal summarizes the first version of WireGuard on Antrea. Refer to #2204 for the proposal.

In the first version, we want to implement WireGuard on default encap mode as existing features such as EgressPolicy will not be affected.

Describe how your solution impacts user flows
Users can enable WireGuard in configmap by setting enableWireGuard: true to enable WireGuard encryption.

Describe the main design/architecture of your solution

Control Plane

antrea-init

antrea-init should be able to load WireGuard kernel module and save the status.

antrea-agent

Node controller should check whether WireGuard is enabled in configmap. If yes the following steps should take place.

setup up WireGuard interface, including setting up MTU, private key, listening port, setting rp_filter to 2
expose the public key by annotation.
list and watch all kubernetes Node resource, read set PublicKey, AllowedIPs, Endpoint as WireGuard peer.

Data plane

On the Node, antrea-agent will realize whether WireGuard is enabled and mark packets accordingly.

// If wireguard is enabled
// table=70
- priority=200,ip,nw_dst=remote_cidr, actions=mod_dl_src:gw0_mac,mod_dl_dst:vMAC,load:remote_node_ip->NXM_NX_TUN_IPV4_DST[],resubmit(,72)
+ priority=200,ip,nw_dst=remote_cidr, actions=mod_dl_src:local_gw_mac,mod_dl_dst:vMAC,load:remote_node_ip->NXM_NX_TUN_IPV4_DST[],load:tunnel_pkt_mark->NXM_NX_PKT_MARK[],resubmit(,72)

// If EgressPolicy rules are present
// table 72
- priority=200 ip,in_port=local_pods mod_dl_src:gw0_mac,mod_dl_dst:vMAC,snat_ip->NXM_NX_TUN_IPV4_DST,goto:72
+ priority=200 ip,in_port=local_pods mod_dl_src:gw0_mac,mod_dl_dst:vMAC,snat_ip->NXM_NX_TUN_IPV4_DST,set_field:1234->pkt_mark,goto:72

Routing change:
Add a new routing table to handle packets with the specific pkt_mark. The default route should be the WireGuard tunnel.
e.g.

// ip rule 
0:	from all lookup local
1000:	from all fwmark 0x4d2 lookup 10
32766:	from all lookup main
32767:	from all lookup default
// route in table 10
default dev antrea-wg scope link src 172.16.10.12

Work breakdown

antrea-init load kernel module
antrea-agent setting up WireGuard interface and watch/reconcile changes
openflow entries change
routing rule/table change

Alternative solutions that you considered
N/A

Test plan
Add E2E tests to verify all features when WireGuard is enabled. We can use user-space implementation of WireGuard to run tests in kind clusters.

Additional context
Any other relevant information.

The text was updated successfully, but these errors were encountered:

of antrea-io#2243. Currently WireGuard only support with antrea encap mode. Signed-off-by: Xu Liu <[email protected]>

This PR implements antrea-io#2243. Currently WireGuard only support with antrea encap mode. Signed-off-by: Xu Liu <[email protected]>

This PR implements antrea-io#2243. Change tunnel traffic encryption option to enum type. The options contains none (default), ipsec and wireguard. Signed-off-by: Xu Liu <[email protected]>

This PR implements #2243. Change tunnel traffic encryption option to enum type. The options contains none (default), ipsec and wireguard. Signed-off-by: Xu Liu <[email protected]>

tnqn · 2021-08-27T08:22:55Z

@xliuxu Thanks for your work. Please use github keyword "Closes #XXXX" in your future PRs so they can close issues automatically on merge.

#2297 implemented this, closing this issue.

xliuxu · 2021-08-27T08:24:20Z

Thank you @tnqn!

xliuxu added the kind/design Categorizes issue or PR as related to design. label Jun 7, 2021

xliuxu added a commit to xliuxu/antrea that referenced this issue Jun 23, 2021

Add WireGuard client for tunnel traffic encryption. This PR is a part

6fad13a

of antrea-io#2243. Currently WireGuard only support with antrea encap mode. Signed-off-by: Xu Liu <[email protected]>

xliuxu mentioned this issue Jun 23, 2021

Add WireGuard support for tunnel traffic encryption #2297

Merged

xliuxu added a commit to xliuxu/antrea that referenced this issue Jun 23, 2021

Add WireGuard client for tunnel traffic encryption. This PR is a part

b86d760

of antrea-io#2243. Currently WireGuard only support with antrea encap mode. Signed-off-by: Xu Liu <[email protected]>

xliuxu added a commit to xliuxu/antrea that referenced this issue Jun 23, 2021

Add WireGuard client for tunnel traffic encryption. This PR is a part

2872056

of antrea-io#2243. Currently WireGuard only support with antrea encap mode. Signed-off-by: Xu Liu <[email protected]>

xliuxu added a commit to xliuxu/antrea that referenced this issue Jun 23, 2021

Add WireGuard client for tunnel traffic encryption. This PR is a part

b823ec3

of antrea-io#2243. Currently WireGuard only support with antrea encap mode. Signed-off-by: Xu Liu <[email protected]>

xliuxu added a commit to xliuxu/antrea that referenced this issue Jun 23, 2021

Add WireGuard client for tunnel traffic encryption. This PR is a part

bd9fa04

of antrea-io#2243. Currently WireGuard only support with antrea encap mode. Signed-off-by: Xu Liu <[email protected]>

xliuxu added a commit to xliuxu/antrea that referenced this issue Jun 23, 2021

Add WireGuard client for tunnel traffic encryption. This PR is a part

cd127f5

of antrea-io#2243. Currently WireGuard only support with antrea encap mode. Signed-off-by: Xu Liu <[email protected]>

xliuxu added a commit to xliuxu/antrea that referenced this issue Jun 24, 2021

Add WireGuard client for tunnel traffic encryption. This PR is a part

e281dce

of antrea-io#2243. Currently WireGuard only support with antrea encap mode. Signed-off-by: Xu Liu <[email protected]>

xliuxu added a commit to xliuxu/antrea that referenced this issue Jun 25, 2021

Add WireGuard client for tunnel traffic encryption. This PR is a part

d912083

of antrea-io#2243. Currently WireGuard only support with antrea encap mode. Signed-off-by: Xu Liu <[email protected]>

xliuxu added a commit to xliuxu/antrea that referenced this issue Jun 25, 2021

Add WireGuard client for tunnel traffic encryption. This PR is a part

0044a2f

of antrea-io#2243. Currently WireGuard only support with antrea encap mode. Signed-off-by: Xu Liu <[email protected]>

xliuxu added a commit to xliuxu/antrea that referenced this issue Jun 25, 2021

Add WireGuard client for tunnel traffic encryption. This PR is a part

0d2eade

of antrea-io#2243. Currently WireGuard only support with antrea encap mode. Signed-off-by: Xu Liu <[email protected]>

xliuxu added a commit to xliuxu/antrea that referenced this issue Jun 25, 2021

Add WireGuard client for tunnel traffic encryption. This PR is a part

80df4f5

of antrea-io#2243. Currently WireGuard only support with antrea encap mode. Signed-off-by: Xu Liu <[email protected]>

xliuxu added a commit to xliuxu/antrea that referenced this issue Jun 25, 2021

Add WireGuard client for tunnel traffic encryption. This PR is a part

2a6e9cf

of antrea-io#2243. Currently WireGuard only support with antrea encap mode. Signed-off-by: Xu Liu <[email protected]>

xliuxu added a commit to xliuxu/antrea that referenced this issue Jun 28, 2021

Add WireGuard client for tunnel traffic encryption. This PR is a part

2564d69

of antrea-io#2243. Currently WireGuard only support with antrea encap mode. Signed-off-by: Xu Liu <[email protected]>

xliuxu added a commit to xliuxu/antrea that referenced this issue Jun 29, 2021

Add WireGuard client for tunnel traffic encryption.

a14ad1d

This PR implements antrea-io#2243. Currently WireGuard only support with antrea encap mode. Signed-off-by: Xu Liu <[email protected]>

xliuxu added a commit to xliuxu/antrea that referenced this issue Jun 30, 2021

Add WireGuard client for tunnel traffic encryption.

5a751f2

This PR implements antrea-io#2243. Currently WireGuard only support with antrea encap mode. Signed-off-by: Xu Liu <[email protected]>

xliuxu added a commit to xliuxu/antrea that referenced this issue Jun 30, 2021

Add WireGuard client for tunnel traffic encryption.

aac4e7a

This PR implements antrea-io#2243. Currently WireGuard only support with antrea encap mode. Signed-off-by: Xu Liu <[email protected]>

xliuxu added a commit to xliuxu/antrea that referenced this issue Jun 30, 2021

Add WireGuard client for tunnel traffic encryption.

5166d25

This PR implements antrea-io#2243. Currently WireGuard only support with antrea encap mode. Signed-off-by: Xu Liu <[email protected]>

xliuxu added a commit to xliuxu/antrea that referenced this issue Jun 30, 2021

Add WireGuard client for tunnel traffic encryption.

8ef795f

This PR implements antrea-io#2243. Currently WireGuard only support with antrea encap mode. Signed-off-by: Xu Liu <[email protected]>

xliuxu added a commit to xliuxu/antrea that referenced this issue Jul 2, 2021

Add WireGuard client for tunnel traffic encryption.

ff855dd

This PR implements antrea-io#2243. Currently WireGuard only support with antrea encap mode. Signed-off-by: Xu Liu <[email protected]>

xliuxu added a commit to xliuxu/antrea that referenced this issue Jul 2, 2021

Add WireGuard client for tunnel traffic encryption.

b0fb85c

This PR implements antrea-io#2243. Currently WireGuard only support with antrea encap mode. Signed-off-by: Xu Liu <[email protected]>

xliuxu added a commit to xliuxu/antrea that referenced this issue Jul 2, 2021

Add WireGuard client for tunnel traffic encryption.

15842d6

This PR implements antrea-io#2243. Currently WireGuard only support with antrea encap mode. Signed-off-by: Xu Liu <[email protected]>

xliuxu added a commit to xliuxu/antrea that referenced this issue Jul 7, 2021

Add WireGuard client for tunnel traffic encryption.

6ca5c58

This PR implements antrea-io#2243. Currently WireGuard only support with antrea encap mode. Signed-off-by: Xu Liu <[email protected]>

xliuxu added a commit to xliuxu/antrea that referenced this issue Jul 7, 2021

Add WireGuard client for tunnel traffic encryption.

012f627

This PR implements antrea-io#2243. Currently WireGuard only support with antrea encap mode. Signed-off-by: Xu Liu <[email protected]>

xliuxu added a commit to xliuxu/antrea that referenced this issue Jul 7, 2021

Add WireGuard client for tunnel traffic encryption.

91c1083

This PR implements antrea-io#2243. Currently WireGuard only support with antrea encap mode. Signed-off-by: Xu Liu <[email protected]>

xliuxu added a commit to xliuxu/antrea that referenced this issue Jul 7, 2021

Add WireGuard client for tunnel traffic encryption.

b6a7c03

This PR implements antrea-io#2243. Currently WireGuard only support with antrea encap mode. Signed-off-by: Xu Liu <[email protected]>

xliuxu added a commit to xliuxu/antrea that referenced this issue Jul 8, 2021

Add WireGuard client for tunnel traffic encryption.

2966a3f

This PR implements antrea-io#2243. Currently WireGuard only support with antrea encap mode. Signed-off-by: Xu Liu <[email protected]>

xliuxu added a commit to xliuxu/antrea that referenced this issue Jul 12, 2021

Add WireGuard client for tunnel traffic encryption.

fc70a24

This PR implements antrea-io#2243. Currently WireGuard only support with antrea encap mode. Signed-off-by: Xu Liu <[email protected]>

xliuxu added a commit to xliuxu/antrea that referenced this issue Jul 22, 2021

Add WireGuard client for tunnel traffic encryption.

72ae9d8

This PR implements antrea-io#2243. Currently WireGuard only support with antrea encap mode. Signed-off-by: Xu Liu <[email protected]>

tnqn closed this as completed Aug 27, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

WireGuard on Antrea implementation #2243

WireGuard on Antrea implementation #2243

xliuxu commented Jun 7, 2021 •

edited

Loading

tnqn commented Aug 27, 2021

xliuxu commented Aug 27, 2021

WireGuard on Antrea implementation #2243

WireGuard on Antrea implementation #2243

Comments

xliuxu commented Jun 7, 2021 • edited Loading

Control Plane

antrea-init

antrea-agent

Data plane

Work breakdown

tnqn commented Aug 27, 2021

xliuxu commented Aug 27, 2021

xliuxu commented Jun 7, 2021 •

edited

Loading