Add VPN/WG support to Virtual Router #68
Comments
sk4zuzu added a commit that referenced this issue Mar 28, 2024

- Add onewg VPN admin tool
- Add Service::WireGuard feature to VR
- Adjust Service::Failover accordingly

sk4zuzu added a commit that referenced this issue Mar 28, 2024

- Add onewg VPN admin tool
- Add Service::WireGuard feature to VR
- Adjust Service::Failover accordingly
- Add basic JSON schema validation

sk4zuzu added a commit that referenced this issue Mar 29, 2024

- Add onewg VPN admin tool
- Add Service::WireGuard feature to VR
- Adjust Service::Failover accordingly
- Add basic JSON schema validation

sk4zuzu added a commit that referenced this issue Mar 29, 2024

- Add onewg VPN admin tool
- Add Service::WireGuard feature to VR
- Adjust Service::Failover accordingly
- Add basic JSON schema validation

sk4zuzu added a commit that referenced this issue Mar 29, 2024

- Add onewg VPN admin tool
- Add Service::WireGuard feature to VR
- Adjust Service::Failover accordingly
- Add basic JSON schema validation
rsmontero added a commit that referenced this issue May 5, 2024

rsmontero added a commit that referenced this issue May 6, 2024

Configuration (server-side) is stored in virtual router VMs using:

- ONEAPP_VNF_WG_SERVER wg0.conf file base64 encoded
- ONEAPP_VNF_WG_SERVER_TIMESTAMP when file was generated

Virtual router will reuse this configuration if present in any of the virtual router VMs. State is managed through onegate, thus required to run the WG service
rsmontero added a commit that referenced this issue May 8, 2024

WG support allows you to set up a VPN with one of the "internal" subnets attached to the VR.

Configuration
-------------

Sample configuration minimal (with 5 peers):

    CONTEXT = [
      ...
      ONEAPP_VNF_WG_ENABLED = "YES",
      ONEAPP_VNF_WG_INTERFACE_OUT = "eth0",
      ONEAPP_VNF_WG_INTERFACE_IN = "eth1",
      ...
    ]

Configuration parameters:

- ONEAPP_VNF_WG_ENABLED. Enables the service
- ONEAPP_VNF_WG_INTERFACE_OUT. The NIC to connect clients, its IP will be the service endpoint (MANDATORY)
- ONEAPP_VNF_WG_INTERFACE_IN. The NIC to connect to the private subnet (MANDATORY)
- ONEAPP_VNF_WG_LISTEN_PORT. Listen port number, defaults to 51820
- ONEAPP_VNF_WG_DEVICE. WG device name, defaults to wg0
- ONEAPP_VNF_WG_PEERS. Number of peers, it will generate peer configuration and associated keys
- ONEAPP_VNF_WG_SUBNET. Subnet used to interconnect WG peers; these addresses should not be part of an OpenNebula virtual network. Defaults to '169.254.33.0/24'

Once the VR is running, peer configuration is stored in the VM USER TEMPLATE as:

- ONEAPP_VNF_WG_SERVER for the WG server (VR)
- ONEAPP_VNF_WG_PEER<number>, e.g. ONEAPP_VNF_WG_PEER0

The information is base64 encoded.

Requirements
------------

- onegate is needed to publish the peers configuration
- peer subnet should not collide with the OpenNebula Vnet address ranges. The provided default should be safe for most cases.
- can run in standalone mode (i.e. as a VM) or as a full virtual router

Internal
--------

- A onewg tool is included to manage configurations. Not used by current implementation
- Add Service::WireGuard feature to VR
- Adjust Service::Failover accordingly
- New method to get subnet addresses by nic

co-authored-by: Michal Opala <mopala@opennebula.io>
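A pre-flight check for the context parameters and the subnet-collision requirement listed in the commit message above, as an added example that is not part of one-apps. `wg_context_problems`, `cidr_overlap?` and the peer-capacity rule are hypothetical, and the VNet ranges are supplied by the caller.

```ruby
require 'ipaddr'

# Added example, not one-apps code. Parameter names and defaults come from the
# commit message; the checks themselves are assumptions about sane values.
WG_DEFAULTS = {
  'ONEAPP_VNF_WG_LISTEN_PORT' => '51820',
  'ONEAPP_VNF_WG_SUBNET'      => '169.254.33.0/24'
}.freeze

# True when two CIDR blocks of the same address family share an address.
def cidr_overlap?(a, b)
  ra = IPAddr.new(a).to_range
  rb = IPAddr.new(b).to_range
  return false unless ra.first.family == rb.first.family
  ra.first <= rb.last && rb.first <= ra.last
end

# Returns the problems found in a CONTEXT hash (empty array = passed).
# vnet_ranges: CIDRs of the OpenNebula virtual networks, supplied by the caller.
def wg_context_problems(context, vnet_ranges)
  ctx = WG_DEFAULTS.merge(context)
  return [] unless ctx['ONEAPP_VNF_WG_ENABLED'] == 'YES'

  problems = []
  %w[ONEAPP_VNF_WG_INTERFACE_OUT ONEAPP_VNF_WG_INTERFACE_IN].each do |key|
    problems << "#{key} is mandatory" if ctx[key].to_s.empty?
  end

  port = Integer(ctx['ONEAPP_VNF_WG_LISTEN_PORT'], exception: false)
  problems << 'listen port out of range' unless port&.between?(1, 65_535)

  subnet = ctx['ONEAPP_VNF_WG_SUBNET']
  begin
    net = IPAddr.new(subnet)
  rescue IPAddr::Error
    return problems << "invalid subnet #{subnet}"
  end
  vnet_ranges.each do |vnet|
    problems << "#{subnet} overlaps VNet #{vnet}" if cidr_overlap?(subnet, vnet)
  end

  # Assumption: one address per peer plus one for the server, excluding the
  # network and broadcast addresses of the subnet.
  peers = Integer(ctx['ONEAPP_VNF_WG_PEERS'] || '0', exception: false)
  capacity = 2**((net.ipv4? ? 32 : 128) - net.prefix) - 3
  problems << 'invalid peer count' if peers.nil? || peers.negative?
  problems << "subnet too small for #{peers} peers" if peers && peers > capacity
  problems
end
```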
rsmontero added a commit that referenced this issue May 9, 2024

- ONEAPP_VNF_WG_PEERx -> ONEGATE_VNF_WG_PEERx
- ONEAPP_VNF_WG_SERVER_TIMESTAMP -> ONEGATE_VNF_WG_SERVER_TIMESTAMP
- ONEAPP_VNF_WG_SERVER -> ONEGATE_VNF_WG_SERVER

This follows the convention used in other apps, so ONEAPP_* are set by the user in context, and ONEGATE_* are dynamically generated by the apps.

This commit also removes the onewg tool
Aletibazo pushed a commit to Aletibazo/one-apps that referenced this issue May 16, 2024
Aletibazo pushed a commit to Aletibazo/one-apps that referenced this issue May 16, 2024
closing, will improve the UX in a more general approach here OpenNebula/one#6618
No description provided.