sumarsono.com
Take it with a grain of salt


Kubernetes WireGuard Using wg-easy


WireGuard Easy: the easiest way to run a WireGuard VPN plus a web-based admin UI.

Since nobody has shared how to deploy wg-easy to Kubernetes other than with Helm, I am writing this. It is just a note on how I deployed a WireGuard VPN on top of Kubernetes.

---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: wg-easy-pvc
  namespace: wireguard
spec:
  storageClassName: openebs-data
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      # wg-easy keeps wg0.conf and its peer database here, including the
      # server's and every peer's private key, so the volume is as sensitive
      # as the dashboard itself.
      storage: 256Mi

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wg-easy
  namespace: wireguard
  labels:
    app: wg-easy
spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: wg-easy
  template:
    metadata:
      labels:
        app: wg-easy
    spec:
      restartPolicy: Always
      initContainers:
      # net.ipv4.ip_forward is a namespaced sysctl, so writing it here takes
      # effect in the pod's network namespace, which the wg-easy container
      # shares. The write needs privileged: /proc/sys is mounted read-only in
      # an ordinary container and NET_ADMIN alone does not lift that.
      - name: init
        image: busybox:1.32.0
        command:
        - sh
        - -c
        # net.ipv4.conf.all.forwarding is the same kernel knob as
        # net.ipv4.ip_forward; the second write is harmless but redundant.
        - sysctl -w net.ipv4.ip_forward=1 && sysctl -w net.ipv4.conf.all.forwarding=1
        securityContext:
          privileged: true   # already grants every capability, so the add below is redundant
          capabilities:
            add:
            - NET_ADMIN
      containers:
      - name: wg-easy
        image: weejewel/wg-easy   # untagged: pin a tag or digest so an upstream rebuild cannot silently change what runs
        securityContext:
          # privileged: true hands the container every capability and every
          # host device. wg-easy's own compose file asks only for NET_ADMIN and
          # SYS_MODULE; privileged works, but is far broader than the VPN needs.
          privileged: true
          capabilities:
            add:
            - NET_ADMIN
        ports:
        - containerPort: 51820
          protocol: UDP
          name: wg
        - containerPort: 51821
          protocol: TCP
          name: wg-dashboard
        env:
        - name: WG_HOST
          value: "sub.domain.tld"   # public name clients dial; must resolve to a node that carries the NodePort below
        - name: PASSWORD
          # Plain text in the manifest: anyone who can read the repo or the pod
          # spec gets the dashboard, and with it every peer's private key.
          value: "your-dashboard-password"
        - name: WG_DEFAULT_DNS
          value: "8.8.8.8"
        # - name: "WG_PORT"
        #   value: "51820"
        # - name: "WG_DEFAULT_ADDRESS"
        #   value: "10.8.0.x"
        # - name: "WG_MTU"
        #   value: "1420"
        # - name: "WG_ALLOWED_IPS"
        #   value: "192.168.15.0/24, 10.0.1.0/24"
        resources:
          requests:
            memory: "64Mi"
            cpu: "150m"
          limits:
            memory: "128Mi"
        volumeMounts:
        - name: wg-easy-data
          mountPath: /etc/wireguard
      volumes:
      - name: wg-easy-data
        persistentVolumeClaim:
          claimName: wg-easy-pvc

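The Deployment above runs both containers with `privileged: true` (a privileged container already holds every capability, so the `capabilities.add` lines change nothing) and stores the dashboard password in the manifest as plain text. Below is an added example, not part of the original post and not wg-easy's own compose file, of the narrower form I would deploy: the password comes from a Secret, the forwarding sysctls are declared on the pod so no privileged init container is needed, and the main container gets only NET_ADMIN and SYS_MODULE. It assumes the kubelets allow those two unsafe sysctls (`--allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv4.conf.all.src_valid_mark`), that the node kernel provides WireGuard, and the Secret name `wg-easy-dashboard` is my choice. Later wg-easy releases replaced `PASSWORD` with a bcrypt `PASSWORD_HASH`; check the README of the image tag you actually run.

```yaml
---
apiVersion: v1
kind: Secret
metadata:
  name: wg-easy-dashboard      # name chosen for this example
  namespace: wireguard
type: Opaque
stringData:
  PASSWORD: "change-me-before-applying"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wg-easy
  namespace: wireguard
  labels:
    app: wg-easy
spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: wg-easy
  template:
    metadata:
      labels:
        app: wg-easy
    spec:
      securityContext:
        # Declared on the pod instead of written by a privileged init container.
        # Both are "unsafe" sysctls to the kubelet: every node needs
        # --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv4.conf.all.src_valid_mark
        # or the kubelet refuses the pod (status reason SysctlForbidden).
        sysctls:
        - name: net.ipv4.ip_forward
          value: "1"
        - name: net.ipv4.conf.all.src_valid_mark
          value: "1"
      containers:
      - name: wg-easy
        image: weejewel/wg-easy   # pin a tag or digest in production
        securityContext:
          # No privileged: true. NET_ADMIN creates wg0 and programs the NAT
          # rules; SYS_MODULE lets the container modprobe wireguard on nodes
          # where the module is not already loaded (drop it once it always is).
          capabilities:
            add:
            - NET_ADMIN
            - SYS_MODULE
        ports:
        - containerPort: 51820
          protocol: UDP
          name: wg
        - containerPort: 51821
          protocol: TCP
          name: wg-dashboard
        env:
        - name: WG_HOST
          value: "sub.domain.tld"
        - name: PASSWORD
          valueFrom:
            secretKeyRef:
              name: wg-easy-dashboard
              key: PASSWORD
        - name: WG_DEFAULT_DNS
          value: "8.8.8.8"
        resources:
          requests:
            memory: "64Mi"
            cpu: "150m"
          limits:
            memory: "128Mi"
        volumeMounts:
        - name: wg-easy-data
          mountPath: /etc/wireguard
      volumes:
      - name: wg-easy-data
        persistentVolumeClaim:
          claimName: wg-easy-pvc
```

After applying, `kubectl -n wireguard exec deploy/wg-easy -- sysctl net.ipv4.ip_forward` should print `1` and `kubectl -n wireguard exec deploy/wg-easy -- wg show` should list `wg0`; if the pod never starts, `kubectl -n wireguard describe pod -l app=wg-easy` will say whether the sysctls were refused or the capabilities were not enough to load the module. The Secret still lands unencrypted in etcd unless encryption at rest is configured, so it is the place to hook in whatever secrets tooling the cluster already uses.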
---
apiVersion: v1
kind: Service
metadata:
  name: wg-easy
  namespace: wireguard
  labels:
    app: wg-easy
spec:
  type: NodePort
  selector:
    app: wg-easy
  ports:
  - port: 51820
    targetPort: wg
    protocol: UDP
    # WireGuard is reached on <node-ip>:30001 (the NodePort range is
    # 30000-32767 by default), but wg-easy writes Endpoint = WG_HOST:51820
    # into the client configs it generates. After importing a config, edit the
    # peer's Endpoint port to 30001, otherwise the handshake never arrives.
    nodePort: 30001

---
apiVersion: v1
kind: Service
metadata:
  name: wg-easy-dashboard
  namespace: wireguard
  labels:
    app: wg-easy
spec:
  selector:
    app: wg-easy
  ports:
  - port: 51821
    targetPort: wg-dashboard

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wg-easy-dashboard
  namespace: wireguard   # an Ingress only routes to Services in its own namespace; without this it lands in the current context's namespace and the backend is never found
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /   # no effect with path "/" and pathType Prefix; can be dropped
    cert-manager.io/cluster-issuer: "production-issuer"
spec:
  ingressClassName: nginx
  rules:
  - host: sub.domain.tld
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: wg-easy-dashboard
            port:
              number: 51821
  tls:
  - hosts:
    - sub.domain.tld
    secretName: sub.domain.tld-cert
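The Ingress publishes the dashboard on the same public name as the VPN endpoint, guarded by a single password. Whoever obtains that password can download every peer's `.conf`, private key included, because wg-easy generates the key pairs itself. The following is an added example, not from the original post, of the same Ingress limited to an administrator's source range with ingress-nginx's `whitelist-source-range` annotation; the range `203.0.113.0/24` is a placeholder. It assumes the controller actually sees the client's address: if ingress-nginx sits behind a NodePort or LoadBalancer Service that SNATs, set `externalTrafficPolicy: Local` on that Service or enable proxy protocol, otherwise the allowlist compares against a node address and either blocks everyone or lets everyone through.

```yaml
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wg-easy-dashboard
  namespace: wireguard          # same namespace as the Service it points at
  annotations:
    cert-manager.io/cluster-issuer: "production-issuer"
    # Only these source ranges may reach the dashboard; everyone else gets 403.
    # 203.0.113.0/24 stands in for the admin network (placeholder value).
    nginx.ingress.kubernetes.io/whitelist-source-range: "203.0.113.0/24"
    # Never serve the login form over plain HTTP.
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx
  rules:
  - host: sub.domain.tld
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: wg-easy-dashboard
            port:
              number: 51821
  tls:
  - hosts:
    - sub.domain.tld
    secretName: sub.domain.tld-cert
```

VPN peers themselves do not show up here as `10.8.0.x`: wg-easy masquerades their traffic to the pod's address on the way out, so reaching the dashboard from inside the tunnel means allowing the pod network, which is a much wider door than it looks. A `curl -sk https://sub.domain.tld/` from an address outside the range should return 403 once this is applied.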