Route traffic via gateway host into your cluster.
Use another host as a gateway to route traffic into your cluster. This is useful if you have a host that is publicly accessible and you want to route traffic into your cluster without exposing your cluster to the public internet or forwarding ports on your home network.
Suppose you have a service inside your cluster which the reverse proxy resolves
to svc0.mydomain.com
and a DNS record for this service that points to the
public IP of the host acting as the gateway. Then, the following happens:
svc0.mydomain.com
.The following packages are required:
The following ports need to be open:
[Interface]
# servers ip in VPN network
Address = 10.1.10.1
PrivateKey = <privkey>
# port to open for inbound connections
ListenPort = 51820
# Peer = cluster
[Peer]
# public key of the cluster client
PublicKey = <pubkey>
# the IP and mask the client should be assigned
AllowedIPs = 10.1.10.2/32
# ...
# bind to the public ip of the host
frontend http
bind 0.0.0.0:80
mode tcp
default_backend backend-http
frontend https
bind 0.0.0.0:443
mode tcp
default_backend backend-https
backend backend-http
mode tcp
# vpn ip of peer (cluster) and add proxy protocol headers
server clustervpn 10.1.10.2:80 send-proxy-v2
backend backend-https
mode tcp
# vpn ip of peer (cluster) and add proxy protocol headers
server clustervpn 10.1.10.2:443 send-proxy-v2
Install this helm chart on your cluster and configure it using the following:
apiVersion: v1
kind: Secret
metadata:
name: wireguard
namespace: some-namespace
type: Opaque
stringData:
wg0.conf: |
[Interface]
# ip of client in vpn network
Address = 10.1.10.2
PrivateKey = <privkey>
# Peer = Gateway
[Peer]
# public key of the gateway
PublicKey = <pubkey>
# this can be the public ip or domain pointing of the gateway
Endpoint = mydomain.com:51820
# allow entire subnet
AllowedIPs = 10.1.10.2/24
# keep the connection alive
PersistentKeepalive = 25
apiVersion: v1
kind: ConfigMap
metadata:
name: haproxy-config
namespace: some-namespace
data:
haproxy.cfg: |
frontend vpn_frontend_http
# accept proxy protocol headers ("passthrough")
bind 10.1.10.2:80 accept-proxy
mode tcp
default_backend cluster_backend_http
frontend vpn_frontend_https
# accept proxy protocol headers ("passthrough")
bind 10.1.10.2:443 accept-proxy
mode tcp
default_backend cluster_backend_https
backend cluster_backend_http
mode tcp
# Forward traffic to reverse proxy via cluster dns with proxy headers
server cluster_dns reverse-proxy.some-namespace.svc.cluster.local:80 send-proxy-v2
backend cluster_backend_https
mode tcp
# Forward traffic to reverse proxy via cluster dns with proxy headers
server cluster_dns reverse-proxy.some-namespace.svc.cluster.local:443 send-proxy-v2
Make sure to accept proxy protocol headers in your reverse proxy configuration from the IP of the wg-punchhole pod or the internal Kubernetes subnet.