# WireGuard Cable Driver
[WireGuard](https://www.wireguard.com "WireGuard homepage") is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography.
Traffic is encrypted and encapsulated in UDP packets.
## Driver design
- WireGuard creates a virtual network device that is accessed via netlink. It appears like any other network device and currently has the
hardcoded name `subwg0`.
- WireGuard identifies peers by their cryptographic public key without the need to exchange shared secrets. The owner of the public key must
have the corresponding private key to prove identity.
- The driver creates the key pair and adds the public key to the local endpoint so other clusters can connect. Like `ipsec`, the node IP
address is used as the endpoint UDP address of the WireGuard tunnels. A fixed port is used for all endpoints.
- The driver adds routing rules to redirect cross-cluster communication through the virtual network device `subwg0`. (*Note: this is
different from `ipsec`, which intercepts packets at the netfilter level.*)
- The driver uses [`wgctrl`](https://github.com/WireGuard/wgctrl-go "WgCtrl github"), a Go package that enables control of WireGuard devices
on multiple platforms. Link creation and removal are done through [`netlink`](https://github.com/vishvananda/netlink "Netlink github").
The driver currently assumes the Linux kernel WireGuard implementation (`wgtypes.LinuxKernel`).
## Installation
- WireGuard needs to be [installed](https://www.wireguard.com/install "WireGuard installation instructions") on the gateway nodes. For
example, on Ubuntu < 19.04:
```shell
sudo add-apt-repository ppa:wireguard/wireguard
sudo apt-get update
sudo apt-get install "linux-headers-$(uname -r)" -y
sudo apt-get install wireguard
```
- The driver needs to be enabled with
```shell
bin/subctl join --cable-driver wireguard --disable-nat broker-info.subm
```
- The default UDP listen port for the Submariner WireGuard driver is `4500`. It can be changed by setting the environment variable `CE_IPSEC_NATTPORT`.
- It is assumed that the WireGuard network device named `submariner` is used exclusively by submariner-gateway and should not be edited manually.
## Troubleshooting, limitations
- If you get the following message
```text
Fatal error occurred creating engine: failed to add wireguard device: operation not supported
```
you probably did not install WireGuard on the Gateway node.
- The e2e tests can be run with WireGuard by calling `make e2e` with `using=wireguard`:
```shell
make e2e using=wireguard
```
- No new `iptables` rules were added, although source NAT needs to be disabled for cross-cluster communication. This is similar to disabling
SNAT when sending cross-cluster traffic between nodes to `submariner-gateway`, so the existing rules should be enough. **The driver will
fail if the CNI does SNAT before routing to WireGuard** (e.g., failed with Calico, works with Flannel).
## Monitoring
The following metrics are exposed per gateway:
- `connection_status`: indicates whether or not the connection is established, where the value 1 means connected and 0 means disconnected.
- `connection_established_timestamp`: the Unix timestamp at which the connection was established.
- `gateway_tx_bytes`: bytes transmitted for the connection.
- `gateway_rx_bytes`: bytes received for the connection.
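
The fixed listen port from the driver design and the per-connection state behind these metrics can be cross-checked on a gateway node from `wg show subwg0 dump`. The script below is an added example, not part of Submariner; the function names, the sample data and the 180-second handshake threshold are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the tab-separated output of `wg show <device> dump` (see wg(8)).
#   line 1 (device): private-key  public-key  listen-port  fwmark
#   other lines (peers): public-key  preshared-key  endpoint  allowed-ips
#                        latest-handshake  transfer-rx  transfer-tx  persistent-keepalive
# Line 1 carries the private key in clear text, so the raw dump must never be
# pasted into logs or tickets; this function prints only short peer key prefixes.

# check_wg_dump PORT NOW MAX_AGE   (dump on stdin, one finding per output line)
# MAX_AGE is an assumed threshold: an idle peer without keepalive may exceed it.
check_wg_dump() {
    awk -F '\t' -v port="$1" -v now="$2" -v max="$3" '
    NR == 1 {
        if ($3 != port) print "device: listen-port " $3 ", expected " port
        next
    }
    {
        peer = substr($1, 1, 8)      # key prefix is enough to identify the peer
        n = split($3, ep, ":")       # port is the last field, also for [v6]:port
        if ($3 == "(none)")
            print peer ": no endpoint"
        else if (ep[n] != port)
            print peer ": endpoint port " ep[n] ", expected " port
        if ($5 == 0)
            print peer ": never completed a handshake"
        else if (now - $5 > max)
            print peer ": last handshake " (now - $5) "s ago"
    }'
}

# Constructed sample: local device plus three remote clusters (all keys are fake).
sample_dump() {
    printf 'FAKEPRIVATEKEY=\tLOCALPUB0=\t4500\toff\n'
    printf 'PEERAAAA1=\t(none)\t192.0.2.10:4500\t10.1.0.0/16\t1700000000\t5120\t4096\t0\n'
    printf 'PEERBBBB2=\t(none)\t192.0.2.20:4500\t10.2.0.0/16\t0\t0\t1480\t0\n'
    printf 'PEERCCCC3=\t(none)\t192.0.2.30:51820\t10.3.0.0/16\t1699999000\t900\t800\t0\n'
}

# On a gateway node: wg show subwg0 dump | check_wg_dump 4500 "$(date +%s)" 180
sample_dump | check_wg_dump 4500 1700000060 180
```

A peer that never completes a handshake while `transfer-tx` keeps growing is the pattern to look for when the CNI applies SNAT before traffic reaches WireGuard, or when the UDP port is blocked between gateways.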