
Problem

I am currently trying to VPN tunnel nodes of my LAN with a node outside of my LAN (inside a data center). For that, I was trying to use K3S. Sadly I can't ping the worker (inside LAN) over the master (outside LAN). Pinging between worker nodes works (both inside LAN).

Reproduce

To install k3s I used the command curl -sfL https://get.k3s.io | sh -s - --flannel-backend=none --disable traefik, which also removes flannel and disables traefik.

To install calico I downloaded the manifest via curl https://docs.projectcalico.org/manifests/calico.yaml -O and edited the conf list to allow ip_forwarding:

{
  "name": "k8s-pod-network",
  "cniVersion": "0.3.1",
  "plugins": [
    {
      "type": "calico",
      "log_level": "info",
      "log_file_path": "/var/log/calico/cni/cni.log",
      "datastore_type": "kubernetes",
      "nodename": "NODE_NAME",
      "mtu": 0,
      "ipam": {
          "type": "calico-ipam"
      },
      "policy": {
          "type": "k8s"
      },
      "kubernetes": {
          "kubeconfig": "/etc/cni/net.d/calico-kubeconfig"
      },
      "container_settings": { "allow_ip_forwarding": true }
    },
    {
      "type": "portmap",
      "snat": true,
      "capabilities": {"portMappings": true}
    },
    {
      "type": "bandwidth",
      "capabilities": {"bandwidth": true}
    }
  ]
}

Then I executed the command sudo sysctl net.ipv4.ip_forward=1 on every node.

To enable WireGuard, I fairly closely followed the instructions on https://docs.projectcalico.org/security/encrypt-cluster-pod-traffic and installed WireGuard via
apt-get install wireguard
on every node, downloaded calicoctl via
curl -o calicoctl -O -L "https://github.com/projectcalico/calicoctl/releases/download/v3.20.2/calicoctl"
and made it executable with
chmod +x calicoctl.
After that I enabled WireGuard with the command
./calicoctl patch felixconfiguration default --type='merge' -p '{"spec":{"wireguardEnabled":true}}'.

After that, I installed the nginx-ingress with the YAML manifest
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.4/deploy/static/provider/cloud/deploy.yaml.
I joined every node inside my LAN to the master outside of my LAN with
curl -sfL https://get.k3s.io | K3S_URL=https://IP:6443 K3S_TOKEN=TOKEN sh -
Every node had a VPN tunnel IP address and pods were run on the VPN addresses. The internal IP of every node was its own IP address (nodes inside my LAN got IP addresses of the LAN and the ones outside the LAN got public IP addresses).

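A pre-flight check for the setup described in the question, added here as an example and not code from the question or from the Calico project: it verifies the three settings the steps above depend on (allow_ip_forwarding in the Calico CNI conflist, net.ipv4.ip_forward=1 on the node, and wireguardEnabled on the default FelixConfiguration). It assumes the default conflist path /etc/cni/net.d/10-calico.conflist and calicoctl in the current directory, as in the question; the demo inputs at the bottom are constructed.

```shell
#!/bin/sh
# Added pre-flight check (not code from the question): verifies the three
# settings the post relies on for cross-site pod traffic: allow_ip_forwarding
# in the Calico CNI conflist, net.ipv4.ip_forward=1 in the kernel, and
# wireguardEnabled on the default FelixConfiguration. Each check takes its
# input as an argument, so it runs on constructed data without root or a cluster.

# Check 1: conflist content must contain
#   "container_settings": { "allow_ip_forwarding": true }
# (whitespace is stripped first so formatting differences do not matter).
cni_allows_ip_forwarding() {
  printf '%s' "$1" | tr -d ' \t\n' \
    | grep -q '"container_settings":{"allow_ip_forwarding":true}'
}

# Check 2: output of `sysctl -n net.ipv4.ip_forward` must be exactly 1.
ip_forward_enabled() {
  [ "$1" = "1" ]
}

# Check 3: output of `calicoctl get felixconfiguration default -o yaml`
# must contain a `wireguardEnabled: true` line under spec.
wireguard_enabled() {
  printf '%s\n' "$1" \
    | grep -Eq '^[[:space:]]*wireguardEnabled:[[:space:]]*true[[:space:]]*$'
}

# Run all three on a live node; reports the first failing check.
# Assumes the default conflist path and ./calicoctl as in the question.
preflight() {
  conf="${1:-/etc/cni/net.d/10-calico.conflist}"
  cni_allows_ip_forwarding "$(cat "$conf")" \
    || { echo "FAIL: allow_ip_forwarding is not true in $conf"; return 1; }
  ip_forward_enabled "$(sysctl -n net.ipv4.ip_forward 2>/dev/null)" \
    || { echo "FAIL: net.ipv4.ip_forward is not 1"; return 1; }
  wireguard_enabled "$(./calicoctl get felixconfiguration default -o yaml 2>/dev/null)" \
    || { echo "FAIL: wireguardEnabled is not true on felixconfiguration/default"; return 1; }
  echo "OK: CNI forwarding, kernel forwarding and WireGuard are all enabled"
}

# Offline demo on constructed inputs (the conflist fragment mirrors the question's).
demo() {
  cni_allows_ip_forwarding '{"plugins":[{"type":"calico",
    "container_settings": { "allow_ip_forwarding": true }}]}' && echo "conflist: ok"
  ip_forward_enabled 0 || echo "sysctl: ip_forward=0 is caught"
  wireguard_enabled 'spec:
  wireguardEnabled: true' && echo "felix: wireguard ok"
}
demo
```

Run preflight on each node (master and workers) and fix the first FAIL it reports before chasing the ping problem further.
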
0 Answers