{"id":2112,"date":"2020-04-17T01:00:00","date_gmt":"2020-04-17T01:00:00","guid":{"rendered":"http:\/\/inswwdev.azurewebsites.net\/au\/insights\/uncategorized\/encrypting-container-traffic-with-wireguard\/"},"modified":"2024-12-13T02:23:36","modified_gmt":"2024-12-13T02:23:36","slug":"encrypting-container-traffic-with-wireguard","status":"publish","type":"post","link":"https:\/\/www.insentragroup.com\/au\/insights\/geek-speak\/professional-services\/encrypting-container-traffic-with-wireguard\/","title":{"rendered":"Encrypting Container Traffic with WireGuard"},"content":{"rendered":"

I was thinking about the container traffic between several nodes and it occurred to me that unless someone uses TLS\/SSL for specific services (like LDAPs or HTTPS), the rest of the services are not encrypted. So, I created this simple setup where it is possible to use WireGuard VPN to secure the traffic between the nodes and send it over the encrypted tunnel. <\/span><\/p>\n

The process below demonstrates how to install and configure simple WireGuard on Fedora 31 and RHEL 8 servers.<\/span><\/p>\n

Install WireGuard on Fedora 31<\/h3>\n

1. Log into your server and ensure you have sudo or root privileges <\/span><\/p>\n

2. Update the server<\/span><\/p>\n

\u200bdnf \u2013-refresh upgrade<\/span><\/p>\n

3. Reboot the server\/workstation to start with the latest kernel<\/span><\/p>\n

4. Enable copr repository (Cool Other Package Repo)<\/span><\/p>\n

dnf copr enable jdoss\/wireguard<\/span><\/p>\n

5. Install WireGuard packages (tools and dkms). This step should build dynamic modules for WireGuard<\/span><\/p>\n

dnf install wireguard-dkms wireguard-tools<\/span><\/p>\n

6. Try to add a new interface using ip link add command. This step should load the relevant WireGuard module to the kernel. <\/span><\/p>\n

ip link add wg0 type wireguard
ip a <\/span><\/p>\n

7. Verify if the interface is visible<\/span><\/p>\n

ip address show dev wg0 <\/span><\/p>\n

\u00a08. Create private and public keys for the WireGuard<\/p>\n

mkdir -p \/root\/wireguard
cd \/root\/wireguard
umask 077; wg genkey > private; wg pubkey <\/span><\/p>\n

9. Configure the interface with the internal ip address<\/p>\n

ip link add wg0 type wireguard
ip addr add 10.0.0.1\/24 dev wg0
ip link set up dev wg0 <\/span><\/p>\n

Install WireGuard on RHEL 8<\/h3>\n

1. Log into your server and ensure you have sudo or root privileges <\/span><\/p>\n

2. Update the server<\/span><\/p>\n

dnf \u2013-refresh upgrade <\/span><\/p>\n

3. Reboot the server\/workstation to start with the latest kernel<\/span><\/p>\n

4. Enable repository <\/span><\/p>\n

dnf install https:\/\/dl.fedoraproject.org\/pub\/epel\/epel-release-latest-8.noarch.rpm
subscription-manager repos –enable codeready-builder-for-rhel-8-$(arch)-rpms
dnf copr enable jdoss\/wireguard<\/span><\/p>\n

5. Install WireGuard packages (tools and dkms). This step should build dynamic modules for WireGuard<\/span><\/p>\n

dnf install wireguard-dkms wireguard-tools<\/span><\/p>\n

6. Try to add a new interface using ip link add command. This step should load the relevant WireGuard module to the kernel. <\/span><\/p>\n

ip link add wg0 type wireguard
ip a<\/span><\/p>\n

7. Verify if the interface is visible<\/span><\/p>\n

ip address show dev wg0<\/span><\/p>\n

8. Create private and public keys for the WireGuard<\/span><\/p>\n

mkdir -p \/root\/wireguard
cd \/root\/wireguard
umask 077; wg genkey > private; wg pubkey < private <\/span><\/p>\n

9. Configure the interface with the internal ip address <\/span><\/p>\n

ip link add wg0 type wireguard
ip addr add 10.0.0.2\/24 dev wg0
ip link set up dev wg0 <\/span><\/p>\n

Configure WireGuard<\/h3>\n

1. Log in to both servers<\/span><\/p>\n

2. Ensure the previous steps have been accomplished and there is interface wg0 with IP address assigned<\/span><\/p>\n

ip addr show dev wg0<\/span><\/p>\n

3. On both servers run the following command: <\/span><\/p>\n

mkdir -p \/etc\/wireguard; touch \/etc\/wireguard\/wg0.conf<\/span><\/p>\n

4. On both servers run the following command: <\/span><\/p>\n

wg<\/span><\/p>\n

5. The command will return the output similar to this: <\/span><\/p>\n

interface: wg0
listening port: 60316 <\/span><\/p>\n

6. Run the following command on both servers. This will set the port and set the public certificate<\/span><\/p>\n

wg set wg0 listen-port 51820 private-key \/root\/wireguard\/private<\/span><\/p>\n

7. Run the following command on both servers: <\/span><\/p>\n

wg <\/p>\n

interface: wg0
public key: 9yOzarwDKiiIxRr+u+OfGb+jpHDwrTPSkZ1lpZ162kE=
private key: (hidden)
listening port: 51820 <\/span><\/p>\n

8. Set the tunnel on both servers (two-way tunnel). Run the following command on the Fedora server. Ensure the peer certificate has been copied from the RHEL server and IP addresses as well. <\/span><\/p>\n

wg set wg0 peer 3BYw0h6PC0d2hEl5fcP5Km3NNTS2DFIjpADbl\/xaZlo= allowed-ips
10.0.0.0\/24 endpoint 192.168.100.37:51820<\/span><\/p>\n

9. Set the tunnel on both servers (two-way tunnel). Run the following command on the RHEL server. Ensure the peer certificate has been copied from the RHEL server and IP addresses as well. <\/span><\/p>\n

wg set wg0 peer 9yOzarwDKiiIxRr+u+OfGb+jpHDwrTPSkZ1lpZ162kE= allowed-ips
10.0.0.0\/24 endpoint 192.168.100.66:51820<\/span><\/p>\n

10. Open the firewall port on both servers to allow WireGuard communication. Remember WireGuard is using UDP protocol. You can use the following to create a new service: <\/span><\/p>\n

# cat > \/etc\/firewalld\/services\/wireguard.xml << EOF <\/p>\n

WIREGUARD <\/p>\n

EOF <\/span><\/p>\n

firewall-cmd –add-service=wireguard –permanent
firewall-cmd –add-service=wireguard
firewall-cmd –reload <\/span><\/p>\n

11. Verify the communication between the peers <\/span><\/p>\n

ping 10.0.0.2 or ping 10.0.0.1<\/span><\/p>\n

12. The wg show command should provide the following information: <\/span><\/p>\n

wg show
interface: wg0
public key: 9yOzarwDKiiIxRr+u+OfGb+jpHDwrTPSkZ1lpZ162kE=
private key: (hidden)
listening port: 51820 <\/p>\n

peer: 3BYw0h6PC0d2hEl5fcP5Km3NNTS2DFIjpADbl\/xaZlo=
endpoint: 192.168.100.37:51820
allowed ips: 10.0.0.0\/24
latest handshake: 3 minutes, 1 second ago
transfer: 1.80 KiB received, 1.71 KiB sent <\/span><\/p>\n

13. Save the WireGuard configuration on both hosts: <\/span><\/p>\n

wg-quick save wg0<\/span><\/p>\n

Install Podman and Run the Container on the WireGuard Interface<\/h3>\n

1. Log into both servers<\/span><\/p>\n

2. On both servers install Podman if it is not installed yet: <\/span><\/p>\n

dnf install podman -y <\/span><\/p>\n

3. Run any container image to check the functionality. For example \u2013 nginx on port 80<\/span><\/p>\n

podman run -dt -p 80:80 –name mynginx nginx podman ps -a curl http:\/\/localhost:80 <\/span><\/p>\n

4. Delete all containers: <\/span><\/p>\n

podman rm -f –all<\/span><\/p>\n

5. Create the container listening on the WireGuard interface: <\/span><\/p>\n