United States | Encrypting Container Traffic with WireGuard

Sebastian Baszcyj - 17.04.202020200417

Encrypting Container Traffic with WireGuard

United States | Encrypting Container Traffic with WireGuard

I was thinking about the container traffic between several nodes and it occurred to me that unless someone uses TLS/SSL for specific services (like LDAPs or HTTPS), the rest of the services are not encrypted. So, I created this simple setup where it is possible to use WireGuard VPN to secure the traffic between the nodes and send it over the encrypted tunnel.

The process below demonstrates how to install and configure simple WireGuard on Fedora 31 and RHEL 8 servers.

Install WireGuard on Fedora 31

1. Log into your server and ensure you have sudo or root privileges

2. Update the server

​dnf –-refresh upgrade

3. Reboot the server/workstation to start with the latest kernel

4. Enable copr repository (Cool Other Package Repo)

dnf copr enable jdoss/wireguard

5. Install WireGuard packages (tools and dkms). This step should build dynamic modules for WireGuard

dnf install wireguard-dkms wireguard-tools

6. Try to add a new interface using ip link add command. This step should load the relevant WireGuard module to the kernel.

ip link add wg0 type wireguard
ip a

7. Verify if the interface is visible

ip address show dev wg0

 8. Create private and public keys for the WireGuard

mkdir -p /root/wireguard
cd /root/wireguard
umask 077; wg genkey > private; wg pubkey

9. Configure the interface with the internal ip address

ip link add wg0 type wireguard
ip addr add 10.0.0.1/24 dev wg0
ip link set up dev wg0

Install WireGuard on RHEL 8

1. Log into your server and ensure you have sudo or root privileges

2. Update the server

dnf –-refresh upgrade

3. Reboot the server/workstation to start with the latest kernel

4. Enable repository

dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
subscription-manager repos –enable codeready-builder-for-rhel-8-$(arch)-rpms
dnf copr enable jdoss/wireguard

5. Install WireGuard packages (tools and dkms). This step should build dynamic modules for WireGuard

dnf install wireguard-dkms wireguard-tools

6. Try to add a new interface using ip link add command. This step should load the relevant WireGuard module to the kernel.

ip link add wg0 type wireguard
ip a

7. Verify if the interface is visible

ip address show dev wg0

8. Create private and public keys for the WireGuard

mkdir -p /root/wireguard
cd /root/wireguard
umask 077; wg genkey > private; wg pubkey < private

9. Configure the interface with the internal ip address

ip link add wg0 type wireguard
ip addr add 10.0.0.2/24 dev wg0
ip link set up dev wg0

Configure WireGuard

1. Log in to both servers

2. Ensure the previous steps have been accomplished and there is interface wg0 with IP address assigned

ip addr show dev wg0

3. On both servers run the following command:

mkdir -p /etc/wireguard; touch /etc/wireguard/wg0.conf

4. On both servers run the following command:

wg

5. The command will return the output similar to this:

interface: wg0
listening port: 60316

6. Run the following command on both servers. This will set the port and set the public certificate

wg set wg0 listen-port 51820 private-key /root/wireguard/private

7. Run the following command on both servers:

wg

interface: wg0
public key: 9yOzarwDKiiIxRr+u+OfGb+jpHDwrTPSkZ1lpZ162kE=
private key: (hidden)
listening port: 51820

8. Set the tunnel on both servers (two-way tunnel). Run the following command on the Fedora server. Ensure the peer certificate has been copied from the RHEL server and IP addresses as well.

wg set wg0 peer 3BYw0h6PC0d2hEl5fcP5Km3NNTS2DFIjpADbl/xaZlo= allowed-ips
10.0.0.0/24 endpoint 192.168.100.37:51820

9. Set the tunnel on both servers (two-way tunnel). Run the following command on the RHEL server. Ensure the peer certificate has been copied from the RHEL server and IP addresses as well.

wg set wg0 peer 9yOzarwDKiiIxRr+u+OfGb+jpHDwrTPSkZ1lpZ162kE= allowed-ips
10.0.0.0/24 endpoint 192.168.100.66:51820

10. Open the firewall port on both servers to allow WireGuard communication. Remember WireGuard is using UDP protocol. You can use the following to create a new service:

# cat > /etc/firewalld/services/wireguard.xml << EOF

WIREGUARD

EOF

firewall-cmd –add-service=wireguard –permanent
firewall-cmd –add-service=wireguard
firewall-cmd –reload

11. Verify the communication between the peers

ping 10.0.0.2 or ping 10.0.0.1

12. The wg show command should provide the following information:

wg show
interface: wg0
public key: 9yOzarwDKiiIxRr+u+OfGb+jpHDwrTPSkZ1lpZ162kE=
private key: (hidden)
listening port: 51820

peer: 3BYw0h6PC0d2hEl5fcP5Km3NNTS2DFIjpADbl/xaZlo=
endpoint: 192.168.100.37:51820
allowed ips: 10.0.0.0/24
latest handshake: 3 minutes, 1 second ago
transfer: 1.80 KiB received, 1.71 KiB sent

13. Save the WireGuard configuration on both hosts:

wg-quick save wg0

Install Podman and Run the Container on the WireGuard Interface

1. Log into both servers

2. On both servers install Podman if it is not installed yet:

dnf install podman -y

3. Run any container image to check the functionality. For example – nginx on port 80

podman run -dt -p 80:80 –name mynginx nginx podman ps -a curl http://localhost:80

4. Delete all containers:

podman rm -f –all

5. Create the container listening on the WireGuard interface:

    • Verify the IP address assigned to WireGuard wg0 interface

ip addr show dev wg0 | grep inet | awk ‘{ print $2 }’

10.0.0.1/24

    • Run the Podman container on the WireGuard interface on Fedora server

podman run -dt -p 10.0.0.1:80:80 –name mynginx Nginx
podman port mynginx

80/tcp -> 10.0.0.1:80

    • Verify if you can still connect to port 80/tcp on localhost

# curl http://localhost:80
curl: (7) Failed to connect to localhost port 80: Connection refused

    • Verify if you can connect to port 80/tcp on 10.0.0.1 (WireGuard interface):

United States | Encrypting Container Traffic with WireGuard

    • Open port 80/tcp on the firewall:

firewall-cmd –add-service=http –permanent
firewall-cmd –add-service=http
firewall-cmd –reload

    • From the RHEL node, try to connect to port 80/tcp using the Fedora host IP (192.168.100.66 in my case):

# curl http://192.168.100.66:80
curl: (7) Failed to connect to 192.168.100.66 port 80: No route to host

    • From the RHEL node, try to connect to port 80/tcp using the WireGuard IP (10.0.0.1 in my case):

United States | Encrypting Container Traffic with WireGuard

podman run -dt -p 10.0.0.2:80:80 –name mynginx Nginx

podman port mynginx

80/tcp -> 10.0.0.2:80

    • Start /bin/bash in the container on Fedora server

# podman exec -it mynginx /bin/bash

    • In the command line of the container curl with the WireGuard IP address of the RHEL server and the port forwarded to the container:

United States | Encrypting Container Traffic with WireGuard

Should you have any questions – please do not hesitate to reach out.

THANK YOU FOR YOUR SUBMISSION!

United States | Encrypting Container Traffic with WireGuard

The form was submitted successfully.

Join the Insentra Community with the Insentragram Newsletter

Hungry for more?

If you’re waiting for a sign, this is it.

We’re a certified amazing place to work, with an incredible team and fascinating projects – and we’re ready for you to join us! Go through our simple application process. Once you’re done, we will be in touch shortly!

Who is Insentra?

Imagine a business which exists to help IT Partners & Vendors grow and thrive.

Insentra is a 100% channel business. This means we provide a range of Advisory, Professional and Managed IT services exclusively for and through our Partners.

Our #PartnerObsessed business model achieves powerful results for our Partners and their Clients with our crew’s deep expertise and specialised knowledge.

We love what we do and are driven by a relentless determination to deliver exceptional service excellence.

United States | Encrypting Container Traffic with WireGuard

Insentra ISO 27001:2013 Certification

SYDNEY, WEDNESDAY 20TH APRIL 2022 – We are proud to announce that Insentra has achieved the  ISO 27001 Certification.