I was thinking about the container traffic between several nodes and it occurred to me that unless someone uses TLS/SSL for specific services (like LDAPs or HTTPS), the rest of the services are not encrypted. So, I created this simple setup where it is possible to use WireGuard VPN to secure the traffic between the nodes and send it over the encrypted tunnel.
The process below demonstrates how to install and configure simple WireGuard on Fedora 31 and RHEL 8 servers.
Install WireGuard on Fedora 31
1. Log into your server and ensure you have sudo or root privileges
2. Update the server
dnf –-refresh upgrade
3. Reboot the server/workstation to start with the latest kernel
4. Enable copr repository (Cool Other Package Repo)
dnf copr enable jdoss/wireguard
5. Install WireGuard packages (tools and dkms). This step should build dynamic modules for WireGuard
dnf install wireguard-dkms wireguard-tools
6. Try to add a new interface using ip link add command. This step should load the relevant WireGuard module to the kernel.
ip link add wg0 type wireguard
ip a
7. Verify if the interface is visible
ip address show dev wg0
8. Create private and public keys for the WireGuard
mkdir -p /root/wireguard
cd /root/wireguard
umask 077; wg genkey > private; wg pubkey
9. Configure the interface with the internal ip address
ip link add wg0 type wireguard
ip addr add 10.0.0.1/24 dev wg0
ip link set up dev wg0
Install WireGuard on RHEL 8
1. Log into your server and ensure you have sudo or root privileges
2. Update the server
dnf –-refresh upgrade
3. Reboot the server/workstation to start with the latest kernel
4. Enable repository
dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
subscription-manager repos –enable codeready-builder-for-rhel-8-$(arch)-rpms
dnf copr enable jdoss/wireguard
5. Install WireGuard packages (tools and dkms). This step should build dynamic modules for WireGuard
dnf install wireguard-dkms wireguard-tools
6. Try to add a new interface using ip link add command. This step should load the relevant WireGuard module to the kernel.
ip link add wg0 type wireguard
ip a
7. Verify if the interface is visible
ip address show dev wg0
8. Create private and public keys for the WireGuard
mkdir -p /root/wireguard
cd /root/wireguard
umask 077; wg genkey > private; wg pubkey < private
9. Configure the interface with the internal ip address
ip link add wg0 type wireguard
ip addr add 10.0.0.2/24 dev wg0
ip link set up dev wg0
Configure WireGuard
1. Log in to both servers
2. Ensure the previous steps have been accomplished and there is interface wg0 with IP address assigned
ip addr show dev wg0
3. On both servers run the following command:
mkdir -p /etc/wireguard; touch /etc/wireguard/wg0.conf
4. On both servers run the following command:
wg
5. The command will return the output similar to this:
interface: wg0
listening port: 60316
6. Run the following command on both servers. This will set the port and set the public certificate
wg set wg0 listen-port 51820 private-key /root/wireguard/private
7. Run the following command on both servers:
wg
interface: wg0
public key: 9yOzarwDKiiIxRr+u+OfGb+jpHDwrTPSkZ1lpZ162kE=
private key: (hidden)
listening port: 51820
8. Set the tunnel on both servers (two-way tunnel). Run the following command on the Fedora server. Ensure the peer certificate has been copied from the RHEL server and IP addresses as well.
wg set wg0 peer 3BYw0h6PC0d2hEl5fcP5Km3NNTS2DFIjpADbl/xaZlo= allowed-ips
10.0.0.0/24 endpoint 192.168.100.37:51820
9. Set the tunnel on both servers (two-way tunnel). Run the following command on the RHEL server. Ensure the peer certificate has been copied from the RHEL server and IP addresses as well.
wg set wg0 peer 9yOzarwDKiiIxRr+u+OfGb+jpHDwrTPSkZ1lpZ162kE= allowed-ips
10.0.0.0/24 endpoint 192.168.100.66:51820
10. Open the firewall port on both servers to allow WireGuard communication. Remember WireGuard is using UDP protocol. You can use the following to create a new service:
# cat > /etc/firewalld/services/wireguard.xml << EOF
WIREGUARD
EOF
firewall-cmd –add-service=wireguard –permanent
firewall-cmd –add-service=wireguard
firewall-cmd –reload
11. Verify the communication between the peers
ping 10.0.0.2 or ping 10.0.0.1
12. The wg show command should provide the following information:
wg show
interface: wg0
public key: 9yOzarwDKiiIxRr+u+OfGb+jpHDwrTPSkZ1lpZ162kE=
private key: (hidden)
listening port: 51820
peer: 3BYw0h6PC0d2hEl5fcP5Km3NNTS2DFIjpADbl/xaZlo=
endpoint: 192.168.100.37:51820
allowed ips: 10.0.0.0/24
latest handshake: 3 minutes, 1 second ago
transfer: 1.80 KiB received, 1.71 KiB sent
13. Save the WireGuard configuration on both hosts:
wg-quick save wg0
Install Podman and Run the Container on the WireGuard Interface
1. Log into both servers
2. On both servers install Podman if it is not installed yet:
dnf install podman -y
3. Run any container image to check the functionality. For example – nginx on port 80
podman run -dt -p 80:80 –name mynginx nginx podman ps -a curl http://localhost:80
4. Delete all containers:
podman rm -f –all
5. Create the container listening on the WireGuard interface:
-
- Verify the IP address assigned to WireGuard wg0 interface
ip addr show dev wg0 | grep inet | awk ‘{ print $2 }’
10.0.0.1/24
-
- Run the Podman container on the WireGuard interface on Fedora server
podman run -dt -p 10.0.0.1:80:80 –name mynginx Nginx
podman port mynginx
80/tcp -> 10.0.0.1:80
-
- Verify if you can still connect to port 80/tcp on localhost
# curl http://localhost:80
curl: (7) Failed to connect to localhost port 80: Connection refused
-
- Verify if you can connect to port 80/tcp on 10.0.0.1 (WireGuard interface):
-
- Open port 80/tcp on the firewall:
firewall-cmd –add-service=http –permanent
firewall-cmd –add-service=http
firewall-cmd –reload
-
- From the RHEL node, try to connect to port 80/tcp using the Fedora host IP (192.168.100.66 in my case):
# curl http://192.168.100.66:80
curl: (7) Failed to connect to 192.168.100.66 port 80: No route to host
-
- From the RHEL node, try to connect to port 80/tcp using the WireGuard IP (10.0.0.1 in my case):
podman run -dt -p 10.0.0.2:80:80 –name mynginx Nginx
podman port mynginx
80/tcp -> 10.0.0.2:80
-
- Start /bin/bash in the container on Fedora server
# podman exec -it mynginx /bin/bash
-
- In the command line of the container curl with the WireGuard IP address of the RHEL server and the port forwarded to the container:
Should you have any questions – please do not hesitate to reach out.