Should we create the antrea-tun0 OVS port when using Wireguard? #5869

antoninbas · 2024-01-11T23:32:54Z

While looking at #5868, I realized that we were still creating the antrea-tun0 OVS port when using Wireguard for inter-Node traffic, even though the port should not be used any more (we use Linux Wireguard tunnels, and traffic goes through the antrea-wg0 interface.

# ovs-vsctl show
75566bd4-6363-42d2-9172-a4faa89ff450
    Bridge br-int
        datapath_type: system
        Port antrea-tun0
            Interface antrea-tun0
                type: geneve
                options: {key=flow, remote_ip=flow}
        Port antrea-gw0
            Interface antrea-gw0
                type: internal
        Port coredns--3bcc0c
            Interface coredns--3bcc0c
        Port local-pa-daf9ad
            Interface local-pa-daf9ad
        Port coredns--70cbe6
            Interface coredns--70cbe6
        Port antrea-t-579008
            Interface antrea-t-579008
    ovs_version: "2.17.7"

# ovs-vsctl get interface antrea-tun0 statistics
{rx_bytes=0, rx_packets=0, tx_bytes=0, tx_packets=0}

I find it a bit confusing, and unless I am missing something, we should probably avoid creating this port altogether.

The text was updated successfully, but these errors were encountered:

antoninbas · 2024-01-11T23:33:00Z

cc @xliuxu

tnqn · 2024-01-17T14:38:30Z

Not creating antrea-tun0 makes sense to me. If antrea-tun0 is ever used in this case, it means cross-node traffic is not encrypted, which would be a problem.

antoninbas · 2024-01-17T19:12:12Z

Unless I am mistaken, multi-cluster (in gateway mode) always requires antera-tun0, regardless of the traffic mode configuration, so this is a special case.

When using Wireguard for inter-Node traffic, there is no need to create the OVS tunnel port (antrea-tun0) interface, as traffic will go through antrea-wg0, which is managed by Linux directly. The exception is when using Multi-cluster (in gateway mode), as antrea-tun0 is then still used for cross-cluster traffic, for example to tunnel traffic from the source Node to the local gateway Node. Fixes antrea-io#5869 Signed-off-by: Antonin Bas <[email protected]>

When using Wireguard for inter-Node traffic, there is no need to create the OVS tunnel port (antrea-tun0) interface, as traffic will go through antrea-wg0, which is managed by Linux directly. The exception is when using Multi-cluster (in gateway mode), as antrea-tun0 is then still used for cross-cluster traffic, for example to tunnel traffic from the source Node to the local gateway Node. Fixes #5869 Signed-off-by: Antonin Bas <[email protected]>

antoninbas added area/transit/encryption Issues or PRs related to transit encryption (IPSec, SSL). priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. labels Jan 11, 2024

antoninbas self-assigned this Jan 17, 2024

antoninbas mentioned this issue Jan 17, 2024

Don't create tunnel interface (antrea-tun0) when using Wireguard #5885

Merged

antoninbas closed this as completed in #5885 Jan 19, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Should we create the antrea-tun0 OVS port when using Wireguard? #5869

Should we create the antrea-tun0 OVS port when using Wireguard? #5869

antoninbas commented Jan 11, 2024

antoninbas commented Jan 11, 2024

tnqn commented Jan 17, 2024

antoninbas commented Jan 17, 2024

Should we create the antrea-tun0 OVS port when using Wireguard? #5869

Should we create the antrea-tun0 OVS port when using Wireguard? #5869

Comments

antoninbas commented Jan 11, 2024

antoninbas commented Jan 11, 2024

tnqn commented Jan 17, 2024

antoninbas commented Jan 17, 2024