
[bug] wireguard with cillium example doesn't work #1618

Closed
1 task done
csantanapr opened this issue May 25, 2023 · 3 comments
csantanapr commented May 25, 2023

Description

When using the example wireguard-with-cilium, the example client pod is not communicating because it is configured before cilium wireguard is established.

We need to put some type of sleep/delay before creating the client pod.

  • ✋ I have searched the open/closed issues and my issue is not listed.

Steps to reproduce the behavior:

git clone branch
cd examples/wireguard-with-cilium/
terraform init
terraform apply -auto-approve

Follow the README and run the tcpdump -A -c 3 -i cilium_wg0 command

Expected behaviour

For tcpdump -A -c 3 -i cilium_wg0 to show encrypted traffic

Actual behaviour

The tcpdump -A -c 3 -i cilium_wg0 command doesn't show any output

Additional context

Thank you to @aaroniscode and the blog Transparent encryption of node to node traffic on Amazon EKS using WireGuard and Cilium he authored, which helped debug the issue.

The steps on the blog use eksctl and there is more time between installing cilium and deploying the client pod; this is why it works if you use the blog instructions.

@csantanapr csantanapr changed the title [bug] wireguard with cillium example doesn't work because of race condition [bug] wireguard with cillium example doesn't work May 25, 2023
@csantanapr csantanapr self-assigned this May 26, 2023
@csantanapr

It looks like it is not a race condition; it is about not allowing UDP/51871 communication between nodes. Cilium wireguard is configured to tunnel all encrypted data through this port.

I tested the example disabling the creation of security groups in the eks module and it worked out of the box:

  create_node_security_group = false

Now testing adding the udp/51871 ingress, because I don't think we want to recommend opening everything up between the nodes:

  # Extend node-to-node security group rules
  node_security_group_additional_rules = {

    ingress_cilium_wireguard = {
      description = "Allow Cilium Wireguard node to node"
      protocol    = "udp"
      from_port   = 51871
      to_port     = 51871  # Cilium Wireguard Port https://github.com/cilium/cilium/blob/main/Documentation/security/network/encryption-wireguard.rst
      type        = "ingress"
      self        = true
    }
  }

cc @askulkarni2 @aaroniscode

csantanapr commented May 26, 2023

Allowing traffic is not enough to get encrypted traffic working.

I tried with all default security groups and an additional one for udp/51871, with the client/server pods deployed with terraform together with cilium, and the traffic was flowing but NOT through the wireguard tunnel.

Then I tried with all default security groups and an additional one for udp/51871 without the client/server pods deployed with terraform together with cilium. Then I waited ~5 mins, then deployed the client/server pods, and then traffic was flowing through the wireguard tunnel.
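A readiness gate that replaces the "wait ~5 mins" above with an explicit check, as an added example that is not from this issue or the terraform-aws-eks project. It assumes kubectl on PATH, Cilium agents in kube-system labelled k8s-app=cilium with a container named cilium-agent (the standard Cilium chart layout), and treats the cilium_wg0 interface named in this issue as the readiness signal; if any node lacks it, pod traffic from that node still flows, but in the clear.

```shell
#!/bin/sh
# Added example: gate client/server pod deployment on WireGuard readiness.
# Assumptions (not from the issue): kubectl on PATH; Cilium agents run in
# kube-system with label k8s-app=cilium in a container named cilium-agent.

# wait_until CMD TIMEOUT_SECS [INTERVAL_SECS]
# Re-run CMD until it succeeds; return 1 if TIMEOUT_SECS elapse first.
wait_until() {
  cmd=$1; timeout=$2; interval=${3:-10}
  elapsed=0
  while [ "$elapsed" -lt "$timeout" ]; do
    if eval "$cmd" >/dev/null 2>&1; then
      return 0
    fi
    sleep "$interval"
    elapsed=$((elapsed + interval))
  done
  return 1
}

# Return 0 only when every cilium-agent pod reports the cilium_wg0 interface.
# Connectivity alone is not proof of encryption: the issue saw traffic flow
# outside the tunnel when pods were created before this interface existed.
cilium_wg0_ready() {
  pods=$(kubectl -n kube-system get pods -l k8s-app=cilium \
           -o jsonpath='{.items[*].metadata.name}') || return 1
  [ -n "$pods" ] || return 1
  for pod in $pods; do
    kubectl -n kube-system exec "$pod" -c cilium-agent -- \
      ip link show cilium_wg0 >/dev/null 2>&1 || return 1
  done
  return 0
}

# Block (up to 10 minutes, polling every 15s) until all nodes have cilium_wg0.
gate_on_wireguard() {
  wait_until cilium_wg0_ready 600 15
}
```

Deploy the workload only after the gate succeeds, e.g. `gate_on_wireguard && kubectl apply -f client.yaml`, and keep the tcpdump check from the README as the final confirmation that packets actually traverse cilium_wg0.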

@bryantbiggs

Closed in #1619
