Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

HTTP tunnel for SideroLink #8064

Closed
Tracked by #8010
smira opened this issue Dec 13, 2023 · 0 comments · Fixed by #8391
Closed
Tracked by #8010

HTTP tunnel for SideroLink #8064

smira opened this issue Dec 13, 2023 · 0 comments · Fixed by #8391
Assignees
@DmitriyMV

Comments

@smira
Copy link
Member

smira commented Dec 13, 2023
edited
Loading

Rationale

In some environments, UDP is not allowed (only TCP to specific ports), or even no outbound traffic is allowed, so traffic can only go via an HTTP(s) proxy.

SideroLink is a very valuable tool to perform remote management of Talos machines.

Proposal

Use SideroLink API (a gRPC API used to provision Wireguard connection) as a channel to transport packets between Talos and SideroLink management endpoint.

gRPC API: use bi-directional stream gRPC API to send packet data.

Using kernel Wireguard implementation

In the network stack, create a tun interface on both ends.

Wireguard still works same way, as if there's no tunnel, so it provides encryption and authentication, and gRPC tunnel API doesn't have to provide that.

Wireguard packets as they leave the interface are routed to the tun device, where they get picked up by the userspace, sent over gRPC API to to the other end, injected into tun device, sent to the Wireguard for decryption.

Using userspace Wireguard implementation

Force to send packets over gRPC API instead of injecting into the Linux network stack.

Prior Art
@smira smira mentioned this issue Dec 13, 2023
Closed
@DmitriyMV DmitriyMV self-assigned this Jan 11, 2024
DmitriyMV added a commit to DmitriyMV/talos that referenced this issue Mar 5, 2024
@DmitriyMV
feat: implement Siderolink wireguard over GRPC.
4255d51 
For siderolabs#8064

Signed-off-by: Dmitriy Matrenichev <[email protected]>
@DmitriyMV DmitriyMV mentioned this issue Mar 5, 2024
Merged
DmitriyMV added a commit to DmitriyMV/talos that referenced this issue Mar 5, 2024
@DmitriyMV
feat: implement Siderolink wireguard over GRPC.
3782cd4 
For siderolabs#8064

Signed-off-by: Dmitriy Matrenichev <[email protected]>
DmitriyMV added a commit to DmitriyMV/talos that referenced this issue Mar 11, 2024
@DmitriyMV
feat: implement Siderolink wireguard over GRPC.
0a59b5c 
For siderolabs#8064

Signed-off-by: Dmitriy Matrenichev <[email protected]>
DmitriyMV added a commit to DmitriyMV/talos that referenced this issue Mar 11, 2024
@DmitriyMV
feat: implement Siderolink wireguard over GRPC
bd03b82 
For siderolabs#8064

Signed-off-by: Dmitriy Matrenichev <[email protected]>
DmitriyMV added a commit to DmitriyMV/talos that referenced this issue Mar 11, 2024
@DmitriyMV
feat: implement Siderolink wireguard over GRPC
6b736f8 
For siderolabs#8064

Signed-off-by: Dmitriy Matrenichev <[email protected]>
DmitriyMV added a commit to DmitriyMV/talos that referenced this issue Mar 11, 2024
@DmitriyMV
feat: implement Siderolink wireguard over GRPC
a59bb25 
For siderolabs#8064

Signed-off-by: Dmitriy Matrenichev <[email protected]>
DmitriyMV added a commit to DmitriyMV/talos that referenced this issue Mar 18, 2024
@DmitriyMV
feat: implement Siderolink wireguard over GRPC
06e3bc0 
For siderolabs#8064

Signed-off-by: Dmitriy Matrenichev <[email protected]>
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 5, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@DmitriyMV DmitriyMV

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: implement Siderolink wireguard over GRPC. DmitriyMV/talos
2 participants
@smira @DmitriyMV