Leveraging WireGuard on Container Linux involves the following steps:
- compiling the WireGuard kernel module; and
- loading the kernel module on demand
These steps have to be executed whenever the Container Linux system updates since the modules may no longer be compatible with the new kernel.
Modulus takes care of automating all of these steps and ensures that kernel modules are up-to-date for the host's kernel.
You will need a running Kubernetes cluster and the kubectl command to deploy Modulus.
Edit the provided Modulus DaemonSet to specify the version of WireGuard you would like to compile, e.g. 0.0.20190406. Then create the deployment:
kubectl apply -f https://raw.githubusercontent.com/squat/modulus/main/wireguard/daemonset.yamlThis DaemonSet will run on a Modulus pod on all the Kubernetes nodes.
First, make sure you have the Modulus code available on your Container Linux machine and that the modulus service is installed.
Enable and start the modulus template unit file with the desired WireGuard version, e.g. 0.0.20190406:
sudo systemctl enable [email protected]
sudo systemctl start [email protected]This service takes care of automatically compiling, installing, backing up, and loading the WireGuard kernel modules.
Compiling the WireGuard kernel modules can take around 5-10 minutes depending on your Internet speed, CPU, and RAM. To check the progress of the compilation, run:
journalctl -fu [email protected]Once Modulus has successfully run, the host should have the WireGuard kernel module loaded. To verify that the kernel module was loaded, run:
lsmod | grep wireguardThis should return something like:
wireguard 233472 0
ip6_udp_tunnel 16384 1 wireguard
udp_tunnel 16384 1 wireguardFinally, try creating a WireGuard interface and using the WireGuard binary, wg, to inspect it:
sudo ip link add dev wg0 type wireguard && sudo /opt/drivers/wireguard/bin/wg show all && sudo ip link del wg0This should produce some output like:
interface: wg0
listening port: 43217