-
Notifications
You must be signed in to change notification settings - Fork 60
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
node subnets are not included in "allowed ips"? #28
Comments
Currently no. |
Thanks for adding it as a milestone as I think many of the container technologies will be better enabled to be used with Wesher. |
I plan on working on something a bit different, but I might end up supporting both. First my use case in a sentence (I'll develop in another issue): multiple k8s CNI set routes directly to other nodes and expect them to be honored, so I need to reflect routes added manually on the wg devices to be reflected in allowed IPs on other nodes. Regarding this issue, it seems like a nice complement to my use case. It would probably need an additionnal setting A sane default value would be the empty filter, which means no network is propagated, and would also avoid adding a setting for enabling/disabling this feature. |
For implementation, I intend on using this : https://godoc.org/github.com/vishvananda/netlink#RouteSubscribe I will implement a new loop, identical to the cluster loop, consuming events from netlink, filtering the routes using a configuration setting, and providing locla node route list on a channel. Then in the main loop, I will update the local node based on these routes. Routes will be propagated using node meta, and the node parsing routine will handle extra allowed addresses and netlink routes on top of the node overlay address. The main catch at the moment is that we will need to add and delete routes, removing routes that are not annonuced anymore by a node. How do we handle routes that are set manually by the admin instead of wesher then? I do not intend on handling conflicting routes in this first implementation. Does that sound ok? I think I will implement the code in the |
Here is the current state of our work on the routing matter. It will undergo some tests in our use case in the next few days: https://github.com/kaiyou/wesher/tree/feature-routed-net |
This is currently running on three different clusters of mine, properly propagating kubernetes routes. I will provide production feedback next week. |
@arnarg unfortunately not from my side. I've been swamped and haven't been able to give wesher the attention it deserves 😒 @kaiyou I just noticed I didn't react to your comment. Sorry about that! This definitely sounds like a solid approach 👍 |
I'm not sure what the status of Issue#28 currently is: node subnets are not included in "allowed ips"? #28 from reading the comments in this Issue Thread? Does/Will Wesher support Subnets? |
@bmullan probably yes, but unfortunately no time-frame yet. |
Thanks.
Brian
…On Thu, Mar 11, 2021, 1:04 PM Leo Antunes ***@***.***> wrote:
@bmullan <https://github.com/bmullan> probably yes, but unfortunately no
time-frame yet.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#28 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAM23J7KIMEFQUYMT2GIC3LTDEA4BANCNFSM4KQO3Y6A>
.
|
@costela Just curious if you made any progress implementing support for routing "subnets" on a Mesh VPN Node? Thanks |
Earlier in this thread you said...
I went to that link but I'm not sure what's different, fixed, added?? What is "running on 3 different clusters" ? Sorry I'm missing something :-) Brian |
bump |
I have wesher creating my mesh using wireguard ok. But I'm finding that subnets on various nodes
are not reachable.
On some of my NODEs I have created bridged subnets.
With regular WireGuard I could normally include those Subnets (example 192.168.75.0/24) as an "allowed ips"
But running Wesher if I check /var/lib/wesher/state.json the IP subnets are not included !
Is there a command line option not documented for how someone can specifically identify subnets they want included in the WireGuard config?
thanks
The text was updated successfully, but these errors were encountered: