linuxkit/projects/wireguard/README.md
Justin Cormack 1b9720a9eb Move roadmap to README where there is only one
This way something comes up when you click on the project on
github, rather than having to hunt for something to explain the
project.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2017-06-12 11:44:29 +02:00


# WireGuard

[WireGuard](https://wireguard.io) is a modern VPN released for the Linux kernel that can replace IPsec.
We can use WireGuard in Moby to better secure container networking.

WireGuard transparently encrypts *and* authenticates traffic between all peers, and uses state-of-the-art cryptography
from the [Noise protocol](http://www.noiseprotocol.org/). Moreover, WireGuard is implemented in less than a few thousand
lines of code, making it auditable for security.

WireGuard also provides a `wg0` (`wg1`, `wg2`, etc.) network interface that can be passed directly to containers,
so that all inter-container traffic benefits from encrypted and authenticated networking.

A full technical paper from NDSS 2017 is available [here](https://www.wireguard.io/papers/wireguard.pdf).
## Contents

### Kernel Patches

This project keeps Linux kernel patches for WireGuard against a 4.9.x kernel.
This kernel is built into the `mobylinux/kernel-wireguard` image that is generated by `cd kernel-wireguard && make`.
WireGuard can also be included as a kernel module.

### Userspace Tools

This project embeds the `wireguard-tools` package in the userspace image.
This is built into the `mobylinux/init-wireguard` image that is generated by `cd init-wireguard && make`.
## Quickstart

The quickest way to get started is the provided `examples/wireguard.yml` in this directory, together with the prebuilt images.

To give WireGuard itself a spin, the [official quick start](https://www.wireguard.io/quickstart/) is a good way to get going. For containers,
WireGuard has a [network namespace integration](https://www.wireguard.io/netns/) that we could use for Moby's containers.
## Roadmap

**Near-term:**

- decide between carrying the WireGuard patches in our kernel tree or using a module

**Long-term:**

- We have yet to determine the best way to integrate WireGuard into Moby: node-level or service-level isolation.
  - Node level: it's plausible that Moby's provisioner could allocate keys per Moby node
  - Service level: swarmkit could set up WireGuard on a per-service basis, handing the container the WireGuard interface

*Service Level*: one proposal is to use WireGuard between container network [`links`](https://docs.docker.com/compose/networking/#links).
This is a natural fit because WireGuard associates public keys with IP addresses: a docker-compose link would simply need
a reference to a key in addition to the existing IP address info for this to work. However, there are some open questions:

- according to its roadmap, `containerd` does not intend to support networking
- `links` are not currently supported on swarm stack deploys
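To make the service-level proposal concrete, here is an added example (not code from this project): each link carries the peer's public key next to its IP, and a small generator turns that into a WireGuard config in which `AllowedIPs` is the link IP, refusing a link IP claimed by two keys because WireGuard's cryptokey routing binds each address range to exactly one public key. The dict layout, the `endpoint` field (underlay host of the peer) and the placeholder keys are assumptions constructed for this illustration.

```python
import base64
import ipaddress
WG_KEY_LEN = 32  # WireGuard keys are 32 bytes, exchanged base64-encoded


def check_wg_key(key_b64):
    """Return key_b64 if it is base64 of exactly 32 bytes, else raise."""
    raw = base64.b64decode(key_b64, validate=True)  # raises on bad base64
    if len(raw) != WG_KEY_LEN:
        raise ValueError("key must decode to %d bytes" % WG_KEY_LEN)
    return key_b64


def render_wg_config(service, links, listen_port=51820):
    """Render a wg(8)-style config for `service` with one [Peer] per link.

    Dicts carry 'name', 'address' (the link IP) and 'key'; the local service
    gives its private key, each link its public key and an 'endpoint' (the
    underlay host terminating the tunnel; assumed field). Cryptokey routing
    maps each AllowedIPs range to one key, so a duplicate link IP is refused.
    """
    me = ipaddress.ip_address(service["address"])
    lines = ["[Interface]",
             "PrivateKey = " + check_wg_key(service["key"]),
             "Address = %s/%d" % (me, me.max_prefixlen),
             "ListenPort = %d" % listen_port]
    claimed = {}
    for link in links:
        ip = ipaddress.ip_address(link["address"])
        if ip in claimed:
            raise ValueError("%s already routed to %s" % (ip, claimed[ip]))
        claimed[ip] = link["name"]
        lines += ["", "# link: " + link["name"], "[Peer]",
                  "PublicKey = " + check_wg_key(link["key"]),
                  "AllowedIPs = %s/%d" % (ip, ip.max_prefixlen),
                  "Endpoint = %s:%d" % (link["endpoint"], listen_port)]
    return "\n".join(lines) + "\n"


def placeholder_key(seed):
    """Constructed, deterministic placeholder; NOT a real WireGuard key."""
    return base64.b64encode(bytes([seed]) * WG_KEY_LEN).decode()


def example_web_config():
    """The 'web' service linked to 'db' and 'cache' (constructed sample)."""
    web = {"name": "web", "address": "10.0.0.2", "key": placeholder_key(1)}
    links = [{"name": "db", "address": "10.0.0.3", "key": placeholder_key(2),
              "endpoint": "192.0.2.10"},
             {"name": "cache", "address": "10.0.0.4", "key": placeholder_key(3),
              "endpoint": "192.0.2.11"}]
    return render_wg_config(web, links)
```

The rendered text can be fed to `wg setconf wg0 <file>` after the interface is moved into the container's network namespace; the private key reference would in practice come from the provisioner rather than the compose file itself.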