- Use the new style kernel tags with the full kernel version
- Update packages with new alpine base and new/simplified Makefiles.

Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
WireGuard
WireGuard is a modern VPN for the Linux kernel that can replace IPsec.
We can use WireGuard in Moby to better secure container networking. WireGuard transparently encrypts and authenticates traffic between all peers, and uses state-of-the-art cryptography from the Noise protocol framework. Moreover, WireGuard is implemented in a few thousand lines of code, which keeps it small enough to audit for security.
In addition, WireGuard provides a wg0 (wg1, wg2, ... etc.) network interface that can be passed directly to containers, such that all inter-container traffic benefits from encrypted and authenticated networking.
A full technical paper from NDSS 2017 is available here.
Kernel Patches
This project keeps Linux kernel patches for WireGuard against a 4.9.x kernel.
This kernel is built into the mobylinux/kernel-wireguard image, which is generated by cd kernel-wireguard && make.
WireGuard can also be included as a kernel module.
Userspace Tools
This project embeds the wireguard-tools package in the userspace image.
This is built into the mobylinux/init-wireguard image, which is generated by cd init-wireguard && make.
Quickstart
The quickest way to get started is to use the provided examples/wireguard.yml
in this directory and use the prebuilt images.
To give WireGuard a spin, the official quick start is a good way to get going. For containers, WireGuard has a network namespace integration that we could use for Moby's containers.
Roadmap
Near-term:
- decide between either carrying the WireGuard patches in our kernel tree or using a module
Long-term:
- We have yet to determine the best way to integrate WireGuard into Moby - isolation at the node level or at the service level.
- Node level: it's plausible that Moby's provisioner could allocate keys per Moby node
- Service level: swarmkit could set up WireGuard on a per-service basis, handing the container the wireguard interface
Service Level: one proposal is to use WireGuard between container network links.
This is a natural fit because WireGuard associates public keys with IP addresses: a docker-compose link would simply need
a reference to a key in addition to the existing IP address info for this to work. However, there are some open questions:
- containerd does not intend to support networks (see its roadmap)
- links are not currently supported on swarm stack deploys
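The link proposal above, carried through as an added example (not code from the Moby or WireGuard projects): a compose-style link map that carries a public key per linked service is rendered into the [Interface]/[Peer] configuration that wg(8) reads, with each peer bound to exactly its own /32 so the key-to-address association stays one-to-one. The link format, service names and keys are constructed for this illustration.

```python
import base64
import ipaddress
import os

def valid_key(key: str) -> bool:
    """WireGuard keys are 32 bytes, base64-encoded: exactly 44 characters."""
    try:
        return len(key) == 44 and len(base64.b64decode(key, validate=True)) == 32
    except ValueError:
        return False

def fake_key() -> str:
    """Constructed sample value with the right shape; not a real WireGuard keypair."""
    return base64.b64encode(os.urandom(32)).decode()

def check_links(links: dict) -> list:
    """links maps a linked service name to {"address": host_ip, "public_key": key}.
    Returns the problems that would make the rendered config ambiguous."""
    problems, owner_of_key, owner_of_addr = [], {}, {}
    for name in sorted(links):
        key, addr = links[name]["public_key"], links[name]["address"]
        if not valid_key(key):
            problems.append(f"{name}: malformed public key")
        elif key in owner_of_key:
            problems.append(f"{name}: same public key as {owner_of_key[key]}")
        if addr in owner_of_addr:
            # Overlapping AllowedIPs are not an error for wg(8): the address is
            # simply moved to the peer listed last, so a link would silently
            # start talking to the wrong container. Refuse instead.
            problems.append(f"{name}: same address as {owner_of_addr[addr]}")
        owner_of_key.setdefault(key, name)
        owner_of_addr.setdefault(addr, name)
    return problems

def render_config(private_key: str, address: str, listen_port: int, links: dict) -> str:
    """Render a wg-quick style config; each peer is bound to exactly its own /32."""
    problems = check_links(links)
    if not valid_key(private_key) or problems:
        raise ValueError("; ".join(problems) or "malformed private key")
    lines = ["[Interface]", f"PrivateKey = {private_key}",
             f"Address = {ipaddress.ip_interface(address)}",
             f"ListenPort = {listen_port}", ""]
    for name in sorted(links):
        host = ipaddress.ip_address(links[name]["address"])
        lines += [f"# link: {name}", "[Peer]",
                  f"PublicKey = {links[name]['public_key']}",
                  # /32 (or /128): traffic for this address goes only to this
                  # key, and packets from it are accepted only under this key.
                  f"AllowedIPs = {host}/{host.max_prefixlen}", ""]
    return "\n".join(lines)
```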