github/linuxkit
1
0
Fork 0
mirror of https://github.com/linuxkit/linuxkit.git synced 2026-01-17 09:22:33 +00:00
Code Issues Projects Releases Wiki Activity
Files
e276de9b4968ec0bc332172edc2866951ced1652
linuxkit/projects/wireguard/roadmap.md
Riyaz Faizullabhoy 8b8a544ce8 Keep WireGuard configuration local to projects subdir 
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
2017-03-17 15:49:22 +00:00

43 lines
2.2 KiB
Markdown
Raw Blame History

# WireGuard
[WireGuard](https://wireguard.io) is a modern VPN released for the Linux kernel that can replace IPSec.
We can use WireGuard in Moby to better secure container networking.
WireGuard transparently encrypts *and* authenticates traffic between all peers, and uses state-of-the-art cryptography
from the [Noise protocol](http://www.noiseprotocol.org/). Moreover, WireGuard is implemented in less than a few thousand
lines of code, making it auditable for security.
Moreover, WireGuard provides a `wg0` (`wg1`, `wg2`,... etc) network interface that can be passed directly to containers,
such that all intercontainer traffic would benefit from encrypted and authenticated networking.
A full technical paper from NDSS 2017 is available [here](https://www.wireguard.io/papers/wireguard.pdf).
## Contents
### Kernel Patches
This project keeps Linux kernel patches for WireGuard against a 4.9.x kernel.
This kernel is built into the `mobylinux/kernel-wireguard` image that is generated by `cd kernel-wireguard && make`.
WireGuard can also be included as a kernel module.
### Userspace Tools
This project embeds the `wireguard-tools` package in the userspace image.
This is built into the `mobylinux/init-wireguard` image that is generated by `cd init-wireguard && make`.
## Quickstart
The quickest way to get started is to use the provided `examples/wireguard.yaml` in this directory and use the prebuilt images.
To give WireGuard a spin, the [official quick start](https://www.wireguard.io/quickstart/) is a good way to get going. For containers,
WireGuard has a [network namespace integration](https://www.wireguard.io/netns/) that we could use for Moby's containers.
## Roadmap
**Near-term:**
- moving `wireguard-tools` out of the init image (with any other tools, as well)
- decide between either carrying the WireGuard patches in our kernel tree or using a module
**Long-term:**
- We have yet to determine the best way to integrate WireGuard into Moby - at the node level or service level isolation.
- Node level: it's plausible that Moby's provisioner could allocate keys per Moby node
- Service level: swarmkit could set up WireGuard on a per-service basis, handing the container the wireguard interface
Reference in New Issue View Git Blame Copy Permalink