Network: wireguard userspace implementation

Author: cheina97

build/gateway/wireguard/Dockerfile

@@ -1,4 +1,12 @@
-FROM golang:1.22 as goBuilder
+FROM golang:1.22 as goBuilder-wg
+WORKDIR /tmp/builder
+
+ARG ref=12269c2761734b15625017d8565745096325392f
+RUN git clone https://git.zx2c4.com/wireguard-go && cd wireguard-go && git checkout $ref && \
+    CGO_ENABLED=0 GOOS=linux GOARCH=$(go env GOARCH) go build -ldflags="-s -w" -o wireguard-go
+
+
+FROM  golang:1.22 as goBuilder
 WORKDIR /tmp/builder
 
 COPY go.mod ./go.mod
@@ -17,4 +25,6 @@ RUN apk update && \
 
 COPY --from=goBuilder /tmp/builder/wireguard /usr/bin/liqo-wireguard
 
+COPY --from=goBuilder-wg /tmp/builder/wireguard-go/wireguard-go /usr/bin/wireguard-go
+
 ENTRYPOINT [ "/usr/bin/liqo-wireguard" ]

cmd/gateway/wireguard/main.go

@@ -163,7 +163,7 @@ func run(cmd *cobra.Command, _ []string) error {
 	}
 
 	// Create the wg-liqo interface and init the wireguard configuration depending on the mode (client/server).
-	if err := wireguard.InitWireguardLink(options); err != nil {
+	if err := wireguard.InitWireguardLink(cmd.Context(), options); err != nil {
 		return fmt.Errorf("unable to init wireguard link: %w", err)
 	}
 

deployments/liqo/README.md

@@ -128,7 +128,7 @@
 | nameOverride | string | `""` | Override the standard name used by Helm and associated to Kubernetes/Liqo resources. |
 | networking.clientResources | list | `[{"apiVersion":"networking.liqo.io/v1alpha1","resource":"wggatewayclients"}]` | Set the list of resources that implement the GatewayClient |
 | networking.enabled | bool | `true` | Use the default Liqo networking module. |
-| networking.gatewayTemplates | object | `{"container":{"gateway":{"image":{"name":"ghcr.io/liqotech/gateway","version":""}},"geneve":{"image":{"name":"ghcr.io/liqotech/gateway/geneve","version":""}},"wireguard":{"image":{"name":"ghcr.io/liqotech/gateway/wireguard","version":""}}},"ping":{"interval":"2s","lossThreshold":5,"updateStatusInterval":"10s"},"replicas":1,"server":{"service":{"allocateLoadBalancerNodePorts":"","annotations":{"service.beta.kubernetes.io/aws-load-balancer-type":"nlb"}}}}` | Set the options for the default gateway (server/client) templates. The default templates use a WireGuard implementation to connect the gateway of the clusters. These options are used to configure only the default templates and should not be considered if a custom template is used. |
+| networking.gatewayTemplates | object | `{"container":{"gateway":{"image":{"name":"ghcr.io/liqotech/gateway","version":""}},"geneve":{"image":{"name":"ghcr.io/liqotech/gateway/geneve","version":""}},"wireguard":{"image":{"name":"ghcr.io/liqotech/gateway/wireguard","version":""}}},"ping":{"interval":"2s","lossThreshold":5,"updateStatusInterval":"10s"},"replicas":1,"server":{"service":{"allocateLoadBalancerNodePorts":"","annotations":{"service.beta.kubernetes.io/aws-load-balancer-type":"nlb"}}},"wireguard":{"implementation":"kernel"}}` | Set the options for the default gateway (server/client) templates. The default templates use a WireGuard implementation to connect the gateway of the clusters. These options are used to configure only the default templates and should not be considered if a custom template is used. |
 | networking.gatewayTemplates.container.gateway.image.name | string | `"ghcr.io/liqotech/gateway"` | Image repository for the gateway container. |
 | networking.gatewayTemplates.container.gateway.image.version | string | `""` | Custom version for the gateway image. If not specified, the global tag is used. |
 | networking.gatewayTemplates.container.geneve.image.name | string | `"ghcr.io/liqotech/gateway/geneve"` | Image repository for the geneve container. |
@@ -144,6 +144,7 @@
 | networking.gatewayTemplates.server.service | object | `{"allocateLoadBalancerNodePorts":"","annotations":{"service.beta.kubernetes.io/aws-load-balancer-type":"nlb"}}` | Set the options to configure the server service |
 | networking.gatewayTemplates.server.service.allocateLoadBalancerNodePorts | string | `""` | Set to "false" if you expose the gateway service as LoadBalancer and you do not want to create also a NodePort associated to it (Note: this setting is useful only on cloud providers that support this feature). |
 | networking.gatewayTemplates.server.service.annotations | object | `{"service.beta.kubernetes.io/aws-load-balancer-type":"nlb"}` | Annotations for the server service. |
+| networking.gatewayTemplates.wireguard.implementation | string | `"kernel"` | Set the implementation used for the WireGuard connection. Possible values are "kernel" and "userspace". |
 | networking.iptables | object | `{"mode":"nf_tables"}` | Iptables configuration tuning. |
 | networking.iptables.mode | string | `"nf_tables"` | Select the iptables mode to use. Possible values are "legacy" and "nf_tables". |
 | networking.mtu | int | `1340` | Set the MTU for the interfaces managed by liqo: vxlan, tunnel and veth interfaces. The value is used by the gateway and route operators. The default value is configured to ensure correct behavior regardless of the combination of the underlying environments (e.g., cloud providers). This guarantees improved compatibility at the cost of possible limited performance drops. |

deployments/liqo/templates/liqo-wireguard-gateway-client-template.yaml

@@ -80,11 +80,15 @@ spec:
                 - --endpoint-port={{"{{ .Spec.Endpoint.Port }}"}}
                 - --metrics-address=:8082
                 - --health-probe-bind-address=:8083
+                - --implementation={{ .Values.networking.gatewayTemplates.wireguard.implementation }}
                 securityContext:
                   capabilities:
                     add:
                     - NET_ADMIN
                     - NET_RAW
+                  {{ if .Values.networking.gatewayTemplates.wireguard.implementation | eq "userspace" }}
+                  privileged: true
+                  {{ end }}
               - name: geneve
                 image: {{ .Values.networking.gatewayTemplates.container.geneve.image.name }}{{ include "liqo.suffix" $geneveConfig }}:{{ include "liqo.version" $geneveConfig }}
                 imagePullPolicy: {{ .Values.pullPolicy }}

deployments/liqo/templates/liqo-wireguard-gateway-server-template.yaml

@@ -97,11 +97,15 @@ spec:
                 - --listen-port={{"{{ .Spec.Endpoint.Port }}"}}
                 - --metrics-address=:8082
                 - --health-probe-bind-address=:8083
+                - --implementation={{ .Values.networking.gatewayTemplates.wireguard.implementation }}
                 securityContext:
                   capabilities:
                     add:
                     - NET_ADMIN
                     - NET_RAW
+                  {{ if .Values.networking.gatewayTemplates.wireguard.implementation | eq "userspace" }}
+                  privileged: true
+                  {{ end }}
               - name: geneve
                 image: {{ .Values.networking.gatewayTemplates.container.geneve.image.name }}{{ include "liqo.suffix" $geneveConfig }}:{{ include "liqo.version" $geneveConfig }}
                 imagePullPolicy: {{ .Values.pullPolicy }}

deployments/liqo/values.yaml

@@ -52,6 +52,9 @@ networking:
   # These options are used to configure only the default templates and should not be considered
   # if a custom template is used.
   gatewayTemplates:
+    wireguard:
+      # -- Set the implementation used for the WireGuard connection. Possible values are "kernel" and "userspace".
+      implementation: "kernel"
     # -- Set the number of replicas for the gateway deployments
     replicas: 1
     # -- Set the options to configure the gateway ping used to check connection

pkg/gateway/tunnel/wireguard/flags.go

@@ -44,6 +44,9 @@ const (
 
 	// FlagNameDNSCheckInterval is the interval between two DNS checks.
 	FlagNameDNSCheckInterval FlagName = "dns-check-interval"
+
+	// FlagNameImplementation is the implementation of the wireguard interface.
+	FlagNameImplementation FlagName = "implementation"
 )
 
 // ClientRequiredFlags contains the list of the mandatory flags for the client mode.
@@ -59,6 +62,8 @@ func InitFlags(flagset *pflag.FlagSet, opts *Options) {
 	flagset.IntVar(&opts.EndpointPort, FlagNameEndpointPort.String(), 51820, "Endpoint port (client only)")
 
 	flagset.DurationVar(&opts.DNSCheckInterval, FlagNameDNSCheckInterval.String(), 5*time.Minute, "Interval between two DNS checks")
+
+	flagset.Var(&opts.Implementation, "implementation", "Implementation of the wireguard interface (kernel or userspace)")
 }
 
 // MarkFlagsRequired marks the flags as required.

pkg/gateway/tunnel/wireguard/netlink.go

@@ -15,12 +15,17 @@
 package wireguard
 
 import (
+	"bytes"
+	"context"
 	"errors"
 	"fmt"
+	"os/exec"
+	"time"
 
 	"github.com/vishvananda/netlink"
 	"golang.zx2c4.com/wireguard/wgctrl"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/klog/v2"
 
 	"github.com/liqotech/liqo/pkg/gateway"
@@ -29,7 +34,7 @@ import (
 )
 
 // InitWireguardLink inits the Wireguard interface.
-func InitWireguardLink(options *Options) error {
+func InitWireguardLink(ctx context.Context, options *Options) error {
 	exists, err := existsLink()
 	if err != nil {
 		return fmt.Errorf("cannot check if Wireguard interface exists: %w", err)
@@ -39,7 +44,7 @@ func InitWireguardLink(options *Options) error {
 		return nil
 	}
 
-	if err := createLink(options); err != nil {
+	if err := createLink(ctx, options); err != nil {
 		return fmt.Errorf("cannot create Wireguard interface: %w", err)
 	}
 
@@ -57,17 +62,21 @@ func InitWireguardLink(options *Options) error {
 }
 
 // CreateLink creates a new Wireguard interface.
-func createLink(options *Options) error {
-	link := netlink.Wireguard{
-		LinkAttrs: netlink.LinkAttrs{
-			MTU:  options.MTU,
-			Name: tunnel.TunnelInterfaceName,
-		},
+func createLink(ctx context.Context, options *Options) error {
+	var err error
+	klog.Infof("Selected wireguard %s implementation", options.Implementation)
+
+	switch options.Implementation {
+	case WgImplementationKernel:
+		err = createLinkKernel(options)
+	case WgImplementationUserspace:
+		err = createLinkUserspace(ctx, options)
+	default:
+		err = fmt.Errorf("invalid wireguard implementation: %s", options.Implementation)
 	}
 
-	err := netlink.LinkAdd(&link)
 	if err != nil {
-		return fmt.Errorf("cannot add Wireguard interface: %w", err)
+		return fmt.Errorf("cannot create Wireguard interface: %w", err)
 	}
 
 	if options.GwOptions.Mode == gateway.ModeServer {
@@ -83,6 +92,56 @@ func createLink(options *Options) error {
 			return fmt.Errorf("cannot configure Wireguard interface: %w", err)
 		}
 	}
+
+	return nil
+}
+
+// createLinkKernel creates a new Wireguard interface using the kernel module.
+func createLinkKernel(options *Options) error {
+	link := netlink.Wireguard{
+		LinkAttrs: netlink.LinkAttrs{
+			MTU:  options.MTU,
+			Name: tunnel.TunnelInterfaceName,
+		},
+	}
+
+	err := netlink.LinkAdd(&link)
+	if err != nil {
+		return fmt.Errorf("cannot add Wireguard interface: %w", err)
+	}
+	return nil
+}
+
+// runWgUserCmd runs the wg command with the given arguments.
+func runWgUserCmd(cmd *exec.Cmd) {
+	var stdout, stderr bytes.Buffer
+	cmd.Stdout = &stdout
+	cmd.Stderr = &stderr
+	if err := cmd.Run(); err != nil {
+		outStr, errStr := stdout.String(), stderr.String()
+		fmt.Printf("out:\n%s\nerr:\n%s\n", outStr, errStr)
+		klog.Fatalf("failed to run '%s': %v", cmd.String(), err)
+	}
+}
+
+// createLinkUserspsce creates a new Wireguard interface using the userspace implementation (wireguard-go).
+// TODO: at the moment is not possible to override the settings of the wireguard-go implementation.
+// We are planning a PR to add a flag for the MTU.
+func createLinkUserspace(ctx context.Context, _ *Options) error {
+	cmd := exec.Command("/usr/bin/wireguard-go", "-f", tunnel.TunnelInterfaceName) //nolint:gosec //we leave it as it is
+	go runWgUserCmd(cmd)
+
+	if err := wait.PollUntilContextTimeout(ctx, time.Second, 10*time.Second, true, func(context.Context) (done bool, err error) {
+		klog.Info("Waiting for wireguard device to be created")
+		if _, err = netlink.LinkByName(tunnel.TunnelInterfaceName); err != nil {
+			klog.Errorf("failed to get wireguard device '%s': %s", tunnel.TunnelInterfaceName, err)
+			return false, nil
+		}
+		return true, nil
+	}); err != nil {
+		return fmt.Errorf("failed to create wireguard device %q: %w", tunnel.TunnelInterfaceName, err)
+	}
+
 	return nil
 }
 

pkg/gateway/tunnel/wireguard/options.go

@@ -15,6 +15,7 @@
 package wireguard
 
 import (
+	"fmt"
 	"net"
 	"sync"
 	"time"
@@ -24,6 +25,38 @@ import (
 	"github.com/liqotech/liqo/pkg/gateway"
 )
 
+// WgImplementation represents the implementation of the wireguard interface.
+type WgImplementation string
+
+const (
+	// WgImplementationKernel represents the kernel implementation of the wireguard interface.
+	WgImplementationKernel WgImplementation = "kernel"
+	// WgImplementationUserspace represents the userspace implementation of the wireguard interface.
+	WgImplementationUserspace WgImplementation = "userspace"
+)
+
+// String returns the string representation of the wireguard implementation.
+func (wgi WgImplementation) String() string {
+	return string(wgi)
+}
+
+// Set parses the provided string into the wireguard implementation.
+func (wgi *WgImplementation) Set(s string) error {
+	if s == "" {
+		s = WgImplementationKernel.String()
+	}
+	if s != WgImplementationKernel.String() && s != WgImplementationUserspace.String() {
+		return fmt.Errorf("invalid wireguard implementation: %s (allowed values are: %s,%s)", s, WgImplementationKernel, WgImplementationUserspace)
+	}
+	*wgi = WgImplementation(s)
+	return nil
+}
+
+// Type returns the type of the wireguard implementation.
+func (wgi WgImplementation) Type() string {
+	return "string"
+}
+
 // Options contains the options for the wireguard interface.
 type Options struct {
 	GwOptions *gateway.Options
@@ -39,6 +72,8 @@ type Options struct {
 	EndpointIPMutex *sync.Mutex
 
 	DNSCheckInterval time.Duration
+
+	Implementation WgImplementation
 }
 
 // NewOptions returns a new Options struct.