From f203cd1f38ff03fccf3d5523479d369eab5016f6 Mon Sep 17 00:00:00 2001
From: Moritz Graf
Date: Sun, 17 May 2026 10:36:06 +0200
Subject: [PATCH] feat(wireguard): setup K8s to FritzBox Site-to-Site VPN

---
 .gitattributes | 3 +-
 fritzbox/README.md | 51 +++++++++++++++++++++++
 fritzbox/fritzbox-wireguard.secret.conf | Bin 0 -> 304 bytes
 k8s/wireguard/deployment.yaml | 53 ++++++++++++++++++++++++
 k8s/wireguard/kustomization.yaml | 9 ++++
 k8s/wireguard/namespace.yaml | 4 ++
 k8s/wireguard/secret.secret.yaml | Bin 0 -> 429 bytes
 7 files changed, 119 insertions(+), 1 deletion(-)
 create mode 100644 fritzbox/README.md
 create mode 100644 fritzbox/fritzbox-wireguard.secret.conf
 create mode 100644 k8s/wireguard/deployment.yaml
 create mode 100644 k8s/wireguard/kustomization.yaml
 create mode 100644 k8s/wireguard/namespace.yaml
 create mode 100644 k8s/wireguard/secret.secret.yaml

diff --git a/.gitattributes b/.gitattributes
index 07ef734..9796c84 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,4 +1,5 @@
 *.secret filter=git-crypt diff=git-crypt
 *.secret.yaml filter=git-crypt diff=git-crypt
 *.secret.values filter=git-crypt diff=git-crypt
-*.secret.sh filter=git-crypt diff=git-crypt
\ No newline at end of file
+*.secret.sh filter=git-crypt diff=git-crypt
+*.secret.conf filter=git-crypt diff=git-crypt
\ No newline at end of file
diff --git a/fritzbox/README.md b/fritzbox/README.md
new file mode 100644
index 0000000..7bf8a3b
--- /dev/null
+++ b/fritzbox/README.md
@@ -0,0 +1,51 @@
+# FritzBox Wireguard Setup
+
+This folder contains configuration and documentation for connecting your FritzBox router (home network) to the Kubernetes cluster via a Wireguard Site-to-Site VPN.
+
+## 1. Prerequisites
+- Your FritzBox must be running FRITZ!OS 7.50+ (Tested with 8.25).
+- The Kubernetes Wireguard endpoint (`k8s/wireguard`) must be deployed and running on `vpn.haumdaucher.de`.
+
+## 2. Connecting the FritzBox
+
+The FritzBox will be configured to connect to the cluster via a "LAN-to-LAN" coupling. Since we prefer "infrastructure as code", we have pre-generated the exact configuration file. For FritzBox specifically, this requires a manual import step.
+
+1. Locate the file `fritzbox-wireguard.secret.conf` in this directory.
+2. Ensure you have unlocked `git-crypt` so you can read its decrypted contents.
+3. Open your FritzBox Web Interface (usually `http://fritz.box`).
+4. Navigate to **Internet > Permit Access > VPN (WireGuard)**.
+5. Click on **Add Connection** (or "Verbindung hinzufügen").
+6. Select **Connect networks or establish special connections** (Netzwerke koppeln oder spezielle Verbindungen herstellen).
+7. Ask if it has been set up on the other side -> choose **Yes** (or choose to upload a config file directly).
+8. Choose **Upload a configuration file** and select the decrypted `fritzbox-wireguard.secret.conf` file.
+9. Finish the setup.
+
+The FritzBox will immediately try to connect to `vpn.haumdaucher.de:51820`.
+
+## 3. Verifying the Connection
+
+### From the Kubernetes Side
+Connect to your cluster and check the Wireguard pod logs:
+```bash
+# Get the pod name
+kubectl get pods -n wireguard
+
+# Execute into the pod to check connection status
+kubectl exec -it -n wireguard -- wg show
+```
+You should see a peer connected and the `latest handshake` timestamp indicating a successful connection.
+
+### Bidirectional Ping Test
+1. 
**Cluster -> Home Network:**
+ Exec into any pod in your cluster (e.g., a toolbox or home-assistant pod) and ping a device on your local network:
+ ```bash
+ ping 192.168.10.1 # Ping your FritzBox local IP
+ ```
+2. **Home Network -> Cluster:**
+ From your laptop at home, try to ping a known K8s Service IP (e.g., `10.233.0.1` for kubernetes default service, or a specific pod IP):
+ ```bash
+ ping 10.233.0.1
+ ```
+
+## Backups
+Any future manual configurations, firmware backups, or notes related to the FritzBox should be stored within this `fritzbox/` folder. Use `.secret` extensions for any files containing sensitive tokens or passwords.
diff --git a/fritzbox/fritzbox-wireguard.secret.conf b/fritzbox/fritzbox-wireguard.secret.conf
new file mode 100644
index 0000000000000000000000000000000000000000..4c1a28a591e24515065113630ecaca84747d1548
GIT binary patch literal 304 zcmV-00nh#bM@dveQdv+`01Jn3cXJ(XtvQ4RuT#*D34(`Kd1x|`_Ezq7NN6`)O{zhM z8Yq`#al$^gH{Y&)g=-I85<7K#;m)UA2k(<6o}-D!4?3%+;M5nCWY_b^6fGDu#P*?&;HWn4neKiXMKh%R1v6mx%X4wvk!}%At^B8*DhNPMO9{4|E6^;pEuA!ZL zQij#3JVyYjmi8ggtBJmB5_gLZzm|1Zs>B(3S7_5^w8f|2E*%1K^?>2&pq)g-TFIkpz~Av(AzBXfpKQ>F+B2En~4r;HNt+zbUw6;YcXjbel@ CxQiqJ literal 0 HcmV?d00001
diff --git a/k8s/wireguard/deployment.yaml b/k8s/wireguard/deployment.yaml
new file mode 100644
index 0000000..df821dc
--- /dev/null
+++ b/k8s/wireguard/deployment.yaml
@@ -0,0 +1,53 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: wireguard
+ namespace: wireguard
+ labels:
+ app: wireguard
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: wireguard
+ template:
+ metadata:
+ labels:
+ app: wireguard
+ spec:
+ hostNetwork: true
+ containers:
+ - name: wireguard
+ image: alpine:latest
+ command: ["/bin/sh", "-c"]
+ args:
+ - |
+ apk add --no-cache wireguard-tools iptables
+ cp /config/wg0.conf /etc/wireguard/wg0.conf
+ chmod 600 /etc/wireguard/wg0.conf
+ wg-quick up wg0
+ echo "Wireguard is up"
+ trap "wg-quick down wg0" SIGINT SIGTERM
+ sleep infinity &
+ wait
+ securityContext:
+ privileged: true
+ capabilities:
+ add:
+ - NET_ADMIN
+ - SYS_MODULE
+ volumeMounts:
+ - name: wg-config
+ mountPath: /config/wg0.conf
+ subPath: wg0.conf
+ readOnly: true
+ - name: lib-modules
+ mountPath: /lib/modules
+ readOnly: true
+ volumes:
+ - name: wg-config
+ secret:
+ secretName: wireguard-config
+ - name: lib-modules
+ hostPath:
+ path: /lib/modules
diff --git a/k8s/wireguard/kustomization.yaml b/k8s/wireguard/kustomization.yaml
new file mode 100644
index 0000000..3b9db94
--- /dev/null
+++ b/k8s/wireguard/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: wireguard
+
+resources:
+ - namespace.yaml
+ - secret.secret.yaml
+ - deployment.yaml
diff --git a/k8s/wireguard/namespace.yaml b/k8s/wireguard/namespace.yaml
new file mode 100644
index 0000000..75e9be3
--- /dev/null
+++ b/k8s/wireguard/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: wireguard
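Review bot: `privileged: true` in the container securityContext makes the `capabilities.add` list below it redundant and, together with `hostNetwork: true`, gives the container the whole host; `wg-quick` on a host-network pod normally needs only `NET_ADMIN` (plus `SYS_MODULE` and the read-only `/lib/modules` mount so the `wireguard` module can be loaded), so drop `privileged: true`, keep the explicit capabilities, and add `automountServiceAccountToken: false` to the pod spec since the script never talks to the API server. `image: alpine:latest` with `apk add` at every start makes the VPN endpoint depend on whatever Alpine and wireguard-tools publish that day and on registry access at pod start; pin the image by digest (`image: alpine:<tag>@sha256:<digest>`, placeholder) or bake the packages into a purpose-built image. Because `wg0` lives in the host network namespace, the Deployment's default RollingUpdate strategy can start a replacement pod while the old one still holds `wg0` on the same node, and without a `nodeSelector` a reschedule moves the listener away from whichever node `vpn.haumdaucher.de:51820` resolves to; `strategy: {type: Recreate}` plus a node selector would cover both, though how that DNS name is maintained is not visible here. A comment on the `lib-modules` volume stating that it exists only for module loading would also spare the next reader from guessing.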
diff --git a/k8s/wireguard/secret.secret.yaml b/k8s/wireguard/secret.secret.yaml new file mode 100644 index 0000000000000000000000000000000000000000..dd7997a4ccf8c7047629cac5d5a7d828fa2aa573 GIT binary patch literal 429 zcmV;e0aE?|M@dveQdv+`0PDK7he!w%2KiUJ3qZ8AB35OER#MsjyRj?R`M`!TVT)O! zKJdkhrQs)2)(Ee1DLRV%m{u~tvL)Mysx#Xxf2J9=y*1pad%>p~6E#OZ)>90?3r^1A z71JR544OWn*NQ#5HUwg=oC8edJ5&i) zCt$IvCd1Fa02nWM2%|3~tV}*3!AU38Jki{4v3jvo6LQTJIF%z1&ICq46}7tUcSsGC z)}8CG4OBS$X{6<^oa*jUY$d_%<_EEx@Vr%~e=X9b;;P|28D97qB zuWXM&D|l=huTF-kid_^8AGzmYqR5y9LV$`pBMJo0+NpsOa}Sdhy+jeZuNawFhf35s z(BxTlNwwA+stR_D@(chXKe73LX=$@ Xeh1lwXnX`fup(hv