feat(wireguard): setup K8s to FritzBox Site-to-Site VPN

2026-05-17 10:36:06 +02:00 · 2026-05-17 10:36:06 +02:00 · f203cd1f38
parent 6b3a5cd7c1
commit f203cd1f38
7 changed files with 119 additions and 1 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -1,4 +1,5 @@
 *.secret filter=git-crypt diff=git-crypt
 *.secret.yaml filter=git-crypt diff=git-crypt
 *.secret.values filter=git-crypt diff=git-crypt
-*.secret.sh filter=git-crypt diff=git-crypt
+*.secret.sh filter=git-crypt diff=git-crypt
 *.secret.conf filter=git-crypt diff=git-crypt
--- a/fritzbox/README.md
+++ b/fritzbox/README.md
@ -0,0 +1,51 @@
 # FritzBox Wireguard Setup
 This folder contains configuration and documentation for connecting your FritzBox router (home network) to the Kubernetes cluster via a Wireguard Site-to-Site VPN.
 ## 1. Prerequisites
 - Your FritzBox must be running FRITZ!OS 7.50+ (Tested with 8.25).
 - The Kubernetes Wireguard endpoint (`k8s/wireguard`) must be deployed and running on `vpn.haumdaucher.de`.
 ## 2. Connecting the FritzBox
 The FritzBox will be configured to connect to the cluster via a "LAN-to-LAN" coupling. Since we prefer "infrastructure as code", we have pre-generated the exact configuration file. For FritzBox specifically, this requires a manual import step.
 1. Locate the file `fritzbox-wireguard.secret.conf` in this directory. 
 2. Ensure you have unlocked `git-crypt` so you can read its decrypted contents.
 3. Open your FritzBox Web Interface (usually `http://fritz.box`).
 4. Navigate to **Internet > Permit Access > VPN (WireGuard)**.
 5. Click on **Add Connection** (or "Verbindung hinzufügen").
 6. Select **Connect networks or establish special connections** (Netzwerke koppeln oder spezielle Verbindungen herstellen).
 7. Ask if it has been set up on the other side -> choose **Yes** (or choose to upload a config file directly).
 8. Choose **Upload a configuration file** and select the decrypted `fritzbox-wireguard.secret.conf` file.
 9. Finish the setup.
 The FritzBox will immediately try to connect to `vpn.haumdaucher.de:51820`.
 ## 3. Verifying the Connection
 ### From the Kubernetes Side
 Connect to your cluster and check the Wireguard pod logs:
 ```bash
 # Get the pod name
 kubectl get pods -n wireguard
 # Execute into the pod to check connection status
 kubectl exec -it <pod-name> -n wireguard -- wg show
 ```
 You should see a peer connected and the `latest handshake` timestamp indicating a successful connection.
 ### Bidirectional Ping Test
 1. **Cluster -> Home Network:**
   Exec into any pod in your cluster (e.g., a toolbox or home-assistant pod) and ping a device on your local network:
   ```bash
   ping 192.168.10.1  # Ping your FritzBox local IP
   ```
 2. **Home Network -> Cluster:**
   From your laptop at home, try to ping a known K8s Service IP (e.g., `10.233.0.1` for kubernetes default service, or a specific pod IP):
   ```bash
   ping 10.233.0.1
   ```
 ## Backups
 Any future manual configurations, firmware backups, or notes related to the FritzBox should be stored within this `fritzbox/` folder. Use `.secret` extensions for any files containing sensitive tokens or passwords.
--- a/fritzbox/fritzbox-wireguard.secret.conf
+++ b/fritzbox/fritzbox-wireguard.secret.conf
--- a/k8s/wireguard/deployment.yaml
+++ b/k8s/wireguard/deployment.yaml
@ -0,0 +1,53 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: wireguard
  namespace: wireguard
  labels:
    app: wireguard
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: wireguard
  template:
    metadata:
      labels:
        app: wireguard
    spec:
      hostNetwork: true
      containers:
      - name: wireguard
        image: alpine:latest
        command: ["/bin/sh", "-c"]
        args:
          - |
            apk add --no-cache wireguard-tools iptables
            cp /config/wg0.conf /etc/wireguard/wg0.conf
            chmod 600 /etc/wireguard/wg0.conf
            wg-quick up wg0
            echo "Wireguard is up"
            trap "wg-quick down wg0" SIGINT SIGTERM
            sleep infinity &
            wait
        securityContext:
          privileged: true
          capabilities:
            add:
              - NET_ADMIN
              - SYS_MODULE
        volumeMounts:
        - name: wg-config
          mountPath: /config/wg0.conf
          subPath: wg0.conf
          readOnly: true
        - name: lib-modules
          mountPath: /lib/modules
          readOnly: true
      volumes:
      - name: wg-config
        secret:
          secretName: wireguard-config
      - name: lib-modules
        hostPath:
          path: /lib/modules
--- a/k8s/wireguard/kustomization.yaml
+++ b/k8s/wireguard/kustomization.yaml
@ -0,0 +1,9 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: wireguard
 resources:
  - namespace.yaml
  - secret.secret.yaml
  - deployment.yaml
--- a/k8s/wireguard/namespace.yaml
+++ b/k8s/wireguard/namespace.yaml
@ -0,0 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: wireguard
--- a/k8s/wireguard/secret.secret.yaml
+++ b/k8s/wireguard/secret.secret.yaml