使用 Wireguard 在虚拟机上公开 Minikube 服务

使用 Wireguard 在虚拟机上公开 Minikube 服务

由于运行中遇到bugBTRFS 上的 Minikube,我现在正在 Fedora 35 主机上的 QEMU Fedora 35 来宾虚拟机上运行它。我可以使用ssh -fNL端口转发来访问来宾中的 Podman diven 网络服务,但我希望使用更明智的方式(例如wireguard VPN)来允许直接在来宾上使用该子网上所有已发布的 URL。

例如,我有一个可以通过主机浏览器地址http://localhost:32220使用端口转发命令访问的服务ssh -fNL32220:10.88.0.2:32220 192.168.122.122,但是我希望http://10.88.0.3:32220通过wireguard 将主机浏览器连接到 podman0 网络地址,但我不能。

主机设置:

$ ip addr show dev wg0
12: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 10.0.0.1/24 scope global wg0
       valid_lft forever preferred_lft forever
$ ip addr show dev virbr0
5: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 52:54:00:92:ca:97 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever

$ sudo cat /etc/wireguard/wg0.conf
[Interface]
PrivateKey = <host private key string>
Address = 10.0.0.1/24
ListenPort = 51820

[Peer]
PublicKey = bxL6esqKWNjEcQ7hLeMTE/TYacztAu95f1shVfe7AjQ=
AllowedIPs = 10.88.0.0/16, 10.0.0.2/32
Endpoint = 192.168.122.122:51820

$ sudo cat /etc/sysctl.d/99-sysctl.conf 
net.ipv4.ip_forward=1

来宾虚拟机设置:

$ ip addr show dev wg0
11: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 10.0.0.2/24 scope global wg0
       valid_lft forever preferred_lft forever
$ ip addr show dev enp1s0 
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 52:54:00:c6:22:84 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.122/24 brd 192.168.122.255 scope global dynamic noprefixroute enp1s0
       valid_lft 2474sec preferred_lft 2474sec
    inet6 fe80::5054:ff:fec6:2284/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
$ ip addr show dev podman0
6: podman0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether fa:07:63:90:3f:01 brd ff:ff:ff:ff:ff:ff
    inet 10.88.0.1/16 brd 10.88.255.255 scope global podman0
       valid_lft forever preferred_lft forever
    inet6 fe80::7cc5:35ff:fe52:509d/64 scope link 
       valid_lft forever preferred_lft forever
$ sudo cat /etc/wireguard/wg0.conf
[Interface]
Address = 10.0.0.2/24
SaveConfig = true
ListenPort = 51820
PrivateKey = <guest private key string>

[Peer]
PublicKey = Hwb/SeadMH/JbzelPyL7wvOY14Gf8owOcsDFMObD2lE=
AllowedIPs = 10.0.0.1/32

在访客上,我在这里可以看到一项服务(如上所述,可以通过 ssh 隧道获得):

minikube service list
|----------------------|---------------------------|--------------|------------------------|
|      NAMESPACE       |           NAME            | TARGET PORT  |          URL           |
|----------------------|---------------------------|--------------|------------------------|
| default              | hello-minikube            |         8080 | http://10.88.0.3:32220 |

最后我将wireguard服务防火墙端口添加UDP/51820virbr0

$ sudo firewall-cmd --info-zone=libvirt
libvirt (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: virbr0
  sources: 
  services: dhcp dhcpv6 dns ssh tftp wireguard
  ports: 
  protocols: icmp ipv6-icmp
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
    rule priority="32767" reject

有什么想法 (a) 如何完成这项工作或 (b) 如何使来宾内部 URI 更适合我测试 Kubernetes Pod?目前我一直在使用waypipe转发远程浏览器实例 - 一个可怕的黑客:D

相关内容