Wireguard as a Kubernetes Service

Nico Schottelius nico.schottelius at ungleich.ch
Mon Aug 9 12:34:43 UTC 2021

Hello dear WG mailing list,

I am interested in running wireguard servers (as in endpoints) inside a
kubernetes cluster. I have two different approaches and was wondering
what makes more sense:

1) Wireguard in kernel on every participating node

Assuming that the kernel module is loaded on the host and that a k8s pod
just sets the VPN configuration, every node that hosts the wireguard
service would need to be configured.

Given that a pod is privileged, this might work with a single instance
service that is only terminated on one node. I assume the usual roaming
problems apply so that only 1 node could host that service.

One problem I see here is that the host will have fragments left, even
if the pod is moved to another node. This might be able to catch using

The biggest "problem" I see is that the actual node becomes the VPN
endpoint and not really the pod.

2) User space client

Is there still any Linux user space client that could be used instead?
Performance is not the most critical point of running wireguard as a
service inside k8s, but more the ease of maintenance.

I see these two options, does anyone have a better idea on how to move
the vpn endpoints into a k8s cluster?

Best regards,


Sustainable and modern Infrastructures by ungleich.ch

More information about the WireGuard mailing list