Bridging Cloud and On-Premises — Setting Up WireGuard VPN for Unified Kubernetes Networking

Aum Patel
3 min read · Nov 23, 2024


Overview

This guide demonstrates how to establish a secure VPN tunnel between your cloud-based Kubernetes cluster (EKS) and on-premises Kubernetes environment (Minikube) using WireGuard. This setup enables secure cross-cluster communication while maintaining network isolation.

Key Benefits

  • Encrypted communication between cloud and on-premises environments
  • Simple configuration using Kubernetes manifests
  • Low-overhead VPN solution with modern cryptography
  • Seamless integration with existing Kubernetes deployments

Prerequisites

  • Running Kubernetes clusters (EKS in cloud, Minikube on-premises)
  • kubectl access to both clusters
  • WireGuard keys generated for both endpoints
  • Network access on port 51820/UDP

Implementation

1. Cloud Cluster (EKS) Setup

First, create the EKS manifest file (eks-wireguard-manifest.yaml):

apiVersion: v1
kind: Namespace
metadata:
  name: wireguard
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: wireguard-config
  namespace: wireguard
data:
  wg0.conf: |
    [Interface]
    PrivateKey = <YOUR-EKS-PRIVATE-KEY> # Replace with your generated private key
    Address = 10.0.0.1/24
    ListenPort = 51820

    # Forward tunnel traffic and masquerade it out of the node's primary interface
    PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

    [Peer]
    PublicKey = <YOUR-ONPREM-PUBLIC-KEY> # Replace with your on-prem public key
    AllowedIPs = 10.0.0.0/24
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wireguard
  namespace: wireguard
spec:
  selector:
    matchLabels:
      app: wireguard
  replicas: 1
  template:
    metadata:
      labels:
        app: wireguard
    spec:
      # The wg0 interface is created in the node's network namespace
      hostNetwork: true
      containers:
        - name: wireguard
          image: linuxserver/wireguard:latest
          securityContext:
            privileged: true
            capabilities:
              add:
                - NET_ADMIN
                - SYS_MODULE
          ports:
            - containerPort: 51820
              protocol: UDP
          volumeMounts:
            - name: config
              mountPath: /etc/wireguard
            - name: modules
              mountPath: /lib/modules
          env:
            - name: PUID
              value: "1000"
            - name: PGID
              value: "1000"
            - name: TZ
              value: "UTC"
      volumes:
        - name: config
          configMap:
            name: wireguard-config
        - name: modules
          hostPath:
            path: /lib/modules
---
apiVersion: v1
kind: Service
metadata:
  name: wireguard
  namespace: wireguard
spec:
  type: NodePort
  ports:
    - port: 51820
      targetPort: 51820
      protocol: UDP
  selector:
    app: wireguard

2. On-Premises (Minikube) Setup

Create the Minikube manifest file (minikube-wireguard-manifest.yaml):

apiVersion: v1
kind: Namespace
metadata:
  name: wireguard
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: wireguard-config
  namespace: wireguard
data:
  wg0.conf: |
    [Interface]
    PrivateKey = <YOUR-ONPREM-PRIVATE-KEY> # Replace with your generated private key
    Address = 10.0.0.2/24
    DNS = 8.8.8.8, 8.8.4.4

    [Peer]
    PublicKey = <YOUR-EKS-PUBLIC-KEY> # Replace with your EKS public key
    Endpoint = <YOUR-EKS-NODE-IP>:51820 # Replace with your EKS node IP
    AllowedIPs = 10.0.0.0/24
    # The on-prem side initiates and keeps the NAT mapping alive
    PersistentKeepalive = 25
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wireguard
  namespace: wireguard
spec:
  selector:
    matchLabels:
      app: wireguard
  replicas: 1
  template:
    metadata:
      labels:
        app: wireguard
    spec:
      hostNetwork: true
      containers:
        - name: wireguard
          image: linuxserver/wireguard:latest
          securityContext:
            privileged: true
            capabilities:
              add:
                - NET_ADMIN
                - SYS_MODULE
          ports:
            - containerPort: 51820
              protocol: UDP
          volumeMounts:
            - name: config
              mountPath: /etc/wireguard
            - name: modules
              mountPath: /lib/modules
          env:
            - name: PUID
              value: "1000"
            - name: PGID
              value: "1000"
            - name: TZ
              value: "UTC"
      volumes:
        - name: config
          configMap:
            name: wireguard-config
        - name: modules
          hostPath:
            path: /lib/modules

3. Deployment Steps

1. Generate WireGuard keys for both endpoints:

# Generate keys for EKS
wg genkey | tee eks-private.key | wg pubkey > eks-public.key

# Generate keys for on-premises
wg genkey | tee onprem-private.key | wg pubkey > onprem-public.key

2. Update the manifests with your keys: replace <YOUR-EKS-PRIVATE-KEY> and <YOUR-ONPREM-PUBLIC-KEY> in the EKS manifest, and <YOUR-ONPREM-PRIVATE-KEY>, <YOUR-EKS-PUBLIC-KEY> and <YOUR-EKS-NODE-IP> in the Minikube manifest.

3. Deploy to EKS cluster:

kubectl apply -f eks-wireguard-manifest.yaml

4. Deploy to Minikube cluster:

kubectl apply -f minikube-wireguard-manifest.yaml --context minikube

5. Verify the deployments:

# Check pods in both clusters (run against each cluster's context)
kubectl get pods -n wireguard

# Check the service in EKS (the Service object only exists in the EKS manifest)
kubectl get svc -n wireguard
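The five steps above are easy to get wrong by hand: a placeholder left in a manifest, or a key truncated while pasting, yields a pod that starts cleanly but never completes a handshake, which is the "incorrect keys" case from the troubleshooting section. The POSIX shell script below is an added example, not part of the original post, that fills the placeholders from the key files produced in step 1 and refuses to continue while any <YOUR-...> token or malformed key remains. It assumes the manifest and key file names used in this post; the function names and the node-IP argument are the example's own. Note that the rendered EKS manifest then holds a private key in clear text, so keep it out of version control.

```shell
#!/bin/sh
# Added example, not from the original post: fill the <YOUR-...> placeholders
# of the two manifests from the key files created in step 1, and stop before
# "kubectl apply" if a placeholder or a malformed key is still present.
# Function names and the node-IP argument are this example's own choices.

# A WireGuard key is 32 random bytes; base64 makes that exactly 44 characters:
# 42 unrestricted, a 43rd whose low two bits must be zero, then one "=" pad.
is_wg_key() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# Succeed only when no <YOUR-...> token is left in the file.
no_placeholders_left() {
  ! grep -q '<YOUR-[A-Z-]*>' "$1"
}

# fill_manifest FILE TOKEN=VALUE [TOKEN=VALUE ...]
# Replaces each <TOKEN> with VALUE, rewriting FILE, then checks for leftovers.
# Keys and IPs never contain "|" or "&", so they are safe as sed replacements.
fill_manifest() {
  file=$1; shift
  for pair in "$@"; do
    token=${pair%%=*}
    value=${pair#*=}          # keeps the trailing "=" of a base64 key
    sed "s|<$token>|$value|g" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  done
  no_placeholders_left "$file"
}

# render_manifests EKS_NODE_IP
# Validates the four key files, then fills both manifests used in the post.
# The rendered EKS file now contains a private key: keep it out of git.
render_manifests() {
  node_ip=$1
  for f in eks-private.key eks-public.key onprem-private.key onprem-public.key; do
    is_wg_key "$(cat "$f")" || { echo "$f: not a WireGuard key" >&2; return 1; }
  done
  fill_manifest eks-wireguard-manifest.yaml \
    "YOUR-EKS-PRIVATE-KEY=$(cat eks-private.key)" \
    "YOUR-ONPREM-PUBLIC-KEY=$(cat onprem-public.key)" &&
  fill_manifest minikube-wireguard-manifest.yaml \
    "YOUR-ONPREM-PRIVATE-KEY=$(cat onprem-private.key)" \
    "YOUR-EKS-PUBLIC-KEY=$(cat eks-public.key)" \
    "YOUR-EKS-NODE-IP=$node_ip"
}
```

Run it from the directory holding the key files and the two manifests, for example `render_manifests 203.0.113.10 && kubectl apply -f eks-wireguard-manifest.yaml`; the `&&` means a leftover placeholder or a bad key stops the deploy rather than producing a silently broken tunnel.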

Troubleshooting

  1. Check the tunnel from inside the pods:
# From the EKS pod
ping 10.0.0.2

# From the Minikube pod
ping 10.0.0.1

# Run wg show in both WireGuard pods and confirm the received and sent transfer bytes are increasing
wg show

Common issues:

  • Port 51820/UDP not reachable (open the UDP port in the EKS node security group)
  • Incorrect keys
  • Network policies blocking traffic
  • Host network issues
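Reading `wg show` by eye works once; to repeat the check on a schedule it helps to use the machine-readable form, `wg show wg0 dump`, whose first line describes the interface (private-key, public-key, listen-port, fwmark) and whose remaining lines carry one peer each as tab-separated public-key, preshared-key, endpoint, allowed-ips, latest-handshake (unix seconds, 0 if never), transfer-rx, transfer-tx and persistent-keepalive. The script below is an added example, not from the original post, that maps those fields onto the failure signatures in the list above: no handshake at all points at keys, Endpoint or the UDP port; a handshake that has gone stale points at a dropped path; a handshake with zero bytes received points at AllowedIPs or forwarding. The sample dump is constructed with fake keys; the function names and the 180-second staleness limit are the example's own.

```shell
#!/bin/sh
# Added example, not from the original post: score the peers of a
# "wg show wg0 dump" snapshot so the manual "look at wg show" check can run
# on a schedule. Function names and the 180 s staleness limit are this
# example's own; the dump layout is WireGuard's documented one.

# check_peers DUMP_TEXT NOW_UNIX_SECONDS [MAX_HANDSHAKE_AGE_SECONDS]
# Prints one verdict per peer; returns 1 if any peer is unhealthy.
check_peers() {
  dump=$1; now=$2; max_age=${3:-180}
  printf '%s\n' "$dump" | awk -F'\t' -v now="$now" -v max_age="$max_age" '
    NR == 1 { next }   # interface line: private-key, public-key, listen-port, fwmark
    NF < 8  { next }   # peer lines carry exactly eight tab-separated fields
    {
      peer = substr($1, 1, 8) "..."
      hs = $5; rx = $6; tx = $7
      age = now - hs
      if (hs == 0) {
        print peer ": never completed a handshake (check keys, Endpoint, UDP 51820)"; bad++
      } else if (age > max_age) {
        print peer ": last handshake " age "s ago, tunnel is stale"; bad++
      } else if (rx == 0) {
        print peer ": handshake ok but nothing received (check AllowedIPs, forwarding)"; bad++
      } else {
        print peer ": ok, rx=" rx " tx=" tx
      }
    }
    END { if (bad) exit 1 }'
}

# Constructed sample dump (fake keys): peer A is healthy at the reference time
# 1732300060, peer B has never handshaken. A live snapshot comes from
#   check_peers "$(wg show wg0 dump)" "$(date +%s)"
# run inside either WireGuard pod.
sample_dump() {
  printf 'PRIVATE-KEY-REDACTED\tIFACE-PUBLIC-KEY\t51820\toff\n'
  printf 'PEER-A-PUBLIC-KEY\t(none)\t203.0.113.10:51820\t10.0.0.0/24\t1732300000\t4120\t3890\t25\n'
  printf 'PEER-B-PUBLIC-KEY\t(none)\t(none)\t10.0.0.3/32\t0\t0\t0\t25\n'
}
```

Because the function takes the current time as an argument, the same snapshot can be re-evaluated later; on the sample it reports peer A as ok and peer B as never handshaken, and exits non-zero, which is what a liveness probe or cron job wants to see.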

If this helped in some way or you learnt a new thing, then make sure you follow me on LinkedIn 😉 for more such interesting posts.


Written by Aum Patel

Devops | CKA | Penetration tester (EJPTV2) | Cloud Associate
