Speaker: Nico Vibert, Senior Staff Technical Marketing Engineer

WireGuard Node-To-Node Encryption on Cilium

[10:44] In this video, learn about a new feature: Cilium Transparent Encryption with WireGuard can now encrypt traffic node-to-node!


In this short video, we are going to have a look at WireGuard and a new feature that is coming with 1.14, a feature you can already test with our snapshot releases. With this new feature, what we can do is actually encrypt the traffic between hosts instead of just between pods.
We are also removing some of the restrictions that existed with WireGuard. So if we look back at version 1.10, that was a couple of years ago now, and that was when we introduced WireGuard support. That was essentially the ability to provide encryption of traffic between pods, between Cilium-managed pods, through a secure WireGuard tunnel, and this was an alternative to the transparent encryption method that was available with IPsec. I’ve already covered WireGuard and IPsec in a different video. There’s also a tutorial on isovalent.com, and we also have a lab available for you to try both features. What I wanted to highlight here is a couple of the limitations we had at the time, where we couldn’t do host-to-host or pod-to-host encryption, and also we didn’t support layer 7 policy at the time. As you can see here, we said we would add this in an upcoming Cilium release, and the good news is that it’s coming with 1.14. So you can already test this with 1.14.0-snapshot.0, and what you’ll see is that the whole WireGuard integration in the datapath has been changed to support node-to-node encryption. What you can also see here is that in 1.13 and before, we had a number of limitations: we didn’t support host-to-node encryption, and we didn’t support layer 7 policy enforcement and visibility.

And actually, if you look at the new documents, you can see that both these lines are removed because it’s added in 1.14 and beyond. I’ll put the links in the description of this video, but we now support node-to-node encryption, host-to-node encryption and layer 7 network policies. Now let’s have a look at the demo. So first, let’s look back at Cilium before version 1.14, and I’m actually using the lab, which lets you test transparent encryption with IPsec and WireGuard. So let’s install Cilium with WireGuard. I’m just installing version 1.12. It only takes a minute or so, but what you’ll notice in 1.12, when we enable WireGuard, is that the L7 proxy is disabled due to WireGuard encryption. It just wasn’t compatible. Let’s just check the Cilium status, and it’s up and running. Now we’re just going to have a quick look to make sure everything is set up correctly, and we’re going to go onto the agent and verify that WireGuard is encrypting. You can see as well that with WireGuard we use tunnels, and the tunnel interface is this one here, and you can see the port number, and that we’re peering with the other nodes here. Now, again, we’re still using version 1.12, so what we’re going to do is quickly look at the traffic on the cilium_wg0 interface. Right, so I’ve just installed tcpdump and I’m just going to listen for traffic. As you can see, by default there’s nothing whatsoever, no traffic at all. Let’s go here, connect to the agents, and run the cilium connectivity health check, which essentially is a kind of host-to-host connectivity test.

As you can see, it’s running right now, but there’s still no traffic being sent on the WireGuard interface. We do, however, have connectivity between hosts.

It’s only when I actively start doing some pod-to-pod tests that you will see traffic being sent.

So, just to validate that traffic is being sent across the WireGuard interface, let’s deploy a couple of pods. What I am making sure of is that I pin them to two different nodes, so that they are statically placed on different nodes.

I can now see pod-to-pod traffic on the WireGuard interface, which has been working for a while. What we’re going to see with version 1.14 is node-to-node traffic.

Let’s try 1.14.0-snapshot.0 and verify that the traffic between nodes is now encrypted when we enable WireGuard. What I am doing first is adding the Cilium repo, and then I’m going to enable encryption, WireGuard encryption and node encryption. Once Cilium is up and running, we’ll run the same test we did earlier.

Let’s install tcpdump again, and let’s start listening on the WireGuard interface.
We can already see traffic being sent. So what is happening? We see regular traffic over port 4240, which is the health check port used during the Cilium health check, and we can also see pings between the different nodes.
You can see that traffic is being encrypted between our two nodes as it goes through the WireGuard interface. As mentioned before, you can see the traffic to port 4240.
If we check the documentation, we can actually see that Cilium Health requires TCP port 4240 on all the nodes for the Cilium Health monitoring. As you can see, this traffic is also being encrypted between the nodes.
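The check the demo does by eye (health-check traffic on TCP 4240 shows up on the WireGuard interface once node encryption is on) can be scripted. The script below is an added example, not code from the video or from the Cilium project. It assumes the Cilium Helm keys `encryption.enabled`, `encryption.type=wireguard` and `encryption.nodeEncryption`, the interface name `cilium_wg0`, TCP port 4240 for cilium-health and UDP port 51871 as the WireGuard listen port; the two captures are constructed sample data in `tcpdump -n` line format, not real output, and the chart version in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example: script the verification the demo does by hand.
# Assumptions (not from the video): the three Helm keys below, the interface
# name cilium_wg0, cilium-health on TCP 4240 and WireGuard on UDP 51871.
# The captures at the bottom are constructed sample lines, not real output.

# Helm flags that enable WireGuard with node-to-node encryption (Cilium 1.14+).
# Usage: helm upgrade --install cilium cilium/cilium --version <PLACEHOLDER-1.14.x> \
#          --namespace kube-system $(wireguard_node_encryption_flags)
wireguard_node_encryption_flags() {
  printf '%s ' \
    '--set encryption.enabled=true' \
    '--set encryption.type=wireguard' \
    '--set encryption.nodeEncryption=true'
}

# Count packets in a tcpdump text capture whose source or destination port is 4240.
# "tcpdump -n" prints host.port: "10.0.0.2.4240:" for a destination, "10.0.0.1.4240 >" for a source.
health_packets_in_capture() {
  grep -cE '\.4240( |:)' "$1" || true
}

# Count WireGuard datagrams (UDP 51871) in a capture.
wireguard_packets_in_capture() {
  grep -cE '\.51871( |:)' "$1" || true
}

# Node encryption is effective when health-check traffic is visible on the
# WireGuard interface while the underlying NIC carries only WireGuard UDP and
# no plaintext port-4240 packets.
# $1: capture taken on cilium_wg0, $2: capture taken on the node's NIC (eth0).
# Returns 0 when both conditions hold, 1 otherwise.
node_encryption_effective() {
  wg_health=$(health_packets_in_capture "$1")
  nic_health=$(health_packets_in_capture "$2")
  nic_wg=$(wireguard_packets_in_capture "$2")
  [ "$wg_health" -gt 0 ] && [ "$nic_health" -eq 0 ] && [ "$nic_wg" -gt 0 ]
}

# Constructed samples standing in for:
#   tcpdump -ni cilium_wg0 > wg0.txt    and    tcpdump -ni eth0 > eth0.txt
WG0_CAPTURE=$(mktemp)
ETH0_CAPTURE=$(mktemp)
cat >"$WG0_CAPTURE" <<'EOF'
10:00:01.000001 IP 10.0.0.1.44512 > 10.0.0.2.4240: Flags [S], seq 1, win 64240, length 0
10:00:01.000002 IP 10.0.0.2.4240 > 10.0.0.1.44512: Flags [S.], seq 2, ack 2, win 65160, length 0
10:00:01.000003 IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 7, seq 1, length 64
EOF
cat >"$ETH0_CAPTURE" <<'EOF'
10:00:01.000001 IP 192.168.1.10.51871 > 192.168.1.11.51871: UDP, length 176
10:00:01.000002 IP 192.168.1.11.51871 > 192.168.1.10.51871: UDP, length 176
EOF

if node_encryption_effective "$WG0_CAPTURE" "$ETH0_CAPTURE"; then
  echo "node-to-node encryption effective: health traffic only seen inside WireGuard"
else
  echo "WARNING: plaintext health traffic on the NIC, or nothing on cilium_wg0"
fi
```

Run the two `tcpdump` captures on the same node for the same window before feeding them in; a capture that shows port 4240 on the NIC while `cilium_wg0` is quiet is the 1.12-style behaviour from the first half of the demo, which is exactly what the warning branch flags.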
That was just a quick demo. The idea behind transparent encryption is that you don’t have to think about it; it’s just done for you. Especially with WireGuard, you don’t have to manage your keys or rotate them; it’s all done for you. Now, it’s just an additional flag in your Cilium configuration. You can also enable node-to-node encryption, and that’s it. Thanks for watching. Bye!