From c63d19b12305b65dab9dd9f29ef1cdf042f64794 Mon Sep 17 00:00:00 2001 From: Paul Buetow Date: Sun, 11 Jan 2026 22:42:07 +0200 Subject: Update content for md --- about/resources.md | 204 +- ...025-05-11-f3s-kubernetes-with-freebsd-part-5.md | 330 ++- .../wireguard-full-mesh-with-roaming.svg | 2183 ++++++++++++++++++++ .../wireguard-full-mesh.svg | 772 ------- index.md | 2 +- uptime-stats.md | 2 +- 6 files changed, 2557 insertions(+), 936 deletions(-) create mode 100644 gemfeed/f3s-kubernetes-with-freebsd-part-5/wireguard-full-mesh-with-roaming.svg delete mode 100644 gemfeed/f3s-kubernetes-with-freebsd-part-5/wireguard-full-mesh.svg diff --git a/about/resources.md b/about/resources.md index 2398d345..3b51b172 100644 --- a/about/resources.md +++ b/about/resources.md 
@@ -35,110 +35,110 @@ You won't find any links on this site because, over time, the links will break. In random order: -* 21st Century C: C Tips from the New School; Ben Klemens; O'Reilly -* Perl New Features; Joshua McAdams, brian d foy; Perl School -* DevOps And Site Reliability Engineering Handbook; Stephen Fleming; Audible -* Distributed Systems: Principles and Paradigms; Andrew S. Tanenbaum; Pearson -* Terraform Cookbook; Mikael Krief; Packt Publishing -* Systemprogrammierung in Go; Frank Müller; dpunkt -* Amazon Web Services in Action; Michael Wittig and Andreas Wittig; Manning Publications -* Ultimate Go Notebook; Bill Kennedy +* Go Brain Teasers - Exercise Your Mind; Miki Tebeka; The Pragmatic Programmers * Learn You Some Erlang for Great Good; Fred Herbert; No Starch Press -* Systems Performance Tuning; Gian-Paolo D. Musumeci and others...; O'Reilly -* Hands-on Infrastructure Monitoring with Prometheus; Joel Bastos, Pedro Araujo; Packt -* Kubernetes Cookbook; Sameer Naik, Sébastien Goasguen, Jonathan Michaux; O'Reilly +* Tmux 2: Productive Mouse-free Development; Brain P. Hogan; The Pragmatic Programmers +* The Go Programming Language; Alan A. A. 
Donovan; Addison-Wesley Professional +* The Docker Book; James Turnbull; Kindle * Site Reliability Engineering; How Google runs production systems; O'Reilly -* Go Brain Teasers - Exercise Your Mind; Miki Tebeka; The Pragmatic Programmers -* Programming Perl aka "The Camel Book"; Tom Christiansen, brian d foy, Larry Wall & Jon Orwant; O'Reilly -* Data Science at the Command Line; Jeroen Janssens; O'Reilly -* Clusterbau mit Linux-HA; Michael Schwartzkopff; O'Reilly -* Leanring eBPF; Liz Rice; O'Reilly -* Pro Puppet; James Turnbull, Jeffrey McCune; Apress -* Programming Ruby 3.3 (5th Edition); Noel Rappin, with Dave Thomas; The Pragmatic Bookshelf -* Developing Games in Java; David Brackeen and others...; New Riders -* Raku Fundamentals; Moritz Lenz; Apress -* The KCNA (Kubernetes and Cloud Native Associate) Book; Nigel Poulton -* Concurrency in Go; Katherine Cox-Buday; O'Reilly -* The Kubernetes Book; Nigel Poulton; Unabridged Audiobook -* The Pragmatic Programmer; David Thomas; Addison-Wesley -* 97 things every SRE should know; Emil Stolarsky, Jaime Woo; O'Reilly -* Polished Ruby Programming; Jeremy Evans; Packt Publishing -* Chaos Engineering - System Resiliency in Practice; Casey Rosenthal and Nora Jones; eBook -* Learn You a Haskell for Great Good!; Miran Lipovaca; No Starch Press -* C++ Programming Language; Bjarne Stroustrup; * The Practise of System and Network Administration; Thomas A. Limoncelli, Christina J. Hogan, Strata R. Chalup; Addison-Wesley Professional Pro Git; Scott Chacon, Ben Straub; Apress -* The Go Programming Language; Alan A. A. Donovan; Addison-Wesley Professional -* Java ist auch eine Insel; Christian Ullenboom; -* Tmux 2: Productive Mouse-free Development; Brain P. Hogan; The Pragmatic Programmers * DNS and BIND; Cricket Liu; O'Reilly -* Effective awk programming; Arnold Robbins; O'Reilly -* Modern Perl; Chromatic ; Onyx Neon Press -* Raku Recipes; J.J. 
Merelo; Apress -* Effective Java; Joshua Bloch; Addison-Wesley Professional +* Systemprogrammierung in Go; Frank Müller; dpunkt +* Java ist auch eine Insel; Christian Ullenboom; * 100 Go Mistakes and How to Avoid Them; Teiva Harsanyi; Manning Publications -* Higher Order Perl; Mark Dominus; Morgan Kaufmann +* The Kubernetes Book; Nigel Poulton; Unabridged Audiobook +* Leanring eBPF; Liz Rice; O'Reilly +* Chaos Engineering - System Resiliency in Practice; Casey Rosenthal and Nora Jones; eBook +* Modern Perl; Chromatic ; Onyx Neon Press +* The KCNA (Kubernetes and Cloud Native Associate) Book; Nigel Poulton * Object-Oriented Programming with ANSI-C; Axel-Tobias Schreiner -* Funktionale Programmierung; Peter Pepper; Springer +* Systems Performance Tuning; Gian-Paolo D. Musumeci and others...; O'Reilly +* Effective awk programming; Arnold Robbins; O'Reilly +* Effective Java; Joshua Bloch; Addison-Wesley Professional * Seeking SRE: Conversations About Running Production Systems at Scale; David N. Blank-Edelman; eBook +* Higher Order Perl; Mark Dominus; Morgan Kaufmann +* Learn You a Haskell for Great Good!; Miran Lipovaca; No Starch Press +* Perl New Features; Joshua McAdams, brian d foy; Perl School +* Concurrency in Go; Katherine Cox-Buday; O'Reilly +* Raku Fundamentals; Moritz Lenz; Apress * The DevOps Handbook; Gene Kim, Jez Humble, Patrick Debois, John Willis; Audible +* Pro Puppet; James Turnbull, Jeffrey McCune; Apress +* Funktionale Programmierung; Peter Pepper; Springer +* Kubernetes Cookbook; Sameer Naik, Sébastien Goasguen, Jonathan Michaux; O'Reilly +* Data Science at the Command Line; Jeroen Janssens; O'Reilly +* Distributed Systems: Principles and Paradigms; Andrew S. 
Tanenbaum; Pearson +* Terraform Cookbook; Mikael Krief; Packt Publishing +* Amazon Web Services in Action; Michael Wittig and Andreas Wittig; Manning Publications +* C++ Programming Language; Bjarne Stroustrup; +* Programming Ruby 3.3 (5th Edition); Noel Rappin, with Dave Thomas; The Pragmatic Bookshelf +* 21st Century C: C Tips from the New School; Ben Klemens; O'Reilly +* DevOps And Site Reliability Engineering Handbook; Stephen Fleming; Audible * Think Raku (aka Think Perl 6); Laurent Rosenfeld, Allen B. Downey; O'Reilly -* The Docker Book; James Turnbull; Kindle +* The Pragmatic Programmer; David Thomas; Addison-Wesley +* Raku Recipes; J.J. Merelo; Apress +* Ultimate Go Notebook; Bill Kennedy +* Clusterbau mit Linux-HA; Michael Schwartzkopff; O'Reilly +* Hands-on Infrastructure Monitoring with Prometheus; Joel Bastos, Pedro Araujo; Packt +* 97 things every SRE should know; Emil Stolarsky, Jaime Woo; O'Reilly +* Developing Games in Java; David Brackeen and others...; New Riders +* Polished Ruby Programming; Jeremy Evans; Packt Publishing +* Programming Perl aka "The Camel Book"; Tom Christiansen, brian d foy, Larry Wall & Jon Orwant; O'Reilly ## Technical references I didn't read them from the beginning to the end, but I am using them to look up things. The books are in random order: -* BPF Performance Tools - Linux System and Application Observability, Brendan Gregg; Addison Wesley -* Algorithms; Robert Sedgewick, Kevin Wayne; Addison Wesley * Go: Design Patterns for Real-World Projects; Mat Ryer; Packt -* Implementing Service Level Objectives; Alex Hidalgo; O'Reilly -* Relayd and Httpd Mastery; Michael W Lucas * The Linux Programming Interface; Michael Kerrisk; No Starch Press * Understanding the Linux Kernel; Daniel P. 
Bovet, Marco Cesati; O'Reilly +* Implementing Service Level Objectives; Alex Hidalgo; O'Reilly +* Relayd and Httpd Mastery; Michael W Lucas +* BPF Performance Tools - Linux System and Application Observability, Brendan Gregg; Addison Wesley +* Algorithms; Robert Sedgewick, Kevin Wayne; Addison Wesley * Groovy Kurz & Gut; Joerg Staudemeier; O'Reilly ## Self-development and soft-skills books In random order: -* Eat That Frog!; Brian Tracy; Hodder Paperbacks +* Consciousness: A Very Short Introduction; Susan Blackmore; Oxford Uiversity Press * The Obstacle Is The Way; Ryan Holiday; Profile Books Ltd +* The Joy of Missing Out; Christina Crook; New Society Publishers +* Who Moved My Cheese?; Dr. Spencer Johnson; Vermilion * Search Inside Yourself - The Unexpected path to Achieving Success, Happiness (and World Peace); Chade-Meng Tan, Daniel Goleman, Jon Kabat-Zinn; HarperOne -* 101 Essays that change the way you think; Brianna Wiest; Audiobook -* Eat That Frog; Brian Tracy -* The Software Engineer's Guidebook: Navigating senior, tech lead, and staff engineer positions at tech companies and startups; Gergely Orosz; Audiobook -* Deep Work; Cal Newport; Piatkus -* Psycho-Cybernetics; Maxwell Maltz; Perigee Books -* The Bullet Journal Method; Ryder Carroll; Fourth Estate -* The 7 Habits Of Highly Effective People; Stephen R. Covey; Simon & Schuster UK * The Power of Now; Eckhard Tolle; Yellow Kite -* So Good They Can't Ignore You; Cal Newport; Business Plus -* Digital Minimalism; Cal Newport; Portofolio Penguin -* The Complete Software Developer's Career Guide; John Sonmez; Unabridged Audiobook -* Slow Productivity; Cal Newport; Penguin Random House +* Eat That Frog!; Brian Tracy; Hodder Paperbacks +* Soft Skills; John Sommez; Manning Publications * Getting Things Done; David Allen +* Eat That Frog; Brian Tracy +* Influence without Authority; A. Cohen, D. 
Bradford; Wiley +* Solve for Happy; Mo Gawdat (RE-READ 1ST TIME) * The Phoenix Project - A Novel About IT, DevOps, and Helping your Business Win; Gene Kim and Kevin Behr; Trade Select -* Buddah and Einstein walk into a Bar; Guy Joseph Ale, Claire Bloom; Blackstone Publishing -* Time Management for System Administrators; Thomas A. Limoncelli; O'Reilly +* The Complete Software Developer's Career Guide; John Sonmez; Unabridged Audiobook +* Staff Engineer: Leadership beyond the management track; Will Larson; Audiobook +* Ultralearning; Scott Young; Thorsons +* Deep Work; Cal Newport; Piatkus +* 101 Essays that change the way you think; Brianna Wiest; Audiobook +* The Software Engineer's Guidebook: Navigating senior, tech lead, and staff engineer positions at tech companies and startups; Gergely Orosz; Audiobook * The Good Enough Job; Simone Stolzoff; Ebury Edge -* Atomic Habits; James Clear; Random House Business +* So Good They Can't Ignore You; Cal Newport; Business Plus +* Digital Minimalism; Cal Newport; Portofolio Penguin * The Daily Stoic; Ryan Holiday, Stephen Hanselman; Profile Books +* The Off Switch; Mark Cropley; Virgin Books (RE-READ 1ST TIME) +* Buddah and Einstein walk into a Bar; Guy Joseph Ale, Claire Bloom; Blackstone Publishing * 97 Things Every Engineering Manager Should Know; Camille Fournier; Audiobook -* Never Split the Difference; Chris Voss, Tahl Raz; Random House Business -* Influence without Authority; A. Cohen, D. Bradford; Wiley -* Staff Engineer: Leadership beyond the management track; Will Larson; Audiobook -* Who Moved My Cheese?; Dr. Spencer Johnson; Vermilion -* Meditation for Mortals, Oliver Burkeman, Audiobook -* Consciousness: A Very Short Introduction; Susan Blackmore; Oxford Uiversity Press -* Ultralearning; Anna Laurent; Self-published via Amazon +* Time Management for System Administrators; Thomas A. 
Limoncelli; O'Reilly * The Courage to Be Disliked; Ichiro Kishimi and Fumitake Koga; Audiobook +* Meditation for Mortals, Oliver Burkeman, Audiobook +* The Bullet Journal Method; Ryder Carroll; Fourth Estate +* Psycho-Cybernetics; Maxwell Maltz; Perigee Books * Coders at Work - Reflections on the craft of programming, Peter Seibel and Mitchell Dorian et al., Audiobook -* Soft Skills; John Sommez; Manning Publications -* The Off Switch; Mark Cropley; Virgin Books (RE-READ 1ST TIME) -* Ultralearning; Scott Young; Thorsons +* Atomic Habits; James Clear; Random House Business * Stop starting, start finishing; Arne Roock; Lean-Kanban University -* The Joy of Missing Out; Christina Crook; New Society Publishers -* Solve for Happy; Mo Gawdat (RE-READ 1ST TIME) +* Never Split the Difference; Chris Voss, Tahl Raz; Random House Business +* Slow Productivity; Cal Newport; Penguin Random House +* The 7 Habits Of Highly Effective People; Stephen R. Covey; Simon & Schuster UK +* Ultralearning; Anna Laurent; Self-published via Amazon [Here are notes of mine for some of the books](../notes/index.md) 
@@ -146,29 +146,29 @@ In random order: Some of these were in-person with exams; others were online learning lectures only. In random order: -* Developing IaC with Terraform (with Live Lessons); O'Reilly Online * Scripting Vim; Damian Conway; O'Reilly Online -* Red Hat Certified System Administrator; Course + certification (Although I had the option, I decided not to take the next course as it is more effective to self learn what I need) -* Functional programming lecture; Remote University of Hagen -* Cloud Operations on AWS - Learn how to configure, deploy, maintain, and troubleshoot your AWS environments; 3-day online live training with labs; Amazon -* The Well-Grounded Rubyist Video Edition; David. A. Black; O'Reilly Online -* MySQL Deep Dive Workshop; 2-day on-site training * Ultimate Go Programming; Bill Kennedy; O'Reilly Online -* Algorithms Video Lectures; Robert Sedgewick; O'Reilly Online -* Protocol buffers; O'Reilly Online -* Structure and Interpretation of Computer Programs; Harold Abelson and more...; +* MySQL Deep Dive Workshop; 2-day on-site training * F5 Loadbalancers Training; 2-day on-site training; F5, Inc. 
-* Apache Tomcat Best Practises; 3-day on-site training -* AWS Immersion Day; Amazon; 1-day interactive online training * The Ultimate Kubernetes Bootcamp; School of Devops; O'Reilly Online +* Developing IaC with Terraform (with Live Lessons); O'Reilly Online +* Apache Tomcat Best Practises; 3-day on-site training +* Algorithms Video Lectures; Robert Sedgewick; O'Reilly Online +* Protocol buffers; O'Reilly Online * Linux Security and Isolation APIs Training; Michael Kerrisk; 3-day on-site training +* AWS Immersion Day; Amazon; 1-day interactive online training +* Structure and Interpretation of Computer Programs; Harold Abelson and more...; +* Red Hat Certified System Administrator; Course + certification (Although I had the option, I decided not to take the next course as it is more effective to self learn what I need) +* Functional programming lecture; Remote University of Hagen +* The Well-Grounded Rubyist Video Edition; David. A. Black; O'Reilly Online +* Cloud Operations on AWS - Learn how to configure, deploy, maintain, and troubleshoot your AWS environments; 3-day online live training with labs; Amazon ## Technical guides These are not whole books, but guides (smaller or larger) which I found very useful. in random order: -* Raku Guide at https://raku.guide * Advanced Bash-Scripting Guide +* Raku Guide at https://raku.guide * How CPUs work at https://cpu.land ## Podcasts 
@@ -178,57 +178,57 @@ These are not whole books, but guides (smaller or larger) which I found very use In random order: * Backend Banter -* BSD Now [BSD] -* Fork Around And Find Out -* Cup o' Go [Golang] -* Pratical AI -* The ProdCast (Google SRE Podcast) * The Pragmatic Engineer Podcast -* Modern Mentor +* Fallthrough [Golang] * Deep Questions with Cal Newport -* Hidden Brain * Maintainable +* Fork Around And Find Out +* The ProdCast (Google SRE Podcast) +* Modern Mentor * The Changelog Podcast(s) -* Fallthrough [Golang] -* Dev Interrupted +* Pratical AI +* Hidden Brain +* BSD Now [BSD] * Wednesday Wisdom +* Cup o' Go [Golang] +* Dev Interrupted ### Podcasts I liked I liked them but am not listening to them anymore. The podcasts have either "finished" (no more episodes) or I stopped listening to them due to time constraints or a shift in my interests. -* Ship It (predecessor of Fork Around And Find Out) * Modern Mentor -* FLOSS weekly * Go Time (predecessor of fallthrough) -* CRE: Chaosradio Express [german] +* FLOSS weekly * Java Pub House +* Ship It (predecessor of Fork Around And Find Out) +* CRE: Chaosradio Express [german] ## Newsletters I like This is a mix of tech and non-tech newsletters I am subscribed to. In random order: -* Ruby Weekly * Andreas Brandhorst Newsletter (Sci-Fi author) -* Golang Weekly +* VK Newsletter +* The Imperfectionist * Applied Go Weekly Newsletter * The Valuable Dev * Changelog News -* Register Spill -* The Imperfectionist -* Monospace Mentor +* Golang Weekly * byteSizeGo +* Monospace Mentor * The Pragmatic Engineer -* VK Newsletter +* Ruby Weekly +* Register Spill ## Magazines I like(d) This is a mix of tech I like(d). I may not be a current subscriber, but now and then, I buy an issue. In random order: -* LWN (online only) -* Linux User * freeX (not published anymore) * Linux Magazine +* LWN (online only) +* Linux User # Formal education 
diff --git a/gemfeed/2025-05-11-f3s-kubernetes-with-freebsd-part-5.md b/gemfeed/2025-05-11-f3s-kubernetes-with-freebsd-part-5.md index 5d76a8d9..a2c74a47 100644 --- a/gemfeed/2025-05-11-f3s-kubernetes-with-freebsd-part-5.md +++ b/gemfeed/2025-05-11-f3s-kubernetes-with-freebsd-part-5.md @@ -1,11 +1,13 @@ # f3s: Kubernetes with FreeBSD - Part 5: WireGuard mesh network -> Published at 2025-05-11T11:35:57+03:00 +> Published at 2025-05-11T11:35:57+03:00, last updated Sun 11 Jan 21:33:40 EET 2026 This is the fifth blog post about my f3s series for my self-hosting demands in my home lab. f3s? The "f" stands for FreeBSD, and the "3s" stands for k3s, the Kubernetes distribution I will use on FreeBSD-based physical machines. I will post a new entry every month or so (there are too many other side projects for more frequent updates — I bet you can understand). +> This post has been updated to include two roaming clients (`earth` - Fedora laptop, `pixel7pro` - Android phone) that connect to the mesh via the internet gateways. The updated content is integrated throughout the post. + These are all the posts so far: [2024-11-17 f3s: Kubernetes with FreeBSD - Part 1: Setting the stage](./2024-11-17-f3s-kubernetes-with-freebsd-part-1.md) 
@@ -44,32 +46,54 @@ Let's begin... * [⇢ ⇢ ⇢ Generating the `wg0.conf` files and keys](#generating-the-wg0conf-files-and-keys) * [⇢ ⇢ ⇢ Installing the `wg0.conf` files](#installing-the-wg0conf-files) * [⇢ ⇢ ⇢ Re-generating mesh and installing the `wg0.conf` files again](#re-generating-mesh-and-installing-the-wg0conf-files-again) +* [⇢ ⇢ ⇢ Setting up roaming clients](#setting-up-roaming-clients) * [⇢ ⇢ Happy WireGuard-ing](#happy-wireguard-ing) +* [⇢ ⇢ Managing Roaming Client Tunnels](#managing-roaming-client-tunnels) +* [⇢ ⇢ ⇢ Starting and stopping on earth (Fedora laptop)](#starting-and-stopping-on-earth-fedora-laptop) +* [⇢ ⇢ ⇢ Starting and stopping on pixel7pro (Android phone)](#starting-and-stopping-on-pixel7pro-android-phone) +* [⇢ ⇢ ⇢ Verifying connectivity](#verifying-connectivity) * [⇢ ⇢ Conclusion](#conclusion) ## Introduction -By default, traffic within my home LAN, including traffic inside a k3s cluster, is not encrypted. While it resides in the "secure" home LAN, adopting a zero-trust policy means encryption is still preferable to ensure confidentiality and security. So we decide to secure all the traffic of all f3s participating hosts by building a mesh network of all participating hosts: +By default, traffic within my home LAN, including traffic inside a k3s cluster, is not encrypted. While it resides in the "secure" home LAN, adopting a zero-trust policy means encryption is still preferable to ensure confidentiality and security. 
So we decide to secure all the traffic of all f3s participating hosts by building a mesh network: + +[![WireGuard mesh network topology](./f3s-kubernetes-with-freebsd-part-5/wireguard-full-mesh-with-roaming.svg "WireGuard mesh network topology")](./f3s-kubernetes-with-freebsd-part-5/wireguard-full-mesh-with-roaming.svg) + +The mesh network consists of eight infrastructure hosts and two roaming clients: + +Infrastructure hosts (full mesh): + +* `f0`, `f1`, and `f2` are the FreeBSD base hosts in my home LAN +* `r0`, `r1`, and `r2` are the Rocky Linux Bhyve VMs running on the FreeBSD hosts +* `blowfish` and `fishfinger` are two OpenBSD systems running on the internet (as mentioned in the first blog of this series—these systems are already built; in fact, this very blog is served by those OpenBSD systems) -[![Full mesh network](./f3s-kubernetes-with-freebsd-part-5/wireguard-full-mesh.svg "Full mesh network")](./f3s-kubernetes-with-freebsd-part-5/wireguard-full-mesh.svg) +oaming clients (gateway-only connections): -Whereas `f0`, `f1`, and `f2` are the FreeBSD base hosts, `r0`, `r1`, and `r2` are the Rocky Linux Bhyve VMs, and `blowfish` and `fishfinger` are two OpenBSD systems running on the internet (as mentioned in the first blog of this series—these systems are already built; in fact, this very blog is served by those OpenBSD systems). +* `earth` is my Fedora laptop (192.168.2.200) which connects only to the internet gateways for remote access +* `pixel7pro` is my Android phone (192.168.2.201) which routes all traffic through the VPN when activated -As we can see from the graph, it is a true full-mesh network, where every host has a VPN tunnel to every other host. The benefit is that we do not need to route traffic through intermediate hosts (significantly simplifying the routing configuration). However, the downside is that there is some overhead in configuring and managing all the tunnels. 
+As we can see from the diagram, the eight infrastructure hosts form a true full-mesh network, where every host has a VPN tunnel to every other host. The benefit is that we do not need to route traffic through intermediate hosts (significantly simplifying the routing configuration). However, the downside is that there is some overhead in configuring and managing all the tunnels. The roaming clients take a simpler approach—they only connect to the two internet-facing gateways (`blowfish` and `fishfinger`), which is sufficient for remote access and internet connectivity. For simplicity, we also establish VPN tunnels between `f0 <-> r0`, `f1 <-> r1`, and `f2 <-> r2`. Technically, this wouldn't be strictly required since the VMs `rN` are running on the hosts `fN`, and no network traffic is leaving the box. However, it simplifies the configuration as we don't have to account for exceptions, and we are going to automate the mesh network configuration anyway (read on). ### Expected traffic flow -The traffic is expected to flow between the host groups through the mesh network as follows: +The traffic is expected to flow between the host groups through the mesh network as follows: -* `fN <-> rN`: The traffic between the FreeBSD hosts and the Rocky Linux VMs will be routed through the VPN tunnels for persistent storage. In a later post in this series, we will set up an NFS server on the `fN` hosts. +nfrastructure mesh traffic: + +* `fN <-> rN`: The traffic between the FreeBSD hosts and the Rocky Linux VMs will be routed through the VPN tunnels for persistent storage. In a later post in this series, we will set up an NFS server on the `fN` hosts. * `fN <-> blowfish,fishfinger`: The traffic between the FreeBSD hosts and the OpenBSD host `blowfish,fishfinger` will be routed through the VPN tunnels for management. We may want to log in via the internet to set it up remotely. The VPN tunnel will also be used for monitoring purposes. 
* `rN <-> blowfish,fishfinger`: The traffic between the Rocky Linux VMs and the OpenBSD host `blowfish,fishfinger` will be routed through the VPN tunnels for usage traffic. Since k3s will be running on the `rN` hosts, the OpenBSD servers will route the traffic through `relayd` to the services running in Kubernetes. * `fN <-> fM`: The traffic between the FreeBSD hosts may be later used for data replication for the NFS storage. * `rN <-> rM`: The traffic between the Rocky Linux VMs will later be used by the k3s cluster itself, as every `rN` will be a Kubernetes worker node. * `blowfish <-> fishfinger`: The traffic between the OpenBSD hosts isn't strictly required for this setup, but I set it up anyway for future use cases. +oaming client traffic: + +* `earth,pixel7pro <-> blowfish,fishfinger`: The roaming clients connect exclusively to the two internet gateways. All traffic from these clients (0.0.0.0/0) is routed through the VPN, providing secure internet access and the ability to reach services running in the mesh (via the gateways). The gateways use NAT to allow roaming clients to access the internet using the gateway's public IP address. The roaming clients cannot be reached by the LAN hosts—they are client-only and initiate all connections. + We won't cover all the details in this blog post, as we only focus on setting up the Mesh network in this blog post. Subsequent posts in this series will cover the other details. ## Deciding on WireGuard 
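Review bot: The new sentence "The roaming clients cannot be reached by the LAN hosts—they are client-only and initiate all connections" states an intent rather than something WireGuard enforces on its own: the same bullet says the gateways NAT the clients' traffic to the internet, so `blowfish`/`fishfinger` must forward on `wg0`, and a forwarding gateway can just as well forward a mesh peer's packets to 192.168.2.200/32 or .201/32 unless the mesh hosts' `AllowedIPs` for the gateways exclude those addresses and/or a pf rule on the gateways drops it. I would say what actually provides the isolation, e.g. `The LAN hosts do not include 192.168.2.200/201 in their AllowedIPs for the gateways, and the gateways' pf rules do not forward mesh traffic to the roaming /32s, so the roaming clients are only reachable from the gateways themselves` — adjusted to whatever the real configuration is. Since the clients tunnel 0.0.0.0/0, their DNS queries also leave via the gateway; a sentence on which resolver the roaming `wg0.conf` files set would round this section out.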
@@ -240,9 +264,30 @@ blowfish$ cat < sudo dnf install qrencode +> qrencode -t ansiutf8 < dist/pixel7pro/etc/wireguard/wg0.conf +``` + +Scan the QR code with the WireGuard app to import the configuration. The phone will then route all traffic through the VPN when the tunnel is activated. Note that WireGuard does not support automatic failover between the two gateways (`blowfish` and `fishfinger`)—if one fails, manual disconnection and reconnection is required to switch to the other. + +Fedora laptop (`earth`): + +For the laptop, manually copy the generated configuration: + +```sh +> sudo cp dist/earth/etc/wireguard/wg0.conf /etc/wireguard/ +> sudo chmod 600 /etc/wireguard/wg0.conf +> sudo systemctl start wg-quick@wg0.service # Start manually +> sudo systemctl disable wg-quick@wg0.service # Prevent auto-start +``` + +The service is disabled from auto-start so the VPN is only active when manually started. This allows selective VPN usage based on need. + ## Happy WireGuard-ing All is set up now. E.g. on `f0`: 
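Review bot: The laptop install does `sudo cp` first and `sudo chmod 600` second, so unless `/etc/wireguard` is itself mode 700 there is a window in which `/etc/wireguard/wg0.conf` — which holds `earth`'s private key and the preshared keys — carries whatever mode the `dist/` copy had; `sudo install -m 600 -o root -g root dist/earth/etc/wireguard/wg0.conf /etc/wireguard/wg0.conf` does the copy and the mode in one step. After the install the same key material still sits in `dist/earth/` and `dist/pixel7pro/` under the working directory, and the `qrencode -t ansiutf8` step paints the phone's private key into the terminal scrollback, so I would add a sentence telling the reader to delete the `dist/` copies and clear the terminal once the phone has imported the tunnel. The beginning of this hunk is cut off in this rendering, so I cannot see the lines that precede the `qrencode` install.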
@@ -923,6 +1034,105 @@ peer: 2htXdNcxzpI2FdPDJy4T4VGtm1wpMEQu1AkQHjNY6F8= allowed ips: 192.168.2.131/32 ``` +## Managing Roaming Client Tunnels + +Since roaming clients like `earth` and `pixel7pro` connect on-demand rather than being always-on like the infrastructure hosts, it's useful to know how to start and stop the WireGuard tunnels. + +### Starting and stopping on earth (Fedora laptop) + +On the Fedora laptop, WireGuard is managed via systemd. Starting the tunnel: + +```sh +earth$ sudo systemctl start wg-quick@wg0.service +earth$ sudo wg show +interface: wg0 + public key: Mc1CpSS3rbLN9A2w9c75XugQyXUkGPHKI2iCGbh8DRo= + private key: (hidden) + listening port: 56709 + fwmark: 0xca6c + +peer: 8PvGZH1NohHpZPVJyjhctBX9xblsNvYBhpg68FsFcns= + preshared key: (hidden) + endpoint: 46.23.94.99:56709 + allowed ips: 0.0.0.0/0, ::/0 + latest handshake: 5 seconds ago + transfer: 15.89 KiB received, 32.15 KiB sent + persistent keepalive: every 25 seconds + +peer: Xow+d3qVXgUMk4pcRSQ6Fe+vhYBa3VDyHX/4jrGoKns= + preshared key: (hidden) + endpoint: 23.88.35.144:56709 + allowed ips: (none) + latest handshake: 5 seconds ago + transfer: 124 B received, 180 B sent + persistent keepalive: every 25 seconds +``` + +Stoppint the tunnel: + +```sh +earth$ sudo systemctl stop wg-quick@wg0.service +earth$ sudo wg show +# No output - WireGuard interface is down +``` + +Checking the tunnel status: + +```sh +earth$ sudo systemctl status wg-quick@wg0.service +● wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0 + Loaded: loaded (/usr/lib/systemd/system/wg-quick@.service; disabled) + Active: active (exited) since Sun 2026-01-11 22:45:00 EET +``` + +The service remains `disabled` to prevent auto-start on boot, allowing manual control of when the VPN is active. + +### Starting and stopping on pixel7pro (Android phone) + +On Android using the official WireGuard app, tunnel management is like this: + +Starting the tunnel: + +* 1. Open the WireGuard app +* 2. 
Tap the toggle switch next to the `pixel7pro` tunnel configuration +* 3. The switch turns blue/green and shows "Active" +* 4. A key icon appears in the notification bar indicating VPN is active +* 5. All traffic now routes through the VPN + +Stopping the tunnel: + +* 1. Open the WireGuard app +* 2. Tap the toggle switch again to disable it +* 3. The switch turns gray and shows "Inactive" +* 4. The notification bar key icon disappears +* 5. Normal internet routing resumes + +Quick toggling from notification: + +* Pull down the notification shade +* Tap the WireGuard notification to quickly enable/disable the tunnel without opening the app + +The WireGuard Android app supports automatically activating tunnels based on: + +* Mobile data connection (e.g., enable VPN when on cellular) +* WiFi SSID (e.g., disable VPN when on trusted home network) +* Ethernet connection status + +These settings can be configured by tapping the pencil icon next to the tunnel name, then scrolling to "Toggle on/off based on" options. + +### Verifying connectivity + +Once the tunnel is active on either device, verify connectivity: + +```sh +# From earth laptop: +earth$ ping -c2 blowfish.wg0 +earth$ ping -c2 fishfinger.wg0 +earth$ curl https://ifconfig.me # Should show gateway's public IP +``` + +Check which gateway is active: The device will typically prefer one gateway (usually the first one with a successful handshake). To see which gateway is actively routing traffic, check the transfer statistics with `sudo wg show` on earth, or observe which gateway shows recent handshakes and increasing transfer bytes. + ## Conclusion Having a mesh network on our hosts is great for securing all the traffic between them for our future k3s setup. A self-managed WireGuard mesh network is better than Tailscale as it eliminates reliance on a third party and provides full control over the configuration. 
It reduces unnecessary abstraction and "magic," enabling easier debugging and ensuring full ownership of our network. diff --git a/gemfeed/f3s-kubernetes-with-freebsd-part-5/wireguard-full-mesh-with-roaming.svg b/gemfeed/f3s-kubernetes-with-freebsd-part-5/wireguard-full-mesh-with-roaming.svg new file mode 100644 index 00000000..24c8ec9a --- /dev/null +++ b/gemfeed/f3s-kubernetes-with-freebsd-part-5/wireguard-full-mesh-with-roaming.svg @@ -0,0 +1,2183 @@ + + + + + + + + 2026-01-11T22:19:21.305547 + image/svg+xml + + + Matplotlib v3.10.8, https://matplotlib.org/ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/gemfeed/f3s-kubernetes-with-freebsd-part-5/wireguard-full-mesh.svg b/gemfeed/f3s-kubernetes-with-freebsd-part-5/wireguard-full-mesh.svg deleted file mode 100644 index f2f4f359..00000000 
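Review bot: The "Check which gateway is active" paragraph says the device "will typically prefer one gateway (usually the first one with a successful handshake)", but the `wg show` output earlier in this hunk shows that selection is not handshake-driven: the peer at 46.23.94.99 holds `allowed ips: 0.0.0.0/0, ::/0` while the peer at 23.88.35.144 shows `allowed ips: (none)`, which is what WireGuard's cryptokey routing does when two peers are configured with the same prefix — the peer configured last takes it and the other loses it. All traffic therefore always goes to the peer that owns 0.0.0.0/0, the other peer's handshakes appear to be keepalive-only (124 B received, 180 B sent), and the "manual disconnection and reconnection" failover described in the QR-code section will reconnect to the same gateway unless the config is edited. I would replace the paragraph with: `Only one peer can own 0.0.0.0/0 in WireGuard's cryptokey routing table; the other shows allowed ips: (none) in wg show and carries no traffic. To fail over, move AllowedIPs = 0.0.0.0/0, ::/0 to the other gateway's [Peer] block in wg0.conf (or run wg set wg0 peer <pubkey> allowed-ips 0.0.0.0/0,::/0) and restart the tunnel.` Also `Stoppint the tunnel:` is a typo for `Stopping`.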
--- a/gemfeed/f3s-kubernetes-with-freebsd-part-5/wireguard-full-mesh.svg +++ /dev/null @@ -1,772 +0,0 @@ - - - - - - - - 2025-05-04T06:41:23.234045 - image/svg+xml - - - Matplotlib v3.6.3, https://matplotlib.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/index.md b/index.md index f7158c49..322d6732 100644 --- a/index.md +++ b/index.md @@ -1,6 +1,6 @@ # Hello! -> This site was generated at 2026-01-11T10:46:34+02:00 by `Gemtexter` +> This site was generated at 2026-01-11T22:40:26+02:00 by `Gemtexter` Welcome to the foo.zone! diff --git a/uptime-stats.md b/uptime-stats.md index d9200242..9d64b03a 100644 --- a/uptime-stats.md +++ b/uptime-stats.md @@ -1,6 +1,6 @@ # My machine uptime stats -> This site was last updated at 2026-01-11T10:46:34+02:00 +> This site was last updated at 2026-01-11T22:40:26+02:00 The following stats were collected via `uptimed` on all of my personal computers over many years and the output was generated by `guprecords`, the global uptime records stats analyser of mine. -- cgit v1.2.3