From cfd592b9de5d172c8b73d56f436d384f4bf39df1 Mon Sep 17 00:00:00 2001 From: Paul Buetow Date: Mon, 5 May 2025 22:21:45 +0300 Subject: Update content for html --- ...4-11-17-f3s-kubernetes-with-freebsd-part-1.html | 8 +- ...4-12-03-f3s-kubernetes-with-freebsd-part-2.html | 6 +- gemfeed/DRAFT-kubernetes-with-freebsd-part-5.html | 40 +- gemfeed/atom.xml | 16 +- .../wireguard-full-mesh.svg | 772 +++++++++++++++++++++ 5 files changed, 820 insertions(+), 22 deletions(-) create mode 100644 gemfeed/f3s-kubernetes-with-freebsd-part-5/wireguard-full-mesh.svg (limited to 'gemfeed') diff --git a/gemfeed/2024-11-17-f3s-kubernetes-with-freebsd-part-1.html b/gemfeed/2024-11-17-f3s-kubernetes-with-freebsd-part-1.html index 8382e37b..056a9891 100644 --- a/gemfeed/2024-11-17-f3s-kubernetes-with-freebsd-part-1.html +++ b/gemfeed/2024-11-17-f3s-kubernetes-with-freebsd-part-1.html @@ -21,10 +21,10 @@
These are all the posts so far:

-2025-04-05 f3s: Kubernetes with FreeBSD - Part 4: Rocky Linux Bhyve VMs
-2025-02-01 f3s: Kubernetes with FreeBSD - Part 3: Protecting from power cuts
-2024-12-03 f3s: Kubernetes with FreeBSD - Part 2: Hardware and base installation
2024-11-17 f3s: Kubernetes with FreeBSD - Part 1: Setting the stage (You are currently reading this)
+2024-12-03 f3s: Kubernetes with FreeBSD - Part 2: Hardware and base installation
+2025-02-01 f3s: Kubernetes with FreeBSD - Part 3: Protecting from power cuts
+2025-04-05 f3s: Kubernetes with FreeBSD - Part 4: Rocky Linux Bhyve VMs

f3s logo

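Review bot: this post list is hand-edited in five places in the same commit (part-1, part-2, the part-5 draft and the two copies in atom.xml), each time with the same reorder from newest-first to chronological; the reorder itself is fine, but consider generating the list from a single source (a shared include or the feed generator) so the copies cannot drift the next time a part is added.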
@@ -52,7 +52,7 @@

Why this setup?



-My previous setup was great for learning Terraform and AWS, but it is too expensive. Costs are under control there, but only because I am shutting down all containers after use (so they are offline ninety percent of the time and still cost around $20 monthly). With the new setup, I could run all containers 24/7 at home, which would still be cheaper in terms of electricity consumption. I have a 50 MBit/s uplink (I could have more if I wanted, but it is plenty for my use case already).
+My previous setup was great for learning Terraform and AWS, but it is too expensive. Costs are under control there, but only because I am shutting down all containers after use (so they are offline ninety percent of the time and still cost around $20 monthly). With the new setup, I could run all containers 24/7 at home, which would still be cheaper in terms of electricity consumption. I have a 400 MBit/s uplink (I could have more if I wanted, but it is more than plenty for my use case already).

From babylon5.buetow.org to .cloud

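Review bot: this hunk silently changes a factual statement in a post dated 2024-11-17 (uplink 50 MBit/s becomes 400 MBit/s) with no marker in the text; for a published article, prefer an inline "Update 2025-05:" note so readers and the feed history can tell the original claim from the later correction. The wording "it is more than plenty" also reads awkwardly; "it is already more than enough for my use case" would be cleaner.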
diff --git a/gemfeed/2024-12-03-f3s-kubernetes-with-freebsd-part-2.html b/gemfeed/2024-12-03-f3s-kubernetes-with-freebsd-part-2.html index 361ab8ec..b7ff9e38 100644 --- a/gemfeed/2024-12-03-f3s-kubernetes-with-freebsd-part-2.html +++ b/gemfeed/2024-12-03-f3s-kubernetes-with-freebsd-part-2.html @@ -21,10 +21,10 @@
These are all the posts so far:

-2025-04-05 f3s: Kubernetes with FreeBSD - Part 4: Rocky Linux Bhyve VMs
-2025-02-01 f3s: Kubernetes with FreeBSD - Part 3: Protecting from power cuts
-2024-12-03 f3s: Kubernetes with FreeBSD - Part 2: Hardware and base installation (You are currently reading this)
2024-11-17 f3s: Kubernetes with FreeBSD - Part 1: Setting the stage
+2024-12-03 f3s: Kubernetes with FreeBSD - Part 2: Hardware and base installation (You are currently reading this)
+2025-02-01 f3s: Kubernetes with FreeBSD - Part 3: Protecting from power cuts
+2025-04-05 f3s: Kubernetes with FreeBSD - Part 4: Rocky Linux Bhyve VMs

f3s logo

diff --git a/gemfeed/DRAFT-kubernetes-with-freebsd-part-5.html b/gemfeed/DRAFT-kubernetes-with-freebsd-part-5.html index b661c125..df837a01 100644 --- a/gemfeed/DRAFT-kubernetes-with-freebsd-part-5.html +++ b/gemfeed/DRAFT-kubernetes-with-freebsd-part-5.html @@ -15,14 +15,14 @@
This is the fith blog post about my f3s series for my self-hosting demands in my home lab. f3s? The "f" stands for FreeBSD, and the "3s" stands for k3s, the Kubernetes distribution I will use on FreeBSD-based physical machines.

-I will post a new entry every month or so (there are too many other side projects for more frequent updates—I bet you can understand).
+I will post a new entry every month or so (there are too many other side projects for more frequent updates — I bet you can understand).

These are all the posts so far:

-2025-04-05 f3s: Kubernetes with FreeBSD - Part 4: Rocky Linux Bhyve VMs
-2025-02-01 f3s: Kubernetes with FreeBSD - Part 3: Protecting from power cuts
-2024-12-03 f3s: Kubernetes with FreeBSD - Part 2: Hardware and base installation
2024-11-17 f3s: Kubernetes with FreeBSD - Part 1: Setting the stage
+2024-12-03 f3s: Kubernetes with FreeBSD - Part 2: Hardware and base installation
+2025-02-01 f3s: Kubernetes with FreeBSD - Part 3: Protecting from power cuts
+2025-04-05 f3s: Kubernetes with FreeBSD - Part 4: Rocky Linux Bhyve VMs

f3s logo

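Review bot: the unchanged context line above still reads "fith blog post"; since this paragraph is being touched anyway, fix it to "fifth". Separately, the change from "updates—I" to "updates — I" introduces a spaced em dash, while the new paragraph in the next hunk of the same draft keeps the unspaced form ("series—these"); pick one convention for the file.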
@@ -34,13 +34,39 @@

-

TODO


+

Introduction


+
+By default, traffic within my home LAN, including traffic inside a k3s cluster, is not encrypted. While it resides in the "secure" home LAN, adopting a zero-trust policy means encryption is still preferable to ensure confidentiality and security. So we decide to secure all the traffic of all f3s participating hosts by building a mesh network of all participating hosts as shown in this graph:
+
+Full Mesh network
+
+Whereas f0, f1, and f2 are the FreeBSD base hosts, r0, r1, and r2 are the Rocky Linux Bhyve VMs, and blowfish and fishfinger are two OpenBSD systems running on the internet (as mentioned in the first blog of this series—these systems are already built; in fact, this very blog is served by those OpenBSD systems).
+
+As we can see from the graph, it is a true full-mesh network, where every host has a VPN tunnel to every other host. The benefit is that we do not need to route traffic through intermediate hosts (significantly simplifying the routing configuration). However, the downside is that there is some overhead in configuring and managing all the tunnels.
+
+For simplicity, we also establish VPN tunnels between f0 <-> r0, f1 <-> r1, and f2 <-> r2. Technically, this wouldn't be strictly required since the VMs rN are running on the hosts fN, and there is no network traffic leaving the box. However, it simplifies the configuration as we don't have to account for exceptions, and we are going to automate the mesh network configuration anyway (read on).
+
+

Deciding on WireGuard


+
+I have decided on using WireGuard as the VPN technology for this purpose.
+
+WireGuard is a lightweight, modern, and secure VPN protocol designed for simplicity, speed, and strong cryptography. It is an excellent choice due to its minimal codebase, ease of configuration, high performance, and robust security, utilizing state-of-the-art encryption standards. WireGuard is supported on various operating systems, and its implementations are compatible with each other. Therefore, establishing WireGuard VPN tunnels between FreeBSD, Linux, and OpenBSD is seamless. This cross-platform availability makes it suitable for setups like the one described in this blog series.
+
+We could have used Tailscale for an easy to setup and manage a WireGuard network, but the benefits of creating our own mesh network are:


+https://en.wikipedia.org/wiki/WireGuard
+https://www.wireguard.com/
+https://tailscale.com/
+

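Review bot: the final added paragraph ends with "the benefits of creating our own mesh network are:" but nothing follows before the link block, so the sentence dangles; either add the bullet list or turn the sentence into a statement. The phrase "for an easy to setup and manage a WireGuard network" is also ungrammatical ("for a WireGuard network that is easy to set up and manage"). Since the introduction justifies encrypting LAN traffic under a zero-trust stance, the section should say up front that WireGuard authenticates peers by static public keys that are exchanged out of band, so the automation promised with "read on" has to cover how those keys are distributed and rotated across f0-f2, r0-r2, blowfish and fishfinger, not only how the 28 tunnel definitions of the full mesh are generated. The note that the fN <-> rN tunnels are "not strictly required" because traffic never leaves the box is also worth qualifying: host-to-VM traffic still crosses the bhyve bridge, so encrypting it uniformly is the safer default, which is the conclusion the paragraph reaches anyway.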
diff --git a/gemfeed/atom.xml b/gemfeed/atom.xml index cb0d2f7c..890a69c2 100644 --- a/gemfeed/atom.xml +++ b/gemfeed/atom.xml @@ -1,6 +1,6 @@ - 2025-05-02T00:26:00+03:00 + 2025-05-05T22:21:05+03:00 foo.zone feed To be in the .zone! @@ -2953,10 +2953,10 @@ http://www.gnu.org/software/src-highlite -->
These are all the posts so far:

-2025-04-05 f3s: Kubernetes with FreeBSD - Part 4: Rocky Linux Bhyve VMs
-2025-02-01 f3s: Kubernetes with FreeBSD - Part 3: Protecting from power cuts
-2024-12-03 f3s: Kubernetes with FreeBSD - Part 2: Hardware and base installation (You are currently reading this)
2024-11-17 f3s: Kubernetes with FreeBSD - Part 1: Setting the stage
+2024-12-03 f3s: Kubernetes with FreeBSD - Part 2: Hardware and base installation (You are currently reading this)
+2025-02-01 f3s: Kubernetes with FreeBSD - Part 3: Protecting from power cuts
+2025-04-05 f3s: Kubernetes with FreeBSD - Part 4: Rocky Linux Bhyve VMs

f3s logo

@@ -3325,10 +3325,10 @@ dev.cpu.0.freq: 2922
These are all the posts so far:

-2025-04-05 f3s: Kubernetes with FreeBSD - Part 4: Rocky Linux Bhyve VMs
-2025-02-01 f3s: Kubernetes with FreeBSD - Part 3: Protecting from power cuts
-2024-12-03 f3s: Kubernetes with FreeBSD - Part 2: Hardware and base installation
2024-11-17 f3s: Kubernetes with FreeBSD - Part 1: Setting the stage (You are currently reading this)
+2024-12-03 f3s: Kubernetes with FreeBSD - Part 2: Hardware and base installation
+2025-02-01 f3s: Kubernetes with FreeBSD - Part 3: Protecting from power cuts
+2025-04-05 f3s: Kubernetes with FreeBSD - Part 4: Rocky Linux Bhyve VMs

f3s logo

@@ -3356,7 +3356,7 @@ dev.cpu.0.freq: 2922

Why this setup?



-My previous setup was great for learning Terraform and AWS, but it is too expensive. Costs are under control there, but only because I am shutting down all containers after use (so they are offline ninety percent of the time and still cost around $20 monthly). With the new setup, I could run all containers 24/7 at home, which would still be cheaper in terms of electricity consumption. I have a 50 MBit/s uplink (I could have more if I wanted, but it is plenty for my use case already).
+My previous setup was great for learning Terraform and AWS, but it is too expensive. Costs are under control there, but only because I am shutting down all containers after use (so they are offline ninety percent of the time and still cost around $20 monthly). With the new setup, I could run all containers 24/7 at home, which would still be cheaper in terms of electricity consumption. I have a 400 MBit/s uplink (I could have more if I wanted, but it is more than plenty for my use case already).

From babylon5.buetow.org to .cloud

diff --git a/gemfeed/f3s-kubernetes-with-freebsd-part-5/wireguard-full-mesh.svg b/gemfeed/f3s-kubernetes-with-freebsd-part-5/wireguard-full-mesh.svg new file mode 100644 index 00000000..f2f4f359 --- /dev/null +++ b/gemfeed/f3s-kubernetes-with-freebsd-part-5/wireguard-full-mesh.svg @@ -0,0 +1,772 @@ + + + + + + + + 2025-05-04T06:41:23.234045 + image/svg+xml + + + Matplotlib v3.6.3, https://matplotlib.org/ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + -- cgit v1.2.3
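Review bot: the new wireguard-full-mesh.svg ships Matplotlib's generator metadata, visible in the hunk as the creation timestamp (2025-05-04T06:41:23) and the creator tag "Matplotlib v3.6.3"; strip that metadata block (and ideally minify the 772-line file) before publishing, both to keep the asset small and to avoid leaking local tooling details into a public feed.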