From 72f2418b562a2f99a9e9698971837b9c6023478b Mon Sep 17 00:00:00 2001
From: Thiago Almeida
Date: Wed, 27 Nov 2024 00:55:29 +0100
Subject: [PATCH] feat(vpn-gateway): switch from openvpn to wireguard

---
 .../vpn-gateway/gateway/app/helmrelease.yaml | 12 +++--
 .../gateway/app/networkpolicy.yaml | 5 +-
 .../vpn-gateway/gateway/app/secret.sops.yaml | 49 ++++++++++---------
 3 files changed, 34 insertions(+), 32 deletions(-)

diff --git a/kubernetes/apps/vpn-gateway/gateway/app/helmrelease.yaml b/kubernetes/apps/vpn-gateway/gateway/app/helmrelease.yaml
index 5c8e3110..d6c9447f 100644
--- a/kubernetes/apps/vpn-gateway/gateway/app/helmrelease.yaml
+++ b/kubernetes/apps/vpn-gateway/gateway/app/helmrelease.yaml
@@ -36,7 +36,6 @@ spec:
           image:
             repository: docker.io/qmcgaw/gluetun
             tag: v3.39.1@sha256:6a8058e626763cbf735ac2f78c774dbb24fec2490bd9d9f7d67e22592cb4a991
-          envFrom:
             - secretRef:
                 name: vpn-gateway-pod-gateway
@@ -49,7 +48,7 @@ spec:
             cpu: 100m
             memory: 40Mi
           limits:
-            cpu: 150m
+            cpu: 100m
             memory: 100Mi
         networkPolicy:
           enabled: false
@@ -60,10 +59,13 @@ spec:
       - media
     settings:
       NOT_ROUTED_TO_GATEWAY_CIDRS: "10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
-      VPN_BLOCK_OTHER_TRAFFIC: true
-      VPN_INTERFACE: "tun0"
+      VPN_BLOCK_OTHER_TRAFFIC: false
+      # 51820 is for wireguard
+      VPN_TRAFFIC_PORT: 51820
+      # 1194 is for openvpn
+      # VPN_TRAFFIC_PORT: 1194
+      VPN_INTERFACE: "wg0"
       VPN_LOCAL_CIDRS: "10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
-      VPN_TRAFFIC_PORT: "1194"
       VXLAN_PORT: 4789
     webhook:
       image:
diff --git a/kubernetes/apps/vpn-gateway/gateway/app/networkpolicy.yaml b/kubernetes/apps/vpn-gateway/gateway/app/networkpolicy.yaml
index c3c5370a..95af86b9 100644
--- a/kubernetes/apps/vpn-gateway/gateway/app/networkpolicy.yaml
+++ b/kubernetes/apps/vpn-gateway/gateway/app/networkpolicy.yaml
@@ -15,11 +15,8 @@ spec:
     - toCIDR:
         - 0.0.0.0/0
       toPorts:
-        # - ports:
-        #     - port: "443"
-        #       protocol: TCP
         - ports:
-            - port: "1194"
+            - port: "51820"
               protocol: UDP
     - toEntities:
         - cluster
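Review bot: In the first helmrelease.yaml hunk only the `envFrom:` line is deleted while `- secretRef:` / `name: vpn-gateway-pod-gateway` are kept, so as shown the two remaining lines have no parent key: either the HelmRelease now fails to render, or, if they were re-parented somewhere outside this view, the gluetun container no longer loads `vpn-gateway-pod-gateway` and receives none of the values this commit adds to secret.sops.yaml (`VPN_TYPE`, `WIREGUARD_PRIVATE_KEY`, `WIREGUARD_DNS`). If the secret is now injected another way, the hunk should show it or the commit message should say so; otherwise either keep `envFrom:` or remove all three lines together. The enclosing container spec starts and ends outside the hunk.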
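Review bot: In the third helmrelease.yaml hunk `VPN_BLOCK_OTHER_TRAFFIC` flips from `true` to `false`, a security-relevant change that the OpenVPN-to-WireGuard switch in the subject line does not require and the commit does not explain. As pod-gateway documents it, that setting is the gateway-side kill switch that drops anything not leaving via the VPN interface (except `VPN_LOCAL_CIDRS` and `VPN_TRAFFIC_PORT`), so with it off a tunnel outage or gluetun restart can let traffic from the routed namespace (`media`) leave through the node's default route, leaving the CiliumNetworkPolicy in networkpolicy.yaml as the only guard. Since the hunk already sets `VPN_TRAFFIC_PORT: 51820` to let the WireGuard handshake through, `VPN_BLOCK_OTHER_TRAFFIC: true` should be restored, or the reason recorded inline, e.g. `# kill switch disabled because <reason — TODO fill in>`. The commented-out `# 1194 is for openvpn` / `# VPN_TRAFFIC_PORT: 1194` lines are dead config that git history already preserves and should be dropped, and keeping the port quoted as it was (`VPN_TRAFFIC_PORT: "51820"`) makes it match `port: "51820"` in the network policy.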
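Review bot: The `port: "51820"` literal in the networkpolicy.yaml hunk must stay in lock-step with `VPN_TRAFFIC_PORT` in helmrelease.yaml and nothing ties the two together; add `# must match settings.VPN_TRAFFIC_PORT in helmrelease.yaml` above the `- ports:` entry so the next port change updates both. Because the same commit turns the gateway kill switch off, this egress rule (UDP 51820 to `0.0.0.0/0` plus `toEntities: cluster`) is now what prevents cleartext egress from the gateway pod, and that is worth stating in the policy as well. The enclosing egress list starts and ends outside the hunk.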
diff --git a/kubernetes/apps/vpn-gateway/gateway/app/secret.sops.yaml b/kubernetes/apps/vpn-gateway/gateway/app/secret.sops.yaml
index d802f052..1c1704fe 100644
--- a/kubernetes/apps/vpn-gateway/gateway/app/secret.sops.yaml
+++ b/kubernetes/apps/vpn-gateway/gateway/app/secret.sops.yaml
@@ -4,22 +4,25 @@ metadata:
   name: vpn-gateway-pod-gateway
   namespace: vpn-gateway
 stringData:
-  #ENC[AES256_GCM,data:5VFXKxnw/q7JK9YS8Cj8nA==,iv:FJUXcsJr8RsoEtw8Nk3aVzPHmJqeK7DtuvZrulf8yrI=,tag:37NE6etcm99LeDQIVh1u/g==,type:comment]
-  VPN_SERVICE_PROVIDER: ENC[AES256_GCM,data:1NDHCZfQwQ==,iv:elyfMMYD2Bctf0xgLHGQnAJGnKZdKy3CRAQ6yMzU6I4=,tag:tTBy1lkOYhZ8gXNBs2nt5w==,type:str]
-  OPENVPN_USER: ENC[AES256_GCM,data:tpvt2k2UJ+M1NAklrF0UTAeK9Z7kgKS1,iv:bDiTU7tXIK9k6bslmPZFZVARPPAuqdLcEGK3+eBVfTY=,tag:sevVKtUzwo0DgJOo5gxfHw==,type:str]
-  OPENVPN_PASSWORD: ENC[AES256_GCM,data:bH9OIvwI+3SMnYHY7qwHwPMEifQce/Y2,iv:Fag9Gc2LoazB91yjES4ypVB3g17WXrcUoqBfu/3KTQk=,tag:kFWcBu4H3JApSGVatZT+6A==,type:str]
-  SERVER_COUNTRIES: ENC[AES256_GCM,data:oyZUy/wH,iv:q/VULXV2PMVRbfGap22bgZsQth2IC653X5ZZHfeVmc0=,tag:Z3Dl1jcci3dxC3F4ruxZpQ==,type:str]
-  SERVER_CATEGORIES: ENC[AES256_GCM,data:BjNK,iv:ntZXVdqB5jn5Ry+VgR8a00JrJ110wY4rNhkVH08EXLE=,tag:BRL6Nl+p2KAAuMpJMOl7vA==,type:str]
-  VPN_INTERFACE: ENC[AES256_GCM,data:mBr96Q==,iv:h2/pCbKymTHd7BDZniDQdFWb2NkyMHmhYdei6qJdsRg=,tag:Qrp6b1yUKVz4iVUear59CA==,type:str]
-  #ENC[AES256_GCM,data:zWHtsN8M6uLA,iv:VYOvQMnJXTc4qzEIJOWtzPKZ8JpcKAniS/iNBIkEuJQ=,tag:mMmpkTMMvfEV1ePJvzPWEw==,type:comment]
-  FIREWALL_ENABLED_DISABLING_IT_SHOOTS_YOU_IN_YOUR_FOOT: ENC[AES256_GCM,data:iL9q,iv:D27dYOU6YYSewcBAc3PbFj4EJaR2g76yuaTHFvqoJT0=,tag:f0ot/D1OSyy1LybOaW7v6Q==,type:str]
-  FIREWALL_DEBUG: ENC[AES256_GCM,data:pnM=,iv:AR3mLavCb3dl+cg90mj1oh9xOulUEdp7P6t6ro3mBTk=,tag:91o5WVOU87xRPFEHrJqi9w==,type:str]
-  #ENC[AES256_GCM,data:IxdurA==,iv:IZbhb/NoB/bjj8vfSuroWpEX6nDWm0P9VatZTUqcR8M=,tag:BXXcbBOEQ/eT8c91yO1ImQ==,type:comment]
-  BLOCK_MALICIOUS: ENC[AES256_GCM,data:walS,iv:14oHbLGuhyRZZLYd9Ua5mY3Tw0sUcOGYDeV4EgSv+4w=,tag:qu9IVE007cg5ZmoISQL/5w==,type:str]
-  DOT: ENC[AES256_GCM,data:3pzX,iv:lE69Dwaods/ucF1Mrs2OKG3im+euIYkixR+B7ggT3o8=,tag:Ccuvc1rd39wtXgyZAnXpAQ==,type:str]
-  #ENC[AES256_GCM,data:6dAvqa/huZUlnKmCEwLv01YoDkU=,iv:O87dI8JGt6qEhAO8wFCG4c2C1IGHRJrGJfEl/15ap3g=,tag:7c9frBIvxyZS/JyiHg7uWQ==,type:comment]
-  DNS_ADDRESS: ENC[AES256_GCM,data:eObZXyNQY4HTYdcSOQ==,iv:WwG2auzVBB6xfY9pQalIKfWtCTfkofHq0R3BFMjD7Hc=,tag:br+ZrpvP8wdK7ClWb3/jJA==,type:str]
-  DNS_UPDATE_PERIOD: ENC[AES256_GCM,data:sVXQ,iv:R8HAIAxkKQkzKTq6euCyHBgn6RpEGb654/I7WaQa4fE=,tag:JNPmyiBQTb/JfECY79/JGw==,type:str]
+  #ENC[AES256_GCM,data:+kfM87645s/j2WpJcTbbfGHw,iv:h0GPqIvlcAxHJrMkm1mYzOz/QlP79rZF7vHydRW+vDE=,tag:FqFWgRWoJXXTbYBjfc/uYQ==,type:comment]
+  #ENC[AES256_GCM,data:DT4dWnqnkt2wNgMWj/8oxAMIuxRNf9PaMUtaC/Eh,iv:a5EZpogFwTtA1dmbPtTmRKXUPjpz49BBsSfSaDQtUDY=,tag:IRGhPMZ1Tdx8KZwtCHqGEw==,type:comment]
+  #ENC[AES256_GCM,data:oAc25tdTpXJzYGDzA/6SyGxZF40txapUZunbtF4P6dneFRpYpL/4,iv:67mlHMuFlF2aZ/utAI4tyrrsN75Kzv6HQLRViyxM2/Y=,tag:9Mw+/s3/vCmYHEVjn9+aGA==,type:comment]
+  #ENC[AES256_GCM,data:FmPYZrh4yN2Q3YyxscxQTUdcgDuDqs9/D3hCsL1CJcAIA1xskT9vxB/5uA==,iv:mBuxauE3XfkyicuhIFO3opIS0tY/h1AEyrH4qg0cP+g=,tag:q8WzLnNJK/s83YQGfOa4QQ==,type:comment]
+  SERVER_COUNTRIES: ENC[AES256_GCM,data:Gb1+5/UU,iv:AGvvoJggPVRWdRZci+HS8JbAcYkHb0zHjl3NQWVnc7Q=,tag:5FaYzYaJ16jOxU3g6zkwfw==,type:str]
+  SERVER_CATEGORIES: ENC[AES256_GCM,data:w3Ii,iv:GcVSMVaU+pja3/KdoM3zpDjXu4u2YPH3qqACvmSu7R0=,tag:/tAkhJNeMLVBX0jt/ybhaA==,type:str]
+  VPN_INTERFACE: ENC[AES256_GCM,data:X2bn,iv:rHbZGyt3tOKwMJa7tOzpiRfqvxjGcLgaWCnigq7IfZ4=,tag:mc32O5BopedHsGSF5KUzcQ==,type:str]
+  VPN_TYPE: ENC[AES256_GCM,data:k6xfZf0GodKb,iv:YuhLG0kPpYCfQQmKscMaSGnNHLUMHxreeFfQMhWdW+4=,tag:G0rZ9Jy1pArIfY6QyZVgiA==,type:str]
+  #ENC[AES256_GCM,data:ajDpx70gMswD,iv:7ZgD91wyvQu5LUjLhPqK0c2OXh5FmqL5zPcTYN6BqBg=,tag:2Mn7o3oJtkjfAioOmz4gfQ==,type:comment]
+  FIREWALL_ENABLED_DISABLING_IT_SHOOTS_YOU_IN_YOUR_FOOT: ENC[AES256_GCM,data:Hpfm,iv:v0GvRd87gbMU3FTUKqEEJYhKoENLXcbEmaxrx5S3ia8=,tag:PD+XNENwBx9C3IJbZ8tCNw==,type:str]
+  FIREWALL_DEBUG: ENC[AES256_GCM,data:YSQ=,iv:pb1BA7S5q82Aabp5753QlTw/Wfa6BYGqBK5228HY6ic=,tag:LQIPbIKxeVyreXekg51KUA==,type:str]
+  #ENC[AES256_GCM,data:+2Wfzg==,iv:20ezH8XUlva0dSvRHtFYPl8DzQfCY1xnkrgE8NAh6tQ=,tag:8BSfnLgRATfvD598krcfZg==,type:comment]
+  BLOCK_MALICIOUS: ENC[AES256_GCM,data:2ips,iv:ScCbjhDyzMvmACel+OYokcsNXjX+eLP5pzlzSEalmRo=,tag:Ax78eg96KwXU6P6Vgt2Qzg==,type:str]
+  DOT: ENC[AES256_GCM,data:5PP2,iv:58Ry9h3ju5DJ4RzV2x0te3UNmRxWARurh+BpKKut6L8=,tag:XnH46wpJqrsjG/5kfckwTQ==,type:str]
+  #ENC[AES256_GCM,data:FugieG4A7CjjsMbGLABPM41/htE=,iv:W49DawpbM0ZLo5o6F3Fo9LGQdBPrZ7Kt9br/3MLqDmg=,tag:GtuU+3ylGsm7ifSG+o/QxQ==,type:comment]
+  DNS_ADDRESS: ENC[AES256_GCM,data:aiS615U17Q9PnR/9AQ==,iv:ukMbjzxROd6vpFEDjfPKowaYrMJN5C/h5c2y9Bbgyes=,tag:9yiXci3qwbNlwLiDWm5+GQ==,type:str]
+  VPN_SERVICE_PROVIDER: ENC[AES256_GCM,data:OfJkXIapVA==,iv:YUV7PJcXiWZu3xZzR2B3phe5QdNUzbLkv+6oobqAX/g=,tag:mngDjn3XF8d2cTenZkvd4g==,type:str]
+  WIREGUARD_PRIVATE_KEY: ENC[AES256_GCM,data:OHFLYjCOagPY7Rvm+tdYanINdrLlMVGEPwOv2OC75qT+Jxb8dIAtpxM/PnU=,iv:IaYgfqE86LgOIBr8ntrpbUUXWPwPH4hNe9k+2wL4noI=,tag:CF8iSK8Pz01t7q9Hg2B7LQ==,type:str]
+  WIREGUARD_DNS: ENC[AES256_GCM,data:+2/sgrFM2FhW7Xc5jA==,iv:66RJ8bpXA8E5jM0CpNEj5OeBQej7ZaUCeKPpnvfyISA=,tag:mOE4Vu0dluAvadUvcK0GRw==,type:str]
 sops:
   kms: []
   gcp_kms: []
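Review bot: `VPN_INTERFACE` stays in this encrypted secret while helmrelease.yaml now also sets `settings.VPN_INTERFACE: "wg0"` in clear text, so the gluetun side and the gateway routing side each have their own copy of the interface name and one of them cannot be read in review; the old ciphertext presumably decrypted to `tun0` and the new one must be `wg0` for routing to work. An interface name is not a secret, so move it to the plain HelmRelease values and keep only credentials here. Replacing `OPENVPN_USER`/`OPENVPN_PASSWORD` with `WIREGUARD_PRIVATE_KEY` leaves the old credentials in git history encrypted under the same age recipient, so they should be revoked at the provider rather than treated as gone. `DNS_UPDATE_PERIOD` is dropped without mention; if that is deliberate, say so in the commit message.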
@@ -29,14 +32,14 @@ sops:
     - recipient: age1w02zzfg0y4ast9mgnd9w0yuym0wqx6q967kmrmq355w4cnw0xytq2x369r
       enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0NXR1Vk5NNFJRVVFKdVVr
-        NnFNT0ViYmRURXJoMnl2V1czSFBnYkpvaGhjCnRpd0diU1E3dzczRnpac0xzOWxC
-        VDk0c25VMWU0SlJJK1ptOWhFVUxhSkEKLS0tIEpZWm0vcWVuNVFyTzFUSnlhNVNk
-        elhpNTVTT2JGMU93NEsxUkhMTmVqd2sKdnm/tgyDSiK192IXLfjbiTVvd9MUR8om
-        5gwC7fdjDat+69tpSxFeFdBssSlny72m8zvLhOACCGXggV6mNcbqtQ==
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0eERDeDF6aGw0cElCNzIy
+        ejU4UTFRTlV3Sldhb0tyNTdvSmZEOHVFbjJnCnp3UmUxelgwN2pSdElZRE1xeTRW
+        emk2NUVqTkJISHhYakV0YmxLOEFXaDAKLS0tIEtLTXpFSVRXRFpWNEtTajJqdVY0
+        Y2N6RXd2UkQweVlDbU0vZmVXTmVMZkUKNWQxBG32e2ZngeTczz/556ZTElfG62M8
+        ujEeH5hKYfDUMKTEItfxgtsy3NwlVCEkvoo8Kf/H6BDuXdKMJW5bpg==
         -----END AGE ENCRYPTED FILE-----
-  lastmodified: "2024-11-23T22:59:39Z"
-  mac: ENC[AES256_GCM,data:/7OThln1M5TXa+A+6eIxKvPvqusQCZbegWzkrfygTYC7a2r3VCiDgk+gIVwv+EBUbwzhwGCZyz/tMTQIuj4/VdRvfWWE5MP+aXv5Rsg1FP6bJ5VbfKwWSS1r+X7H4TvsJQzna7LPE2yTwMPd0mTbMxr8SLGJ1x/5FbdGdJXotGE=,iv:rvLzCYAVfFwF23++pxNYUuf9+OxWxv7vqHVe57L9PMA=,tag:DiGqZPZ7bBzkTEewdP5ZGQ==,type:str]
+  lastmodified: "2024-11-26T23:54:39Z"
+  mac: ENC[AES256_GCM,data:e0b4yT3j15RjYfkn6lZ5tm7ACO+HutLWWvG3xSt8xxjcyqT7e2HeX6FMcIMzIsZ8ynyUbT39EvRqxXss7D5cJ2rvaFfPK4D72a603K7KmG+nHMUxHEjrcgxqDnvU3WaIPgcbxYvILI5lGSLpMC2yai2BSMgm5RbiD4/H3tF6CF0=,iv:BF3C1bR+4FbL02nZEKFNxWR09PfroBd2tLt2SGKZr/E=,tag:fVeSWlKk14VoJvvRQtV5GA==,type:str]
   pgp: []
   encrypted_regex: ^(data|stringData)$
   version: 3.9.0