RnD/infra
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4117ec60636b821e3ef729ed085df110e7c70f21
infra/stacks/wireguard-client/README.md

10 lines
580 B
Markdown
Raw Normal View History

scaffold: hub-and-spoke layout, 4-network topology, 13 stack stubs Initial structure for R&D infrastructure: - stacks/ — 13 reusable, runnable stack stubs (kebab-case) cloud-and-edge: node-red, influxdb, grafana, keycloak, portainer, nginx-proxy, mqtt, postfix cloud-only: wireguard-server, gitea, jenkins, sql (postgres stub) edge-only: wireguard-client - cloud/ — single central hub composition with 4 networks (edge, app, data internal, mgmt) and include: stubs - sites/ — per-plant edge folders (template README only for now) - docs/architecture.md — hub-and-spoke + ingress + segmentation rationale Network model: only nginx-proxy (80/443/8883) and wireguard-server (51820/udp) publish ports on the cloud host. Edge nginx publishes 80/443 on plant-LAN interface only. MQTT cloud-side via nginx stream proxy; MQTT edge-side internal-only; Postfix outbound-only. OT layer (OPCUA, PLCs) is out of scope for this repo. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 12:37:59 +02:00
# wireguard-client
VPN client running at each edge. **Edge-only stack.**
- **Networks**: `app` + `mgmt` (so other edge containers can route through the tunnel)
- **No published port** — initiates outbound to the cloud `wireguard-server` on `udp/51820`
- **Config**: `config/wg0.conf` (per-site, contains the site's private key + cloud peer pubkey + AllowedIPs)
- **Routing**: edge containers reach cloud-side services by routing destined-for-cloud-subnet traffic via this client
- **TODO**: routing strategy (split-tunnel vs full), keepalive interval, MTU tuning per WAN type
Reference in New Issue Copy Permalink