I have a pod that runs WireGuard; IPv4 forwarding is enabled in that pod, so all packets sent from WireGuard clients are routable to the other pods.
WireGuard client -> WG-NIC inside WireGuard pod --- routing table ---> eth0 (the interface managed by Calico) -> other pods.
The issue is that the packets that arrive at the WG NIC and are then routed to the other pods always have the IP of the eth0 of the WireGuard pod and not the real IP of the WireGuard client.
I am not sure what exactly is happening here and why Kubernetes/Calico is changing the source IP of the packets sent by the WireGuard client.
I am aware of Kubernetes source IP NAT, but here I am not getting anything through the proxy, but directly to the pod, so I don't understand what is happening.
Can I make Kubernetes/Calico not change the source IP and preserve the IP of the WireGuard clients?
Here are the ip addr and ip route outputs of my WireGuard pod:
/app # ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN qlen 1000
link/ipip 0.0.0.0 brd 0.0.0.0
4: eth0@if33: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1430 qdisc noqueue state UP
link/ether d2:66:c9:1b:45:89 brd ff:ff:ff:ff:ff:ff
inet 10.244.171.24/32 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::d066:c9ff:fe1b:4589/64 scope link
valid_lft forever preferred_lft forever
5: wg-firezone: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1280 qdisc noqueue state UNKNOWN qlen 1000
link/[65534]
inet 10.5.0.1/32 scope global wg-firezone
valid_lft forever preferred_lft forever
inet6 fd00::3:2:1/128 scope global
valid_lft forever preferred_lft forever
/app # ip route
default via 169.254.1.1 dev eth0
10.5.0.0/24 dev wg-firezone scope link
169.254.1.1 dev eth0 scope link
/app #
iptables is totally clean and empty.
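The check a practitioner would want before blaming Calico, as an added example that is not part of the original question: a plain "iptables -L" only lists the filter table, so a MASQUERADE or SNAT rule living in the nat table, or an nftables ruleset installed by the VPN container's own entrypoint, would not appear there even though it rewrites the source address of every packet forwarded out of eth0. The script below scans a rule dump for source-NAT rules; the two sample dumps are constructed to show what such a rule looks like in iptables-save and nft syntax and are not taken from the poster's pod. When run inside a real pod it dumps every table with iptables-save and nft list ruleset if those tools are present (assumed to be installable in the image).

```shell
#!/bin/sh
# Added diagnostic helper (not code from the original post). Looks for
# source-NAT rules that would replace a WireGuard client's address with
# the pod's eth0 address. "iptables -L" without "-t nat" shows only the
# filter table, so a MASQUERADE rule in the nat table is easy to miss.

# Print every line of a rule dump that performs source NAT.
# $1: text of an iptables-save dump and/or an "nft list ruleset" dump.
find_snat_rules() {
    printf '%s\n' "$1" | grep -E -i 'masquerade|-j SNAT|--to-source|[[:space:]]snat[[:space:]]'
}

# Count the matching lines (0 when the dump has no source NAT at all).
count_snat_rules() {
    find_snat_rules "$1" | wc -l | tr -d ' '
}

# Constructed sample: an iptables-save dump whose filter table is empty
# (what "iptables -L" would show) but whose nat table masquerades the
# WireGuard subnet on its way out of eth0.
SAMPLE_IPTABLES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.5.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Constructed sample: the same behaviour expressed as an nftables ruleset,
# which iptables-save will not list when the rules were added via nft.
SAMPLE_NFT='table ip vpn {
	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		oifname "eth0" ip saddr 10.5.0.0/24 masquerade
	}
}'

# Constructed sample: a dump with no NAT rules at all.
SAMPLE_CLEAN='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Inside a real pod: dump all tables from both frameworks, not just filter.
live_check() {
    if command -v iptables-save >/dev/null 2>&1; then
        echo "== iptables-save (all tables) =="
        find_snat_rules "$(iptables-save 2>/dev/null)" || echo "no SNAT/MASQUERADE in iptables"
    fi
    if command -v nft >/dev/null 2>&1; then
        echo "== nft list ruleset =="
        find_snat_rules "$(nft list ruleset 2>/dev/null)" || echo "no SNAT/MASQUERADE in nftables"
    fi
    if command -v conntrack >/dev/null 2>&1; then
        echo "== conntrack entries whose reply address differs (i.e. NATed flows) =="
        conntrack -L 2>/dev/null | grep -E 'src=10\.5\.0\.' || echo "no conntrack entries for the WireGuard subnet"
    fi
}

echo "sample iptables dump: $(count_snat_rules "$SAMPLE_IPTABLES") source-NAT rule(s)"
echo "sample nft dump:      $(count_snat_rules "$SAMPLE_NFT") source-NAT rule(s)"
echo "sample clean dump:    $(count_snat_rules "$SAMPLE_CLEAN") source-NAT rule(s)"
live_check
```

If either dump reports a MASQUERADE or SNAT rule on eth0 for the 10.5.0.0/24 subnet, the rewrite is happening inside the pod and not in Calico; removing that rule (or restricting it to traffic leaving the cluster) is what preserves the client addresses. If both dumps are empty in the pod, the next place to look is the node, where Calico's own chains and any kube-proxy masquerade rules live.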