Let’s assume you want to deploy a cluster of machines on Hetzer Cloud. For simplicity let’s call them
worker3. They need to communicate with a server called
master, which will be running on different account then the workers. Ideally, the whole setup should not be open to the internet. Unfortunately, Hetzner supports only private networks within the same account.
To make it work, you can setup your own VPN using WireGuard. Conceptually, it is not hard. You need to setup three connections (between the
master and each
worker). The tricky part is how to automate the key exchange. Ideally, it should not be more work if you deploy additional workers (e.g. 100 instead 3 workers).
Setting up such a VPN cluster sounds like a common problem, but I cannot find any recommendations on how to setup
n-to-m connections, only tutorials on how to peer two machines. I’m thinking of automating the key exchange with Ansible (generate keys, gather them, install them on the
master), but wanted to check first whether there is an easier solution to the problem that I missed.
In SSH, workers could share their key, which would simplify the problem. In WireGuard, keys cannot be shared, as far as I understood. How would you automate the setup of a VPN with WireGuard, so each worker can reach the master? Or is WireGuard the wrong choice for the problem?
- In my scenario, it is not possible to move the workers and master to the same account; otherwise, Hetzner networks would be the straightforward solution for setting up a private network.
- If you are not familiar with Hetzner Cloud, it is not a problem. You can assume that you get normal Linux machines, but then you are on your own (it does not support VPC peering across accounts as AWS does). Yet you can use all Linux tools available for creating the VPN setup. WireGuard would be my first choice, but I’m open to other techniques.
Go to Source
Author: Philipp Claßen