Some Wireguard Questions

[scolby33]

I am setting up a new cluster and have some questions about Wireguard networking in a few different areas. At the moment, I have two nodes, both existing on the same layer 2 network and connected via a switch.

1. I would like the nodes to communicate as much as possible (entirely?) via Wireguard. Is this as simple as enabling KubeSpan? If the nodes are on the same layer 2 network, which interface will they prefer?
2. Sub-question from above: what is the relationship between KubeSpan and the Wireguard configured with --wireguard-cidr and documented here? I can't tell what this functionality is for.
3. I would like to communicate with the Talos and Kubernetes API's via a "management" Wireguard network. (Particularly for when I am away, but it would be neat if this were also a requirement for local access.) Is this possible? I imagine the answer is something along the lines of configuring a Wireguard interface and setting up firewall rules, but how would this effect the cluster endpoint value I set in my talosctl gen config invocation?
4. (Stretch goal question, since this probably requires some dark network magic and isn't really a Talos-specific question): I would like to communicate with the services running in my cluster via a "client" Wireguard network. Like above, it would be neat if they could only be accessed via the VPN. Ideally I could configure MetalLB to hand out IP's in a Wireguard subnet, but I think this runs in to issues with determining how the traffic is routed to the proper node. Does anyone have any thoughts on this?

[smira]

I would like the nodes to communicate as much as possible (entirely?) via Wireguard. Is this as simple as enabling KubeSpan? If the nodes are on the same layer 2 network, which interface will they prefer?

Yes, just enable KubeSpan. You can control which endpoints are announced from each node, this way you can limit KubeSpan communication to a specific network. But by default KubeSpan will pick whatever the first path that works between nodes.

Sub-question from above: what is the relationship between KubeSpan and the Wireguard configured with --wireguard-cidr and documented here? I can't tell what this functionality is for.

No connection - KubeSpan is all automatic, just enable it and it works. Manual Wireguard is also something you can do, but you have to do all configuration yourself.

I would like to communicate with the Talos and Kubernetes API's via a "management" Wireguard network. (Particularly for when I am away, but it would be neat if this were also a requirement for local access.) Is this possible? I imagine the answer is something along the lines of configuring a Wireguard interface and setting up firewall rules, but how would this effect the cluster endpoint value I set in my talosctl gen config invocation?

KubeSpan is designed to handle only in-cluster communication. Providing access to the cluster from external locations is not handled by KubeSpan. You can try Tailscale for that which is available in Talos extensions repository.

But you can also look into Omni which offers what you're looking for and much more, including your last question about access to services.