● WireGuard · eBPF · Kubernetes

vpblu

In-kernel encrypted mesh for Kubernetes, with eBPF pod traffic steering into secure VPN tunnels.

Install in one command

$ helm install vpblu oci://ghcr.io/lumbrjx/charts/encrypted-vpblu -n vpblu-system --create-namespace

Add --set policies.install=true and the mesh forms in seconds: no repo to clone, no build.

Why vpblu
A fast kernel data plane, a rich control plane

In-kernel encryption

One WireGuard tunnel per node-pair. Crypto runs in the kernel module; private keys never leave the node, never hit the wire.

eBPF steering

eBPF tc programs classify, block and steer pod packets by looking up eBPF maps. Policy is data, never baked into the BPF program.


Event-driven control

A leader-elected controller watches CRDs via informers and pushes targeted commands to each node daemon over long-lived (warm) gRPC streams, with snapshot+resync for correctness.


Zero-downtime rotation

A cron-driven four-phase overlapping key rotation swaps WireGuard keys without dropping a single packet.


Helm + GHCR

One chart installs CRDs, RBAC, the controller and the per-node DaemonSet. Images are pulled from GHCR — you never build.


Web & TUI dashboards

A built-in web dashboard (with login) and a kubectl-style TUI, meshtop, show nodes, tunnels, handshakes and rotation state live.

Architecture
Control plane decides · kernel enforces

Userspace decides what should be true; the kernel makes it true at packet rate. The only bridge is the daemon writing eBPF maps and configuring WireGuard via netlink.

Controller (Deployment): informers on CRDs → computeNodeDesiredState · leader-elected · warm gRPC · key-rotation cron
        │ warm gRPC stream                        │ warm gRPC stream
Daemon · node 1                                   Daemon · node 2
  userspace: WireGuard (netlink) · keys · peers     userspace: WireGuard (netlink) · keys · peers
  kernel:    eBPF tc programs + maps                kernel:    eBPF tc programs + maps
        └────── WireGuard tunnel · UDP/51820 · encrypted node-IP ↔ node-IP ──────┘
                — no cleartext pod traffic on the wire
Data path
From pod packet to encrypted tunnel
pod packet on a host veth → eBPF classify (block? remote?) → mark → ip rule → wg-mesh fwmark routing → WireGuard encrypt → UDP to the peer node, in-kernel
Get going
Four steps to an encrypted mesh
01

Install

One Helm command pulls the images from GHCR and deploys the controller + per-node daemon.

02

Apply a policy

Apply a TunnelPolicy with mode: FullMesh and every node peers with every other node in seconds.

03

Verify

wg show lists peers; tcpdump shows only encrypted UDP/51820 on the wire.

04

Watch

Open the web dashboard (login) or run meshtop for a live terminal view.
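The Verify step above relies on reading a tcpdump capture by eye. The following shell helper, added here as an example and not part of vpblu, automates that check over a text capture from a node's underlay interface: every packet must be WireGuard UDP on the mesh port, and no address from the pod CIDR may appear in cleartext. The node IPs, the 10.244.0.0/16 pod prefix and both captures are constructed samples.

```shell
#!/bin/sh
# Constructed sample of `tcpdump -nn -i <underlay-if> ip` on a healthy node:
# only WireGuard UDP/51820 between node IPs (not a real capture).
CLEAN_CAPTURE='10:00:01.000100 IP 192.168.10.11.51820 > 192.168.10.12.51820: UDP, length 148
10:00:01.000400 IP 192.168.10.12.51820 > 192.168.10.11.51820: UDP, length 92
10:00:02.000100 IP 192.168.10.11.51820 > 192.168.10.12.51820: UDP, length 1420'

# Constructed sample of the same mesh where one pod-to-pod TCP flow bypassed
# the tunnel, i.e. what a missing policy or broken fwmark rule looks like.
LEAKY_CAPTURE='10:00:01.000100 IP 192.168.10.11.51820 > 192.168.10.12.51820: UDP, length 148
10:00:03.000100 IP 10.244.1.5.43210 > 10.244.2.7.8080: Flags [S], seq 1, win 64240, length 0'

# only_wg_on_wire CAPTURE WG_PORT POD_PREFIX
# Returns 0 when every line is UDP with both ports equal to WG_PORT and no
# address starting with POD_PREFIX is visible; otherwise prints the offending
# lines to stderr and returns 1. Assumes tcpdump's default one-line IPv4 format.
only_wg_on_wire() {
  printf '%s\n' "$1" | awk -v port="$2" -v podpfx="$3" '
    NF == 0 { next }
    {
      src = $3; dst = $5; proto = $6
      sub(/:$/, "", dst); sub(/,$/, "", proto)      # strip "dst:" and "UDP,"
      sport = src; dport = dst
      sub(/.*\./, "", sport); sub(/.*\./, "", dport) # keep text after last dot
      bad = 0
      if (proto != "UDP" || sport != port || dport != port) bad = 1
      if (index(src, podpfx) == 1 || index(dst, podpfx) == 1) bad = 1
      if (bad) { print "cleartext or non-mesh packet: " $0 > "/dev/stderr"; leaks++ }
    }
    END { exit (leaks > 0) ? 1 : 0 }'
}

if only_wg_on_wire "$CLEAN_CAPTURE" 51820 10.244.; then
  echo "clean capture: only WireGuard UDP/51820 on the wire"
fi
if ! only_wg_on_wire "$LEAKY_CAPTURE" 51820 10.244. 2>/dev/null; then
  echo "leaky capture: cleartext pod traffic detected"
fi
```

On a live node, feed it a short capture, e.g. only_wg_on_wire "$(tcpdump -nn -c 200 -i eth0 ip 2>/dev/null)" 51820 10.244. (interface name and pod prefix are assumptions for your cluster).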