This repository has been archived by the owner on Dec 7, 2023. It is now read-only.

where to get wireguard kernel with k3s ubuntu 20.04 #768

Closed
matti opened this issue Jan 9, 2021 · 14 comments
Labels
area/kernels kind/support Categorizes the issue as related to support questions.

Comments


matti commented Jan 9, 2021

error: Module wireguard not found in directory /lib/modules/5.4.43

$ ignite run weaveworks/ignite-ubuntu:20.04-amd64 --kernel-image weaveworks/ignite-kernel:5.4.43 --cpus 32 --ssh --memory 4GB --size 10GB --ssh
$ apt install wireguard
Reading package lists... Done
Building dependency tree
Reading state information... Done
wireguard is already the newest version (1.0.20200513-1~20.04.2).

$ curl -sfL https://get.k3s.io | K3S_URL=https://master:6443 K3S_TOKEN=token  sh -
$ journalctl -f -u k3s-agent

failed to run command: export SUBNET_IP=$(echo $SUBNET | cut -d'/' -f 1); ip link del flannel.1 2>/dev/null; echo $PATH >&2; wg-add.sh flannel.1 && wg set flannel.1 listen-port 51820 private-key privatekey && ip addr add $SUBNET_IP/32 dev flannel.1 && ip link set flannel.1 up && ip route add $NETWORK dev flannel.1 Err: exit status 1 Output: /var/lib/rancher/k3s/data/986d5e8cf570f904598f9a5d531da2430e5a6171d22b7addb1e4a7c5b87a47d0/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/rancher/k3s/data/986d5e8cf570f904598f9a5d531da2430e5a6171d22b7addb1e4a7c5b87a47d0/bin/aux\nmodprobe: FATAL: Module wireguard not found in directory /lib/modules/5.4.43\nError: Unknown device type.\n/var/lib/rancher/k3s/data/986d5e8cf570f904598f9a5d531da2430e5a6171d22b7addb1e4a7c5b87a47d0/bin/aux/wg-add.sh: line 26: boringtun: command not found\n/var/lib/rancher/k3s/data/986d5e8cf570f904598f9a5d531da2430e5a6171d22b7addb1e4a7c5b87a47d0/bin/aux/wg-add.sh: line 29: boringtun: command not found\n/var/lib/rancher/k3s/data/986d5e8cf570f904598f9a5d531da2430e5a6171d22b7addb1e4a7c5b87a47d0/bin/aux/wg-add.sh: line 32: wireguard-go: command not found"

Author

matti commented Jan 9, 2021

Where are these weaveworks/ignite-kernel (last push 7 months ago) built, and where is the Dockerfile?

$ docker create --name kakka weaveworks/ignite-kernel:5.4.43 sh
$ docker export kakka | tar t
.dockerenv
boot/
boot/config-5.4.43
boot/vmlinux
boot/vmlinux-5.4.43
dev/
dev/console
dev/pts/
dev/shm/
etc/
etc/hostname
etc/hosts
etc/mtab
etc/resolv.conf
lib/
lib/modules/
lib/modules/5.4.43/
lib/modules/5.4.43/build
lib/modules/5.4.43/kernel/
lib/modules/5.4.43/kernel/arch/
lib/modules/5.4.43/kernel/arch/x86/
lib/modules/5.4.43/kernel/arch/x86/crypto/
lib/modules/5.4.43/kernel/arch/x86/crypto/aesni-intel.ko
lib/modules/5.4.43/kernel/arch/x86/crypto/blowfish-x86_64.ko
...

Contributor

stealthybox commented Jan 12, 2021

@matti This is an awesome use-case!
The kernel builds run within docker containers and are pretty quick:
https://github.com/weaveworks/ignite/tree/master/images/kernel

You'll want to add your CONFIG_ options to the config-patches file.
The Makefile patches these options for a matrix of configs, so the build is a bit unorthodox.
Check out the README for more info.

You can set the KERNEL_VERSIONS env var to build just one specific version, like we do to split out the release builds:
https://github.com/weaveworks/ignite/blob/master/.github/workflows/release-kernel-images.yml#L18

Please post back if you need more help or get things working :)

stealthybox added the area/kernels and kind/support labels on Jan 12, 2021
Contributor

gaby commented Mar 17, 2021

@matti Now that Kernel 5.10.x has been added, can you try this with --kernel-image weaveworks/ignite-kernel:5.10.21 ? It's my understanding that Kernel 5.6.x is the one that introduced Wireguard.


MikePadge commented Apr 27, 2021

It looks like the problem might be when trying to create the wireguard interface. @gaby I added the 5.10 kernel, but if you go to manually create a wireguard interface (or really any ip link interface, it looks like):

ip link add dev wg0 type wireguard

Error: Unknown device type.

I've seen this type of error before with wireguard when missing kernel headers in debian, but even adding the headers does not seem to help in this case.

apt search linux-headers-$(uname -r)
Sorting... Done
Full Text Search... Done

apt cache search for the headers only returns the following headers for 5.10

apt install linux-headers-5.10.0-1008-oem

Setting up linux-headers-5.10.0-1008-oem (5.10.0-1008.9) ...
/etc/kernel/header_postinst.d/dkms:
 * dkms: running auto installation service for kernel 5.10.0-1008-oem
Error!  The /var/lib/dkms/wireguard/1.0.20201112/5.10.0-1008-oem/x86_64/dkms.conf for module wireguard includes a BUILD_EXCLUSIVE directive which
does not match this kernel/arch.  This indicates that it should not be built.

ignite run weaveworks/ignite-ubuntu:20.04-amd64 --kernel-image weaveworks/ignite-kernel:5.4.43
Appears to suffer from the same problem, but I might have just installed the wrong headers?

@stealthybox
Contributor

Perhaps we need to enable WIREGUARD in the kernel build:

sudo ignite run --ssh weaveworks/ignite-k3s \
  --name test-kernel --kernel-image weaveworks/ignite-kernel:5.10.21
sudo ignite exec test-kernel zgrep WIREGUARD /proc/config.gz
# CONFIG_WIREGUARD is not set

@stealthybox
Contributor

I know sometimes building a kernel can sound intimidating.
The kernel build is containerized and very repeatable, so you should be able to make your own and test.
If you need help doing this, please say so!

@darkowlzz and I would certainly be comfortable adding wireguard to the kernel build.
This is very in-line with other k8s related networking primitives like VXLAN.

@stealthybox
Contributor

The Gentoo guide mentions this:

Kernel 5.6 and higher
Starting with kernel 5.6, Wireguard is included in the upstream kernel sources. It is enabled via the following menuconfig option:

KERNEL Enable CONFIG_WIREGUARD
Device Drivers  --->
    [*] Network device support  --->
        [*] Network core driver support
        <*>   WireGuard secure network tunnel

gentoo-source: https://wiki.gentoo.org/wiki/Wireguard

@MikePadge

I made changes in https://github.com/weaveworks/ignite/blob/main/images/kernel/config-patches to add what looks to be the only missing config option from what https://wiki.gentoo.org/wiki/Wireguard lists as needed for wireguard post 5.6.

config-patches
...

# Enable support for Wireguard
CONFIG_WIREGUARD=y

Then rebuilt the docker kernel image, and ran into the issue of ignite not wanting to pull that docker image and trying to match whatever's on quay I guess.

The output of my builds

REPOSITORY                             TAG              IMAGE ID       CREATED         SIZE
weaveworks/ignite-kernel               5.10.25-amd64    c79f9a84fc50   2 hours ago     72.9MBG

ignite run --config debnonet.yaml --kernel-image weaveworks/ignite-kernel:5.10.25-amd64
Running the above tries to pull that kernel image in remotely, even if I use the local Image ID, so I just renamed the kernel image, pulled it into my local container repository with no creds, and re-ran the vm run:

ignite run --config debnonet.yaml --kernel-image local/ignite-kernel:latest
and this appears to pull in my custom kernel
ignite ps
72071756ab904b51 weaveworks/ignite-ubuntu:latest local/ignite-kernel:latest 8.0 GB 2 1024.0 MB 25m ago Up 25m 10.50.61.12 0.0.0.0:2222->22/tcp test-kernel
but

zgrep WIREGUARD /proc/config.gz
# CONFIG_WIREGUARD is not set

Here is the debnonet.yaml

apiVersion: ignite.weave.works/v1alpha3
kind: VM
metadata:
  name: test-kernel
spec:
  image:
    oci: weaveworks/ignite-ubuntu
  cpus: 2
  diskSize: 8GB 
  memory: 1024MB
  network:
    ports:
    - hostPort: 2222
      vmPort: 22
      protocol: tcp 
  ssh: "/home/local.pub"

So even after adding CONFIG_WIREGUARD=y to config-patches, and building the docker kernel image, I think I missed something and somehow didn't build the image with my config option added.

I'll have a fresh look at it in the morning, I probably glossed over something in the Makefile.

Contributor

jhult commented Oct 22, 2021

Any updates on this?

Contributor

stealthybox commented Nov 12, 2021

@MikePadge sorry for the late response

> probably glossed over something in the Makefile.

The kernel-config and kernel builds definitely had some confusing structure.
@darkowlzz and I recently just refactored it and made it possible to run single versions.

Specifically, when you update config-patches, you need to run make upgrade for all the supported kernel versions or at least run the specific ones you intend to build: make upgrade-${KERNEL_VERSION}.
This will patch the kernel config for that version of the linux kernel tree and enable any dependencies.

Adding CONFIG_WIREGUARD=y and running make upgrade-5.14.16 results in a good number of additional features being automatically enabled in the kernel config. (tunnelling + cryptographic algos)

Here is the patch for 5.14.16 x86 and ARM:

diff --git images/kernel/config-patches images/kernel/config-patches
index e73e292a..dd3dff40 100644
--- images/kernel/config-patches
+++ images/kernel/config-patches
@@ -1,5 +1,9 @@
 # In this file, the recipe for patching all kernel configs (all versions & architectures) is
 
+# Enable wireguard
+# https://github.com/weaveworks/ignite/issues/768
+CONFIG_WIREGUARD=y
+
 # Enable bonding/teaming
 CONFIG_BONDING=y
 CONFIG_NET_TEAM=y
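Review bot: The comment added above CONFIG_WIREGUARD=y should say which kernel versions the option applies to. The file header states that this recipe patches all kernel configs (all versions and architectures), yet the generated configs in this patch are only for 5.14.16, so a reader cannot tell what happens on trees that have no WIREGUARD symbol. Suggest extending the comment with the minimum version (WireGuard is in the upstream sources from 5.6) and with the observed effect on older configs once that has been checked.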
diff --git images/kernel/generated/config-amd64-5.14.16 images/kernel/generated/config-amd64-5.14.16
index 91e5aab6..aaff5cc5 100644
--- images/kernel/generated/config-amd64-5.14.16
+++ images/kernel/generated/config-amd64-5.14.16
@@ -953,7 +953,7 @@ CONFIG_IP_PNP_BOOTP=y
 CONFIG_IP_PNP_RARP=y
 CONFIG_NET_IPIP=m
 CONFIG_NET_IPGRE_DEMUX=m
-CONFIG_NET_IP_TUNNEL=m
+CONFIG_NET_IP_TUNNEL=y
 CONFIG_NET_IPGRE=m
 CONFIG_NET_IPGRE_BROADCAST=y
 CONFIG_IP_MROUTE_COMMON=y
@@ -963,7 +963,7 @@ CONFIG_IP_PIMSM_V1=y
 CONFIG_IP_PIMSM_V2=y
 CONFIG_SYN_COOKIES=y
 CONFIG_NET_IPVTI=m
-CONFIG_NET_UDP_TUNNEL=m
+CONFIG_NET_UDP_TUNNEL=y
 CONFIG_NET_FOU=m
 CONFIG_NET_FOU_IP_TUNNELS=y
 CONFIG_INET_AH=m
@@ -1822,7 +1822,8 @@ CONFIG_NETDEVICES=y
 CONFIG_NET_CORE=y
 CONFIG_BONDING=y
 CONFIG_DUMMY=y
-# CONFIG_WIREGUARD is not set
+CONFIG_WIREGUARD=y
+# CONFIG_WIREGUARD_DEBUG is not set
 # CONFIG_EQUALIZER is not set
 # CONFIG_IFB is not set
 CONFIG_NET_TEAM=y
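Review bot: CONFIG_WIREGUARD is set to =y here rather than =m, and the commit message should record that this is deliberate. The rest of the patch shows the cost of that choice: CONFIG_NET_IP_TUNNEL, CONFIG_NET_UDP_TUNNEL and the ChaCha20 and Poly1305 helpers all move from =m to =y to satisfy a built-in driver. Built-in means a guest needs no wireguard.ko under /lib/modules, which is a reasonable goal for these images, but it should be stated. Leaving CONFIG_WIREGUARD_DEBUG unset is the right default for a released kernel.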
@@ -3181,6 +3182,7 @@ CONFIG_IO_WQ=y
 CONFIG_KEYS=y
 # CONFIG_KEYS_REQUEST_CACHE is not set
 CONFIG_PERSISTENT_KEYRINGS=y
+# CONFIG_BIG_KEYS is not set
 CONFIG_ENCRYPTED_KEYS=y
 # CONFIG_KEY_DH_OPERATIONS is not set
 # CONFIG_SECURITY_DMESG_RESTRICT is not set
@@ -3281,7 +3283,7 @@ CONFIG_CRYPTO_ECDH=y
 # CONFIG_CRYPTO_ECRDSA is not set
 # CONFIG_CRYPTO_SM2 is not set
 # CONFIG_CRYPTO_CURVE25519 is not set
-# CONFIG_CRYPTO_CURVE25519_X86 is not set
+CONFIG_CRYPTO_CURVE25519_X86=y
 
 #
 # Authenticated Encryption with Associated Data
@@ -3330,12 +3332,12 @@ CONFIG_CRYPTO_CRC32_PCLMUL=m
 CONFIG_CRYPTO_XXHASH=m
 CONFIG_CRYPTO_BLAKE2B=m
 # CONFIG_CRYPTO_BLAKE2S is not set
-# CONFIG_CRYPTO_BLAKE2S_X86 is not set
+CONFIG_CRYPTO_BLAKE2S_X86=y
 CONFIG_CRYPTO_CRCT10DIF=y
 CONFIG_CRYPTO_CRCT10DIF_PCLMUL=y
 CONFIG_CRYPTO_GHASH=m
 CONFIG_CRYPTO_POLY1305=m
-CONFIG_CRYPTO_POLY1305_X86_64=m
+CONFIG_CRYPTO_POLY1305_X86_64=y
 CONFIG_CRYPTO_MD4=m
 CONFIG_CRYPTO_MD5=y
 CONFIG_CRYPTO_MICHAEL_MIC=m
@@ -3377,7 +3379,7 @@ CONFIG_CRYPTO_DES3_EDE_X86_64=m
 CONFIG_CRYPTO_FCRYPT=m
 CONFIG_CRYPTO_KHAZAD=m
 CONFIG_CRYPTO_CHACHA20=m
-CONFIG_CRYPTO_CHACHA20_X86_64=m
+CONFIG_CRYPTO_CHACHA20_X86_64=y
 CONFIG_CRYPTO_SEED=m
 CONFIG_CRYPTO_SERPENT=m
 CONFIG_CRYPTO_SERPENT_SSE2_X86_64=m
@@ -3426,17 +3428,21 @@ CONFIG_CRYPTO_HASH_INFO=y
 #
 CONFIG_CRYPTO_LIB_AES=y
 CONFIG_CRYPTO_LIB_ARC4=m
-# CONFIG_CRYPTO_LIB_BLAKE2S is not set
-CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA=m
-CONFIG_CRYPTO_LIB_CHACHA_GENERIC=m
-# CONFIG_CRYPTO_LIB_CHACHA is not set
-# CONFIG_CRYPTO_LIB_CURVE25519 is not set
+CONFIG_CRYPTO_ARCH_HAVE_LIB_BLAKE2S=y
+CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC=y
+CONFIG_CRYPTO_LIB_BLAKE2S=y
+CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA=y
+CONFIG_CRYPTO_LIB_CHACHA_GENERIC=y
+CONFIG_CRYPTO_LIB_CHACHA=y
+CONFIG_CRYPTO_ARCH_HAVE_LIB_CURVE25519=y
+CONFIG_CRYPTO_LIB_CURVE25519_GENERIC=y
+CONFIG_CRYPTO_LIB_CURVE25519=y
 CONFIG_CRYPTO_LIB_DES=m
 CONFIG_CRYPTO_LIB_POLY1305_RSIZE=11
-CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305=m
-CONFIG_CRYPTO_LIB_POLY1305_GENERIC=m
-# CONFIG_CRYPTO_LIB_POLY1305 is not set
-# CONFIG_CRYPTO_LIB_CHACHA20POLY1305 is not set
+CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305=y
+CONFIG_CRYPTO_LIB_POLY1305_GENERIC=y
+CONFIG_CRYPTO_LIB_POLY1305=y
+CONFIG_CRYPTO_LIB_CHACHA20POLY1305=y
 CONFIG_CRYPTO_LIB_SHA256=y
 # CONFIG_CRYPTO_HW is not set
 CONFIG_ASYMMETRIC_KEY_TYPE=y
diff --git images/kernel/generated/config-arm64-5.14.16 images/kernel/generated/config-arm64-5.14.16
index 396e8592..f748ff43 100644
--- images/kernel/generated/config-arm64-5.14.16
+++ images/kernel/generated/config-arm64-5.14.16
@@ -580,7 +580,26 @@ CONFIG_ARM_SMCCC_SOC_ID=y
 CONFIG_ARCH_SUPPORTS_ACPI=y
 # CONFIG_ACPI is not set
 # CONFIG_VIRTUALIZATION is not set
-# CONFIG_ARM64_CRYPTO is not set
+CONFIG_ARM64_CRYPTO=y
+# CONFIG_CRYPTO_SHA256_ARM64 is not set
+# CONFIG_CRYPTO_SHA512_ARM64 is not set
+# CONFIG_CRYPTO_SHA1_ARM64_CE is not set
+# CONFIG_CRYPTO_SHA2_ARM64_CE is not set
+# CONFIG_CRYPTO_SHA512_ARM64_CE is not set
+# CONFIG_CRYPTO_SHA3_ARM64 is not set
+# CONFIG_CRYPTO_SM3_ARM64_CE is not set
+# CONFIG_CRYPTO_SM4_ARM64_CE is not set
+# CONFIG_CRYPTO_GHASH_ARM64_CE is not set
+# CONFIG_CRYPTO_CRCT10DIF_ARM64_CE is not set
+# CONFIG_CRYPTO_AES_ARM64 is not set
+# CONFIG_CRYPTO_AES_ARM64_CE is not set
+# CONFIG_CRYPTO_AES_ARM64_CE_CCM is not set
+# CONFIG_CRYPTO_AES_ARM64_CE_BLK is not set
+# CONFIG_CRYPTO_AES_ARM64_NEON_BLK is not set
+CONFIG_CRYPTO_CHACHA20_NEON=y
+CONFIG_CRYPTO_POLY1305_NEON=y
+# CONFIG_CRYPTO_NHPOLY1305_NEON is not set
+# CONFIG_CRYPTO_AES_ARM64_BS is not set
 
 #
 # General architecture-dependent options
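Review bot: Turning on CONFIG_ARM64_CRYPTO=y exposes nineteen further options in this hunk, and only CONFIG_CRYPTO_CHACHA20_NEON and CONFIG_CRYPTO_POLY1305_NEON end up enabled; the seventeen SHA, AES, GHASH, SM3/SM4 and CRC options are written out as not set. Please confirm these are the generated defaults and not choices made by hand, and say in the commit message that the accelerated AES and SHA options are intentionally left off, since nothing in config-patches asks for them.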
@@ -948,7 +967,7 @@ CONFIG_IP_PNP_BOOTP=y
 CONFIG_IP_PNP_RARP=y
 CONFIG_NET_IPIP=m
 CONFIG_NET_IPGRE_DEMUX=m
-CONFIG_NET_IP_TUNNEL=m
+CONFIG_NET_IP_TUNNEL=y
 CONFIG_NET_IPGRE=m
 CONFIG_NET_IPGRE_BROADCAST=y
 CONFIG_IP_MROUTE_COMMON=y
@@ -958,7 +977,7 @@ CONFIG_IP_PIMSM_V1=y
 CONFIG_IP_PIMSM_V2=y
 CONFIG_SYN_COOKIES=y
 CONFIG_NET_IPVTI=m
-CONFIG_NET_UDP_TUNNEL=m
+CONFIG_NET_UDP_TUNNEL=y
 CONFIG_NET_FOU=m
 CONFIG_NET_FOU_IP_TUNNELS=y
 CONFIG_INET_AH=m
@@ -1824,7 +1843,8 @@ CONFIG_NETDEVICES=y
 CONFIG_NET_CORE=y
 CONFIG_BONDING=y
 CONFIG_DUMMY=y
-# CONFIG_WIREGUARD is not set
+CONFIG_WIREGUARD=y
+# CONFIG_WIREGUARD_DEBUG is not set
 # CONFIG_EQUALIZER is not set
 # CONFIG_IFB is not set
 CONFIG_NET_TEAM=y
@@ -3364,6 +3384,7 @@ CONFIG_IO_WQ=y
 CONFIG_KEYS=y
 # CONFIG_KEYS_REQUEST_CACHE is not set
 CONFIG_PERSISTENT_KEYRINGS=y
+# CONFIG_BIG_KEYS is not set
 CONFIG_ENCRYPTED_KEYS=y
 # CONFIG_KEY_DH_OPERATIONS is not set
 # CONFIG_SECURITY_DMESG_RESTRICT is not set
@@ -3580,15 +3601,19 @@ CONFIG_CRYPTO_HASH_INFO=y
 #
 CONFIG_CRYPTO_LIB_AES=y
 CONFIG_CRYPTO_LIB_ARC4=m
-# CONFIG_CRYPTO_LIB_BLAKE2S is not set
-CONFIG_CRYPTO_LIB_CHACHA_GENERIC=m
-# CONFIG_CRYPTO_LIB_CHACHA is not set
-# CONFIG_CRYPTO_LIB_CURVE25519 is not set
+CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC=y
+CONFIG_CRYPTO_LIB_BLAKE2S=y
+CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA=y
+CONFIG_CRYPTO_LIB_CHACHA_GENERIC=y
+CONFIG_CRYPTO_LIB_CHACHA=y
+CONFIG_CRYPTO_LIB_CURVE25519_GENERIC=y
+CONFIG_CRYPTO_LIB_CURVE25519=y
 CONFIG_CRYPTO_LIB_DES=m
 CONFIG_CRYPTO_LIB_POLY1305_RSIZE=9
+CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305=y
 CONFIG_CRYPTO_LIB_POLY1305_GENERIC=m
-# CONFIG_CRYPTO_LIB_POLY1305 is not set
-# CONFIG_CRYPTO_LIB_CHACHA20POLY1305 is not set
+CONFIG_CRYPTO_LIB_POLY1305=y
+CONFIG_CRYPTO_LIB_CHACHA20POLY1305=y
 CONFIG_CRYPTO_LIB_SHA256=y
 # CONFIG_CRYPTO_HW is not set
 CONFIG_ASYMMETRIC_KEY_TYPE=y
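Review bot: CONFIG_CRYPTO_LIB_POLY1305_GENERIC stays at =m in this arm64 hunk while CONFIG_CRYPTO_LIB_POLY1305 and CONFIG_CRYPTO_LIB_CHACHA20POLY1305 become =y, whereas the amd64 config in the same patch moves the GENERIC option to =y. If this is what make upgrade generated, with CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305=y and CONFIG_CRYPTO_POLY1305_NEON=y supplying the built-in implementation, a sentence in the commit message would stop the next reader from suspecting a hand edit. Because the two generated configs differ here, the arm64 image should get its own handshake test before release.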

Contributor

stealthybox commented Nov 13, 2021

Made a personal branch to patch all the versions:
branch: https://github.com/stealthybox/ignite/tree/wg-kernels (merged and deleted now)
commit: stealthybox@b651012

Only the 5.10 and 5.14 kernels have any changes when this is patched in.
Need to verify if unknown options affect the lower version kernel-config builds negatively in any way.

Talked to @darkowlzz about some test plans.
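
The config check used in this thread (zgrep WIREGUARD /proc/config.gz), extended into a script that separates the three cases discussed here: option not set, symbol absent from the config altogether, and option set with a dependency left weaker than the driver. This is an added example, not part of the original comments or the ignite project; the function names, return codes, sample configs and the dependency list (taken from the options the 5.14.16 patch switches on) are assumptions.

```shell
#!/bin/sh
# Added example (not ignite project code). Sample configs are constructed,
# modelled on the config lines quoted in this thread.

# config_state FILE SYMBOL -> y | m | <value> | unset | absent
# Reads plain or gzip-compressed configs such as /proc/config.gz.
config_state() {
    case "$1" in *.gz) gzip -dc "$1" ;; *) cat "$1" ;; esac |
    awk -v sym="CONFIG_$2" '
        index($0, sym "=") == 1        { state = substr($0, length(sym) + 2) }
        $0 == ("# " sym " is not set") { state = "unset" }
        END { print (state == "" ? "absent" : state) }'
}

# wireguard_ready FILE -> 0 usable, 1 not set, 2 symbol absent, 3 dependency problem
wireguard_ready() {
    wg=$(config_state "$1" WIREGUARD)
    case "$wg" in
        y|m)   ;;
        unset) echo "CONFIG_WIREGUARD is not set (generated config not refreshed?)"; return 1 ;;
        *)     echo "no CONFIG_WIREGUARD symbol (tree predates in-kernel WireGuard?)"; return 2 ;;
    esac
    # Dependency list (assumption): options the 5.14.16 patch shows as enabled.
    for dep in NET_UDP_TUNNEL CRYPTO_LIB_CHACHA20POLY1305 \
               CRYPTO_LIB_CURVE25519 CRYPTO_LIB_BLAKE2S; do
        s=$(config_state "$1" "$dep")
        # A built-in driver cannot rely on code that exists only as a module.
        if [ "$s" != y ] && { [ "$wg" = y ] || [ "$s" != m ]; }; then
            echo "CONFIG_$dep=$s does not satisfy CONFIG_WIREGUARD=$wg"; return 3
        fi
    done
    echo "CONFIG_WIREGUARD=$wg, dependencies satisfied"
}

# write_samples DIR: constructed configs, one per outcome.
write_samples() {
    printf '%s\n' 'CONFIG_NET_UDP_TUNNEL=y' 'CONFIG_WIREGUARD=y' \
        '# CONFIG_WIREGUARD_DEBUG is not set' 'CONFIG_CRYPTO_LIB_BLAKE2S=y' \
        'CONFIG_CRYPTO_LIB_CURVE25519=y' 'CONFIG_CRYPTO_LIB_CHACHA20POLY1305=y' \
        > "$1/patched"
    printf '%s\n' 'CONFIG_NET_UDP_TUNNEL=m' '# CONFIG_WIREGUARD is not set' \
        '# CONFIG_CRYPTO_LIB_CURVE25519 is not set' > "$1/unpatched"
    printf '%s\n' 'CONFIG_NET_UDP_TUNNEL=m' 'CONFIG_DUMMY=y' > "$1/pre-wireguard"
    sed 's/^CONFIG_NET_UDP_TUNNEL=y$/CONFIG_NET_UDP_TUNNEL=m/' "$1/patched" \
        > "$1/hand-edited"
    gzip -c "$1/patched" > "$1/patched.gz"
}

SAMPLES=$(mktemp -d)
write_samples "$SAMPLES"
for f in "$SAMPLES"/*; do
    printf '%-14s ' "${f##*/}"
    wireguard_ready "$f" || true
done
```

Run it against images/kernel/generated/config-<arch>-<version> before building an image, or against /proc/config.gz inside a running VM.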

@darkowlzz
Contributor

Hi, here's an update about wireguard support in the ignite kernel and the results of my testing.
I built the 5.10 kernel from @stealthybox's branch mentioned above for both amd64 and arm64.

  • darkowlzz/ignite-kernel:5.10.77-amd64-wg
  • darkowlzz/ignite-kernel:5.10.77-arm64-wg

I followed the demo from https://www.wireguard.com/quickstart/ to test it out in two ignite VMs.

On trying the demo instructions with a normal ignite-kernel, without in-kernel wireguard support, it failed to add a new wireguard interface:

# ip link add wg0 type wireguard
Error: Unknown device type.

Created two new VMs using the new kernel and weaveworks/ignite-ubuntu:latest OS image.

# ignite run weaveworks/ignite-ubuntu --name my-vm1 --ssh --kernel-image darkowlzz/ignite-kernel:5.10.77-amd64-wg
# ignite run weaveworks/ignite-ubuntu --name my-vm2 --ssh --kernel-image darkowlzz/ignite-kernel:5.10.77-amd64-wg

Installed wireguard in them using apt install wireguard and followed the demo in the video.

The machines added each other as peers and were able to ping one another.

VM 1:

root@bc76d5641c509978:~# wg
interface: wg0
  public key: 1pU23TWPn2XWhDfBfGsp6Qi9tqRlvQezy344uKbunic=
  private key: (hidden)
  listening port: 48949

peer: DXTGe2wN9SOvo6gzmwq86R0lRcudIbcnx491sCV7GyI=
  endpoint: 10.61.0.13:44989
  allowed ips: 10.0.0.2/32
  latest handshake: 10 seconds ago
  transfer: 916 B received, 4.45 KiB sent

VM 2:

root@1b4c0835855bc616:~# wg
interface: wg0
  public key: DXTGe2wN9SOvo6gzmwq86R0lRcudIbcnx491sCV7GyI=
  private key: (hidden)
  listening port: 44989

peer: 1pU23TWPn2XWhDfBfGsp6Qi9tqRlvQezy344uKbunic=
  endpoint: 10.61.0.14:48949
  allowed ips: 10.0.0.1/32
  latest handshake: 12 seconds ago
  transfer: 860 B received, 4.65 KiB sent

NOTE: Need to be careful with the ports. Based on the demo video, both the machines were listening on the same port. But when I tried the same commands, they were listening on two different ports and I had to change my set peer commands accordingly.

Tested the same on arm64, raspberrypi-4, as well.

@darkowlzz
Contributor

#884 added support for wireguard in kernel 5.10 and 5.14, thanks to @stealthybox.
The kernel images are now available to use:

  • weaveworks/ignite-kernel:5.10.77
  • weaveworks/ignite-kernel:5.14.16

Using any ignite OS image with these kernel images should now have wireguard support.

Closing this issue for now. Please open another issue for further discussions around it.
