[Networking] wireguard-go embedded in liqo gateway #3276

Open
cheina97 wants to merge 1 commit into liqotech:master from cheina97:frc/wggo

@cheina97
Member

cheina97 commented May 3, 2026

Summary

Replaces the external wireguard-go binary approach with an in-process Go library integration. Previously, the gateway container image had to download Go at build time, clone the wireguard-go repository, compile the binary, and then exec it at runtime as a subprocess. This PR removes all of that in favour of importing golang.zx2c4.com/wireguard directly as a Go dependency and running the userspace WireGuard device inside the gateway process itself.

Changes

build/liqo/Dockerfile

Removes the multi-step wireguard build layer that:

  • installed Go 1.22.4
  • cloned git.zx2c4.com/wireguard-go at a pinned commit
  • cross-compiled the binary for the target architecture
  • cleaned up Go and git from the image

The gateway binary is now self-contained; no external wireguard-go binary is needed in the image.

pkg/gateway/tunnel/wireguard/netlink.go

Rewrites createLinkUserspace to use the wireguard-go library directly:

  • Creates a TUN device via tun.CreateTUN
  • Instantiates a device.Device with conn.NewDefaultBind() for the underlying socket
  • Opens and listens on the UAPI socket so that wgctrl can still configure the interface (keys, peers, etc.) through the standard kernel-compatible API
  • Serves UAPI connections in a goroutine, keeping the device running for the process lifetime
  • Shuts down cleanly on context cancellation
  • Respects the configured MTU (previously blocked by a TODO — it was not possible to pass MTU to the external binary)

go.mod / go.sum

  • Promotes golang.zx2c4.com/wireguard from indirect to a direct dependency
  • Adds golang.zx2c4.com/wintun as a new indirect dependency (required by the wireguard library on Windows)

.gitignore

Adds .claude directory to the ignore list.

Motivation

  • Simpler image builds: no need to install Go, clone repos, or cross-compile inside Docker.
  • Faster image builds: removes a heavyweight multi-step layer from the wireguard component image.
  • MTU support: the embedded device honours the Options.MTU field, resolving the long-standing TODO in the previous implementation.
  • Cleaner lifecycle: the device is now tied to the gateway's context rather than being an unrelated subprocess, making shutdown and error handling more robust.
  • Fewer runtime dependencies: the container image no longer needs the wireguard-go binary present at /usr/bin/wireguard-go.

@adamjensenbot
Collaborator

Hi @cheina97. Thanks for your PR!

I am @adamjensenbot.
You can interact with me issuing a slash command in the first line of a comment.
Currently, I understand the following commands:

  • /rebase: Rebase this PR onto the master branch (You can add the option test=true to launch the tests
    when the rebase operation is completed)
  • /merge: Merge this PR into the master branch
  • /build: Build Liqo components
  • /test: Launch the E2E and Unit tests
  • /hold, /unhold: Add/remove the hold label to prevent merging with /merge

Make sure this PR appears in the liqo changelog, adding one of the following labels:

  • feat: 🚀 New Feature
  • fix: 🐛 Bug Fix
  • refactor: 🧹 Code Refactoring
  • docs: 📝 Documentation
  • style: 💄 Code Style
  • perf: 🐎 Performance Improvement
  • test: ✅ Tests
  • chore: 🚚 Dependencies Management
  • build: 📦 Builds Management
  • ci: 👷 CI/CD
  • revert: ⏪ Reverts Previous Changes

github-actions bot added the feat (Adds a new feature to the codebase) label May 3, 2026
@cheina97
Member Author

cheina97 commented May 7, 2026

/rebase test=true

Labels: feat (Adds a new feature to the codebase), size/L