OPNsense Forum

English Forums => Virtual private networks => Topic started by: theprez1980 on December 06, 2024, 12:56:35 AM

Title: Wireguard Site to Site - Does it pass Layer 2 Traffic?
Post by: theprez1980 on December 06, 2024, 12:56:35 AM
Hey All -

I have successfully configured WireGuard and have a site-to-site VPN tunnel going between two fiber networks with excellent latency (less than 5 ms).

I'm trying to use clustering with Proxmox but I'm being told that the VPN I'm using (WireGuard) must allow layer 2 traffic for the corosync service to work correctly. Is that enabled by default or something I need to do?

The alternative suggestion that I don't understand is to pass one of the 192.168.0.X IPs to the far end of the connection using a VLAN so it appears to be on the same subnet as the rest of the nodes. Not sure if OPNsense does that or not..

Any ideas?

Thanks
Title: Re: Wireguard Site to Site - Does it pass Layer 2 Traffic?
Post by: Monviech (Cedrik) on December 06, 2024, 06:42:53 AM
WireGuard is a Layer 3 VPN, so that question answers itself. You can combine it with VXLAN for example.

https://docs.opnsense.org/manual/how-tos/vxlan_bridge.html
Title: Re: Wireguard Site to Site - Does it pass Layer 2 Traffic?
Post by: FraLem on December 07, 2024, 08:57:31 AM
OpenVPN, TAP mode, would be an option.

Hope this helps
Title: Re: Wireguard Site to Site - Does it pass Layer 2 Traffic?
Post by: Patrick M. Hausen on December 07, 2024, 11:22:50 AM
Layer 2 connections over WAN links are generally a bad idea.

https://blog.ipspace.net/2012/03/stretched-layer-2-subnets-server/
Title: Re: Wireguard Site to Site - Does it pass Layer 2 Traffic?
Post by: FrAllard on December 18, 2024, 11:34:43 AM
In a test environment I was able to make this work: having Layer 2 through a WireGuard tunnel using VXLAN over WireGuard. This was a fun experiment. Someone was trying to connect two LANs with the same subnet and have the two distant networks share the subnet and reach either side without apparent routing. The goal was to be able to move VMs from one site to the other without having to set up the VM network config after the move. The only downside was that the VM would still use the far-side gateway after the move, but still working perfectly with added latency obviously.

Here is the great picture of the operation.
You need an interface to manage the VXLAN and then that interface needs to be bridged with the LAN interface, so your LAN will become that bridge in the end.

LAN = bridge0 (vtnet1_lan, vxlan1)
vtnet1_lan = LAN interface
vxlan1 = VXLAN interface that makes this work
WAN = The WAN you know... lol
wg_net = the wireguard tunnel
(https://i.imgur.com/yNY0wU3.png)

Here is the overview of the interfaces, this was done in a VM lab, so WAN IP is RFC1918 in this case.

(https://i.imgur.com/uBYgxCI.png)

The VXLAN is set up as such. Those IPs are from the WireGuard tunnel: the WireGuard Instance IP is in Source Address and the WireGuard Peer IP in Remote Address.

(https://i.imgur.com/j0Fvvrd.png)

Firewall rules for reference

(https://i.imgur.com/eEKShqV.png)

(https://i.imgur.com/WG99luo.png)

(https://i.imgur.com/WEPebQ8.png)

(https://i.imgur.com/NxAo2nj.png)

Wireguard config overview for reference

(https://i.imgur.com/tJ0CJzb.png)

(https://i.imgur.com/uRTiqJ5.png)
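The following is an added example, not code from the thread or from OPNsense, that makes concrete what the VXLAN-over-WireGuard setup above is doing on the wire: an inner Ethernet frame (here a constructed multicast UDP datagram standing in for corosync traffic; the group address and port 5405 are assumptions for illustration) is wrapped in a VXLAN header and carried as UDP/4789 between the two WireGuard tunnel addresses. It also computes the MTU budget such a stretched Layer 2 segment costs, assuming the common WireGuard interface MTU of 1420.

```python
"""Added example (not from the forum thread or OPNsense): VXLAN encapsulation
of an Ethernet frame, as it would ride inside a WireGuard (Layer 3) tunnel,
plus the MTU budget. All frames are constructed in-line; corosync-like
addresses and the port 5405 are assumptions, not copied from a real cluster."""
import ipaddress
import struct
from dataclasses import dataclass

VXLAN_UDP_PORT = 4789        # IANA-assigned VXLAN port (RFC 7348)
VXLAN_FLAG_VNI_VALID = 0x08  # "I" bit in the VXLAN flags byte
ETHERTYPE_IPV4 = 0x0800
ETH_HDR_LEN = 14


@dataclass
class VxlanFrame:
    vni: int
    dst_mac: bytes
    src_mac: bytes
    ethertype: int
    payload: bytes  # inner L3 packet (an IPv4 datagram in this demo)

    @property
    def dst_is_multicast(self) -> bool:
        # Group bit: least-significant bit of the first MAC octet.
        return bool(self.dst_mac[0] & 0x01)


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ipv4_checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_udp(src_ip: str, dst_ip: str, sport: int, dport: int, data: bytes) -> bytes:
    """Minimal IPv4+UDP datagram; UDP checksum 0 means 'none', which is legal over IPv4."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    fields = (0x45, 0, 20 + len(udp), 0, 0x4000, 64, 17, 0,
              ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    hdr = struct.pack("!BBHHHBBH4s4s", *fields)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + udp


def build_ethernet(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    return dst + src + struct.pack("!H", ethertype) + payload


def vxlan_encapsulate(vni: int, inner_frame: bytes) -> bytes:
    """VXLAN header: flags(1) reserved(3) VNI(3) reserved(1), then the whole L2 frame."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI is a 24-bit value")
    return bytes([VXLAN_FLAG_VNI_VALID, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00" + inner_frame


def vxlan_decapsulate(udp_payload: bytes) -> VxlanFrame:
    """Parse the UDP/4789 payload back into VNI plus the inner Ethernet frame."""
    if len(udp_payload) < 8 + ETH_HDR_LEN:
        raise ValueError("payload too short for VXLAN header + Ethernet header")
    if not udp_payload[0] & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN VNI-valid flag not set")
    vni = int.from_bytes(udp_payload[4:7], "big")
    frame = udp_payload[8:]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return VxlanFrame(vni, frame[0:6], frame[6:12], ethertype, frame[ETH_HDR_LEN:])


def inner_ipv4_mtu(wg_mtu: int = 1420, ipv6_vxlan_underlay: bool = False) -> int:
    """Largest inner IPv4 packet that fits in one WireGuard packet without fragmentation.
    Inside the tunnel each frame costs: outer IP (20 or 40) + UDP 8 + VXLAN 8 + Ethernet 14."""
    outer_ip = 40 if ipv6_vxlan_underlay else 20
    return wg_mtu - (outer_ip + 8 + 8 + ETH_HDR_LEN)


def demo() -> VxlanFrame:
    # Constructed corosync-like datagram (assumed addresses/port) from a node on the LAN.
    datagram = build_ipv4_udp("192.168.0.11", "239.192.0.1", 5405, 5405, b"corosync-totem-token")
    frame = build_ethernet(mac("01:00:5e:40:00:01"), mac("52:54:00:aa:bb:01"), ETHERTYPE_IPV4, datagram)
    on_the_wire = vxlan_encapsulate(1, frame)  # this is the UDP/4789 payload inside WireGuard
    return vxlan_decapsulate(on_the_wire)


if __name__ == "__main__":
    f = demo()
    print("VNI", f.vni, "multicast dst:", f.dst_is_multicast, "inner bytes:", len(f.payload))
    print("inner IPv4 MTU with WireGuard MTU 1420:", inner_ipv4_mtu())
```

The point to take from the parse is that the multicast destination MAC survives intact, which is exactly what a plain WireGuard tunnel cannot carry, since it only moves IP packets whose destination falls inside a peer's allowed IPs. The MTU figure is the practical caveat for this kind of lab: with the tunnel at 1420 the inner hosts must be told about roughly 1370 bytes, or large frames will be fragmented or dropped.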