OPNsense Forum

English Forums => Virtual private networks => Topic started by: drum7 on October 21, 2021, 01:53:38 pm

Title: Extend VLAN across Wireguard
Post by: drum7 on October 21, 2021, 01:53:38 pm
Hello -

I'm trying to extend a VLAN across a WG tunnel. I'm looking for a reality check from someone as I've never done this before.

In SiteA, I have an OPNsense appliance with the VLAN that I want to extend and a WG tunnel established to SiteB (which just has a linux host as my WG client / termination point).

At a high level, what I think I need to do is:

On the OPNsense Side - SiteA

On the Linux Host / WG Client Side - Site B

Am I...missing something? If it helps, I'm trying to follow a generic blog article I found here - https://www.tallwireless.com/posts/2020/03/21/tunnels-tunnels-tunnels/ (https://www.tallwireless.com/posts/2020/03/21/tunnels-tunnels-tunnels/).

Thanks for the help all...

Title: Re: Extend VLAN across Wireguard
Post by: mimugmail on October 21, 2021, 08:31:58 pm
Not sure if this works, as WG heavily uses bash scripting and routing. Did you test this in a lab?
Title: Re: Extend VLAN across Wireguard
Post by: drum7 on October 21, 2021, 08:53:22 pm
I have not. I'm just making sure the logic is semi-sound before I attempt it.
Title: Re: Extend VLAN across Wireguard
Post by: Patrick M. Hausen on October 21, 2021, 09:31:39 pm
Don't extend layer 2 broadcast domains across wide area links. Simply don't.

https://blog.ipspace.net/2012/03/stretched-layer-2-subnets-server.html

Lots more of fantastic content at Ivan's site.
Title: Re: Extend VLAN across Wireguard
Post by: drum7 on October 21, 2021, 10:58:32 pm
Quote from: Patrick M. Hausen on October 21, 2021, 09:31:39 pm
    Don't extend layer 2 broadcast domains across wide area links. Simply don't.

    https://blog.ipspace.net/2012/03/stretched-layer-2-subnets-server.html

    Lots more of fantastic content at Ivan's site.

Thanks for the link, but I'm still going to try. Performance isn't my concern at the moment.
Title: Re: Extend VLAN across Wireguard
Post by: skydiablo on December 07, 2021, 02:52:50 pm
Hey! I'm running it the same way, but my current setup failed. I have set up exactly the same stack (VXLAN over WireGuard), but I cannot get any traffic over the VXLAN.

Code:
# tcpdump -i wgInterface
...
14:33:42.941322 IP 10.92.0.10.63384 > 10.92.0.1.4789: VXLAN, flags [I] (0x08), vni 100
ARP, Request who-has 10.92.100.1 tell 10.92.100.10, length 28
...

A tcpdump on the WireGuard interface showed an ARP request that was never answered. On the VXLAN interface itself there is no traffic to see at all :( In the GUI at "Interfaces -> Diagnostics -> Netstat -> (Tab) Interfaces -> vxlan0 / AA:BB:CC:11:22:33 -> received-errors" this value keeps counting up if I send pings from the other side to this endpoint.

So I do not know why there is an error; maybe "ARP suppression"?
@drum7, did you have any success with VXLAN over WireGuard? My first test is without a bridge, just trying to ping the VXLAN interface itself. Never mind: with or without a bridge, there is the same problem :|

any hints for me?
volker.
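To make the tcpdump output above concrete, here is an added example (not code from the thread or from OPNsense) that builds a VXLAN-in-UDP payload matching that capture and decodes it back: VXLAN flags/VNI, the inner Ethernet broadcast, and the inner ARP request. The inner MAC addresses and the packet bytes are constructed for the example; the addresses and VNI are the ones in the capture. It also goes one step beyond the post and computes the MTU the vxlan interface needs when its underlay is a WireGuard interface (the 50-byte VXLAN overhead and WireGuard's default MTU of 1420 are standard figures, not something the thread states).

```python
"""Decode/build the VXLAN-encapsulated ARP request seen on the WireGuard interface.

Added example, not from the forum thread. Inner MACs and the packet bytes are
constructed; VNI 100 and the 10.92.100.x addresses come from the tcpdump line.
"""
import ipaddress
import struct

VXLAN_FLAG_I = 0x08               # RFC 7348 "valid VNI" flag; receivers drop frames without it
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
# Bytes added around an inner IP packet: inner Ethernet + outer IPv4 + UDP + VXLAN header
VXLAN_OVERHEAD = 14 + 20 + 8 + 8  # = 50


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_vxlan_arp_request(vni: int, sender_mac: bytes, sender_ip: str, target_ip: str) -> bytes:
    """Constructed test input: the UDP/4789 payload carrying an ARP who-has broadcast."""
    vxlan = struct.pack("!BxxxI", VXLAN_FLAG_I, vni << 8)        # flags, 3 reserved, VNI<<8, reserved
    ether = struct.pack("!6s6sH", b"\xff" * 6, sender_mac, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REQUEST,
                      sender_mac, ipaddress.IPv4Address(sender_ip).packed,
                      b"\x00" * 6, ipaddress.IPv4Address(target_ip).packed)
    return vxlan + ether + arp


def parse_arp(body: bytes) -> dict:
    if len(body) < 28:
        raise ValueError("ARP body truncated")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", body[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {
        "op": {ARP_REQUEST: "request", ARP_REPLY: "reply"}.get(oper, oper),
        "sender_mac": _mac(sha), "sender_ip": str(ipaddress.IPv4Address(spa)),
        "target_mac": _mac(tha), "target_ip": str(ipaddress.IPv4Address(tpa)),
        "length": len(body),
    }


def parse_vxlan(payload: bytes) -> dict:
    """Parse a VXLAN UDP payload; raises ValueError on anything a VTEP would discard."""
    if len(payload) < 8 + 14:
        raise ValueError("too short for VXLAN header plus inner Ethernet header")
    flags, vni_field = struct.unpack("!BxxxI", payload[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError(f"VXLAN I flag not set (flags=0x{flags:02x})")
    inner = payload[8:]
    dst, src, ethertype = struct.unpack("!6s6sH", inner[:14])
    frame = {"vni": vni_field >> 8, "flags": flags,
             "dst_mac": _mac(dst), "src_mac": _mac(src), "ethertype": ethertype}
    if ethertype == ETHERTYPE_ARP:
        frame["arp"] = parse_arp(inner[14:])
    return frame


def vxlan_mtu(underlay_mtu: int) -> int:
    """MTU for the vxlan interface so an inner packet still fits the underlay.
    Over WireGuard the underlay is the wg interface MTU (1420 by default)."""
    return underlay_mtu - VXLAN_OVERHEAD


def describe(payload: bytes) -> str:
    """Render the decoded frame in the same shape as the tcpdump lines from the post."""
    f = parse_vxlan(payload)
    line = f"VXLAN, flags [{'I' if f['flags'] & VXLAN_FLAG_I else '-'}] (0x{f['flags']:02x}), vni {f['vni']}"
    if f.get("arp", {}).get("op") == "request":
        a = f["arp"]
        line += f"\nARP, Request who-has {a['target_ip']} tell {a['sender_ip']}, length {a['length']}"
    return line


if __name__ == "__main__":
    pkt = build_vxlan_arp_request(100, bytes.fromhex("0242ac110010"), "10.92.100.10", "10.92.100.1")
    print(describe(pkt))
    print("vxlan interface MTU over a default wg interface:", vxlan_mtu(1420))
```

Running it prints the same "VXLAN, flags [I] (0x08), vni 100 / ARP, Request who-has 10.92.100.1 tell 10.92.100.10, length 28" text as the capture, which confirms the encapsulation on the wg interface is well formed; the receiving side still has to have a vxlan interface with the same VNI and matching local/remote addresses before it will decapsulate, and the vxlan interface's MTU has to be at most the wg MTU minus 50 or larger inner frames are dropped.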
Title: Re: Extend VLAN across Wireguard
Post by: mimugmail on December 07, 2021, 03:13:46 pm
Shouldn't you see the encapsulated traffic instead of ARP?
Title: Re: Extend VLAN across Wireguard
Post by: skydiablo on December 07, 2021, 03:18:46 pm
Check out the attachment; this is a complete tcpdump from the wg interface when I try to ping the VXLAN interface. The VXLAN interface has no traffic at all :(???
Title: Re: Extend VLAN across Wireguard
Post by: skydiablo on December 08, 2021, 08:57:38 am
The problem only happens if the VXLAN is routed over WireGuard; a direct p2p without WireGuard works like a charm.