Extend VLAN across Wireguard

Started by drum7, October 21, 2021, 01:53:38 PM

Hello -

I'm trying to extend a VLAN across a WG tunnel. I'm looking for a reality check from someone as I've never done this before.

In SiteA, I have an OPNsense appliance with the VLAN that I want to extend and a WG tunnel established to SiteB (which just has a linux host as my WG client / termination point).

At a high level, what I think I need to do is:

On the OPNsense Side - SiteA

  • Create a bridge interface and associate the VLAN I want to extend with it
  • Create a VXLAN interface with a common-to-both-sides VNI (let's say 9) with a source of my OPNsense WG interface and a remote of SiteB's WG interface
  • Create interface assignments for the VXLAN and Bridge
  • Associate the VXLAN to the Bridge

On the Linux Host / WG Client Side - Site B

  • Create the VLAN, VXLAN (with the same VNI and "opposite" source / destination), and Bridge
  • Associate the VLAN and VXLAN to the Bridge

Am I...missing something? If it helps, I'm trying to follow a generic blog article I found here - https://www.tallwireless.com/posts/2020/03/21/tunnels-tunnels-tunnels/.

Thanks for the help all...
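
The Linux-side (Site B) half of the plan above, as an added example that is not from the thread or from the linked article: it emits the iproute2 commands for the VLAN, the VXLAN (VNI 9 as proposed above) and the bridge, printed rather than executed so they can be reviewed before running them as root. Interface names, the tunnel addresses and VLAN 100 are assumed placeholders; the MTU step is a caveat the plan omits, since VXLAN adds 50 bytes of headers on top of WireGuard's default 1420-byte MTU.

```shell
#!/bin/sh
# Added example, not the thread's own configuration. Generates the
# Linux-host (Site B) commands for VLAN -> bridge <- VXLAN over WireGuard.
# All values below are assumed placeholders except VNI 9 from the thread.
WG_IF=wg0               # WireGuard interface on the Linux host
LOCAL_WG_IP=10.0.0.2    # this host's address inside the tunnel
REMOTE_WG_IP=10.0.0.1   # OPNsense address inside the tunnel
PARENT_IF=eth0          # physical NIC carrying the tagged VLAN
VLAN_ID=100             # VLAN to extend
VNI=9                   # VXLAN network identifier, same on both sides
WG_MTU=1420             # WireGuard's default interface MTU

# VXLAN encapsulation adds 50 bytes: 14 Ethernet + 20 IPv4 + 8 UDP + 8 VXLAN.
# The VXLAN interface MTU must leave room for that inside the tunnel MTU,
# otherwise full-size frames are silently dropped or fragmented.
vxlan_mtu() {
  echo $(( $1 - 50 ))
}

# Print the command sequence. Pipe into "sh" as root to apply it.
linux_side_cmds() {
  mtu=$(vxlan_mtu "$WG_MTU")
  cat <<EOF
ip link add link $PARENT_IF name ${PARENT_IF}.$VLAN_ID type vlan id $VLAN_ID
ip link add vxlan$VNI type vxlan id $VNI local $LOCAL_WG_IP remote $REMOTE_WG_IP dstport 4789 dev $WG_IF
ip link set vxlan$VNI mtu $mtu
ip link add br$VNI type bridge
ip link set ${PARENT_IF}.$VLAN_ID master br$VNI
ip link set vxlan$VNI master br$VNI
ip link set ${PARENT_IF}.$VLAN_ID up
ip link set vxlan$VNI up
ip link set br$VNI up
EOF
}

linux_side_cmds
```

Port 4789/UDP must be allowed on the WireGuard interface at both ends, since that is where the VXLAN packets arrive.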


Not sure if this works, as WG heavily uses bash scripting and routing. Did you test this in a lab?

I have not. I'm just making sure the logic is semi-sound before I attempt it.

Don't extend layer 2 broadcast domains across wide area links. Simply don't.

https://blog.ipspace.net/2012/03/stretched-layer-2-subnets-server.html

Lots more fantastic content at Ivan's site.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: pmhausen on October 21, 2021, 09:31:39 PM
Don't extend layer 2 broadcast domains across wide area links. Simply don't.

https://blog.ipspace.net/2012/03/stretched-layer-2-subnets-server.html

Lots more fantastic content at Ivan's site.

Thanks for the link, but I'm still going to try. Perf isn't my concern at the moment.

Hey! I'm running the same way, but my current setup failed. I have set up exactly the same stack (VXLAN over WireGuard) but I cannot get any traffic over the VXLAN.


# tcpdump -i wgInterface
...
14:33:42.941322 IP 10.92.0.10.63384 > 10.92.0.1.4789: VXLAN, flags [I] (0x08), vni 100
ARP, Request who-has 10.92.100.1 tell 10.92.100.10, length 28
...


A tcpdump on the WireGuard interface shows an ARP request, but it is never answered. On the VXLAN interface itself there is no traffic to see at all :( In the GUI under "Interfaces -> Diagnostics -> Netstat -> (Tab) Interfaces -> vxlan0 / AA:BB:CC:11:22:33 -> received-errors" this value keeps counting up if I send pings from the other side to this endpoint.

So I do not know why there is an error, maybe "ARP suppression"?
@drum7, did you have any success with VXLAN over WireGuard? My first test is without a bridge, just trying to ping the VXLAN interface itself. Never mind, with or without a bridge there is the same problem :|

Any hints for me?
Volker.

Shouldn't you see the encapsulated traffic instead of ARP?

Check out the attachment; this is a complete tcpdump from the WG interface when I try to ping the VXLAN interface. The VXLAN interface has no traffic at all :(???

The problem only happens if the VXLAN is routed over WireGuard; a direct p2p link without WireGuard is working like a charm.