Wireguard Site to Site - Does it pass Layer 2 Traffic?

Started by theprez1980, December 06, 2024, 12:56:35 AM

Hey All -

I have successfully configured Wireguard and have a site-to-site VPN tunnel going between two fiber networks with excellent latency (less than 5 ms).

I'm trying to use clustering with Proxmox, but I'm being told that the VPN I'm using (Wireguard) must allow Layer 2 traffic for the corosync service to work correctly. Is that enabled by default, or is it something I need to do?

The alternative suggestion, which I don't understand, is to pass one of the 192.168.0.X IPs to the far end of the connection using a VLAN so it appears to be on the same subnet as the rest of the nodes. Not sure if OPNsense does that or not.

Any ideas?

Thanks

Wireguard is a Layer 3 VPN, so that question answers itself. You can combine it with vxlan for example.

https://docs.opnsense.org/manual/how-tos/vxlan_bridge.html
Hardware:
DEC740

OpenVPN, TAP mode, would be an option.

Hope this helps

Layer 2 connections over WAN links are generally a bad idea.

https://blog.ipspace.net/2012/03/stretched-layer-2-subnets-server/
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

In a test environment I was able to make this work: having Layer 2 through a Wireguard tunnel, using VXLAN over Wireguard. This was a fun experiment. Someone was trying to connect two LANs with the same subnet and have the two distant networks share the subnet and reach either side without apparent routing. The goal was to be able to move a VM from one site to the other without having to set up the VM network config after the move. The only downside was that the VM would still use the far-side gateway after the move, but it still worked perfectly, with added latency obviously.

Here is the great picture of the operation.
You need an interface to manage the VXLAN, and then that interface needs to be bridged with the LAN interface, so your LAN will become that bridge in the end.

LAN = bridge0 (vtnet1_lan, vxlan1)
vtnet1_lan = LAN interface
vxlan1 = VXLAN interface that makes this work
WAN = The WAN you know... lol
wg_net = the Wireguard tunnel


Here is the overview of the interfaces. This was done in a VM lab, so the WAN IP is RFC1918 in this case.
The VXLAN is set up as such; those IPs are from the Wireguard tunnel: the Wireguard instance IP is in Source Address and the Wireguard peer IP in Remote Address.
Firewall rules for reference
Wireguard config overview for reference
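The lab above (bridge0 = LAN NIC + vxlan1, VXLAN endpoints on the Wireguard tunnel addresses) reconstructed as the FreeBSD ifconfig(8) and pf commands OPNsense drives under the hood, plus the MTU arithmetic the screenshots cannot show. This is an added example, not code from the forum post or from the OPNsense project; on a real box you would do the same through the GUI as in the linked VXLAN how-to. The tunnel addresses 10.10.10.1/10.10.10.2, VNI 100, NIC name vtnet1, the wg0 interface name and the 1500-byte WAN MTU are all assumed for illustration. The script only prints the commands so you can review them before applying them as root; the two caveats it encodes are that VXLAN has no authentication of its own (so UDP/4789 must only be accepted on the Wireguard interface from the peer's tunnel address) and that every bridge member inherits the reduced MTU, so LAN hosts will be carrying frames 130 bytes smaller than they expect.

```shell
#!/bin/sh
# Added example (not from the forum post or OPNsense): rebuild the
# VXLAN-over-Wireguard lab as commands and work out the MTU chain
# WAN -> Wireguard -> VXLAN -> bridge. Nothing is executed; the commands
# are printed for review. Addresses, VNI and interface names are hypothetical.

# Encapsulation overhead in bytes.
WG_UDP_HDR=8        # outer UDP header
WG_HDR=32           # Wireguard data message: type+reserved 4, receiver 4, counter 8, Poly1305 tag 16
VXLAN_OVERHEAD=50   # inner Ethernet 14 + outer IPv4 20 + UDP 8 + VXLAN 8

# wg_mtu WAN_MTU [OUTER_IP_HDR]
# MTU for the Wireguard interface. The default outer header size is 40 (IPv6,
# the worst case), which is how Wireguard reaches its default of 1420 on a
# 1500-byte WAN; pass 20 for an IPv4-only WAN.
wg_mtu() {
    echo $(( $1 - ${2:-40} - WG_UDP_HDR - WG_HDR ))
}

# vxlan_mtu WAN_MTU [OUTER_IP_HDR]
# Largest Ethernet payload the VXLAN interface, and therefore every member of
# the bridge, can carry before the encapsulated packet exceeds the Wireguard
# MTU and is either fragmented on the tunnel or dropped.
vxlan_mtu() {
    echo $(( $(wg_mtu "$1" "$2") - VXLAN_OVERHEAD ))
}

# emit_setup WAN_MTU LOCAL_TUN_IP REMOTE_TUN_IP VNI LAN_IF
# Prints the commands for one side of the link; the peer runs the same with
# the two tunnel addresses swapped.
emit_setup() {
    wan_mtu=$1; local_ip=$2; remote_ip=$3; vni=$4; lan_if=$5
    mtu=$(vxlan_mtu "$wan_mtu")
    cat <<EOF
# Unicast VXLAN between the two Wireguard tunnel addresses, so UDP/4789
# never appears on the WAN in clear text (VXLAN itself has no authentication).
ifconfig vxlan1 create vxlanid $vni vxlanlocal $local_ip vxlanremote $remote_ip
ifconfig vxlan1 mtu $mtu up
# if_bridge keeps all members at one MTU, so the LAN NIC is set to match
# before it is added; otherwise the first member's MTU wins and oversized
# frames get fragmented or dropped inside the tunnel.
ifconfig $lan_if mtu $mtu up
ifconfig bridge0 create
ifconfig bridge0 addm $lan_if addm vxlan1 up
# pf rule (pf.conf, or a firewall rule on the Wireguard interface in the GUI):
# accept VXLAN only on wg0 and only from the peer's tunnel address.
pass in quick on wg0 proto udp from $remote_ip to $local_ip port 4789
EOF
}

# Usage: print the commands for the 1500-byte-WAN lab; the peer side is
# emit_setup 1500 10.10.10.2 10.10.10.1 100 vtnet1
emit_setup 1500 10.10.10.1 10.10.10.2 100 vtnet1
```

With a 1500-byte WAN this yields 1420 for the Wireguard interface and 1370 for vxlan1 and the bridge. Hosts on the stretched LAN either need their MTU lowered to that value or will depend on the tunnel fragmenting the outer packets, which is one more reason the stretched-Layer-2 warning above applies.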