There is no Layer2 option in WireGuard

2020-11-22 09:03:03  Reads: 311  Source: Internet



-----------------------
 notes.superlogical.ch
-----------------------


There is no Layer2 option in WireGuard

Last update: 07.06.2020 21:20


As stated in the first sentence of “WireGuard: Next Generation Kernel Network Tunnel” [1]:

“WireGuard is a secure network tunnel, operating at layer 3, implemented...”

All questions on StackExchange regarding WireGuard and bridging or broadcast traffic are answered pretty quickly: “It’s layer 3”. Period… except that multicast and IPv6 link-local addresses may eventually be supported in the future.

Over the past years, I migrated lots of VPNs to WireGuard. Since it found its way into the Linux kernel (first commit), it has become my first choice when it comes to VPNs.

Now, in 99.5% of the cases, implementing the VPN at layer 3 is the required solution. In the remaining .5% there is no way around at least a bit of layer 2. Thinking of OpenVPN TAP interfaces, I was looking for a way to close the gap. A good friend of mine, @kpanic, a pretty busy guy in the Freifunk FF3L community, gave me a good hint: “Ever thought about GRETAP?”.

GRE stands for Generic Routing Encapsulation and is defined in RFC 2784. GRE interfaces operate on layer 3. In Linux there is a thing called “gretap”: a TAP interface on top of a GRE tunnel. Because it is a TAP, it simulates a link layer device and therefore carries Ethernet frames. I have not found good documentation about it, except in the kernel source.

GRE:    Ethernet | IPv4 Header | GRE Header | Inner IP Header | Payload
GRETAP: Ethernet | IPv4 Header | GRE Header | Inner Ethernet Header | Inner IP Header | Payload

Compared to GRE, GRETAP adds an “Inner Ethernet Header”. Keep in mind that all of this adds to our network overhead.

The case

Two sites, both with a private /24 IPv4 network, both Debian 10 boxes installed on an APU2-based router with three gigabit Ethernet NICs.

The plan is that the third NIC (enp3s0) on router A gets bridged transparently to enp2s0 on router B, giving anything plugged into enp3s0 on router A the full layer 2 experience, as if directly connected to the switch on site B.

On both sites: a WAN/cable modem on enp1s0, and the network devices, firewalled, behind a switch on enp2s0. Let’s call them Router A & B / Site A & B.

  • Site Network A: 192.168.178.0/24
  • Site Network B: 192.168.92.0/24

WireGuard Config on Router A

[Interface]
PrivateKey = PrivateKeyRouterA
Address = 10.15.14.2/24

[Peer]
PublicKey = PublicKeyRouterB
AllowedIPs = 192.168.92.0/24,10.15.14.0/24
Endpoint = MyRemoteServer.com:4900
PersistentKeepalive = 15

WireGuard Config on Router B

[Interface]
Address = 10.15.14.1/24
ListenPort = 4900
PrivateKey = PrivatekeyRouterB

[Peer]
# APU2(Static Route)
PublicKey = PublicKeyRouterA
AllowedIPs = 10.15.14.2/32,192.168.178.0/24

How I think it could be solved

There are some prerequisites that need to be in place to make the bridge setup work.

Ensure IPv4 forwarding is enabled on both sites (this should be a given on a router):

-> # cat /etc/sysctl.conf | grep net.ipv4.ip_forw
net.ipv4.ip_forward=1

bridge-utils is installed on both sites:

-> #  apt install bridge-utils

MSS clamping on both sides in FORWARD (this is the quick method of getting the MSS right):

-> #  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

and br_netfilter gets loaded on boot. If it is not, your iptables FORWARD rules will not apply to traffic crossing the resulting bridge.

-> # cat /etc/modules-load.d/brnetfilter.conf 
br_netfilter

Time to create a bridge interface on both sides.

Router A: In /etc/network/interfaces we create a bridge and connect enp3s0 to it. There is no IP configuration on enp3s0 nor on the bridge.

allow-hotplug enp3s0
iface enp3s0 inet manual 

auto br0
# Bridge setup
iface br0 inet manual
    bridge_ports enp3s0


Router B: In /etc/network/interfaces we create a bridge and connect enp2s0 to it on boot. The bridge is configured with the static internal network address 192.168.92.1/24; enp2s0 itself is set to manual with no address.

allow-hotplug enp2s0
iface enp2s0 inet manual

auto br0
iface br0 inet static
    address 192.168.92.1
    netmask 255.255.255.0
    bridge_ports enp2s0

Append PostUp & PostDown scripts to wg0.conf on Router A

[Interface]
PrivateKey = PrivateKeyRouterA
Address = 10.15.14.2/24
PostUp = ip link add name gretap1 type gretap local 192.168.178.1 remote 192.168.92.1 
PostUp = ip link set gretap1 up
PostUp = ip link set gretap1 master br0
PostDown = ip link del gretap1

[Peer]
# SiteB (Static Route)
PublicKey = PublicKeyRouterB
AllowedIPs = 192.168.92.0/24,10.15.14.0/24
Endpoint = MyRemoteServer.com:4900
PersistentKeepalive = 15

Append PostUp & PostDown scripts to wg0.conf on Router B

[Interface]
Address = 10.15.14.1/24
ListenPort = 4900
PrivateKey = PrivatekeyRouterB
PostUp = ip link add name gretap1 type gretap local 192.168.92.1 remote 192.168.178.1 
PostUp = ip link set gretap1 up
PostUp = ip link set gretap1 master br0
PostDown = ip link del gretap1
    
[Peer]
# SiteA (Static Route)
PublicKey = PublicKeyRouterA
AllowedIPs = 10.15.14.2/32,192.168.178.0/24
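As an added example (not part of the original post), the following shell functions put numbers on the header overhead from the GRE/GRETAP table and on what the MSS clamp rule has to achieve; the 1500-byte path MTU to the Endpoint and the wg-quick defaults are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: how much MTU the GRETAP-over-
# WireGuard stack leaves for hosts behind br0, and the TCP MSS the FORWARD
# clamp rule must produce. Header sizes are protocol constants; the 1500-byte
# path MTU to MyRemoteServer.com is an assumption.

# wg-quick reserves 80 bytes on top of the route MTU to the Endpoint:
# 40 (IPv6 outer, worst case) + 8 (UDP) + 32 (WireGuard data header + tag).
# With an IPv4 endpoint the real overhead is 60 bytes, but wg0 still gets 1420.
wg_mtu() {                     # $1 = path MTU to the peer's Endpoint
    echo $(( $1 - 80 ))
}

# gretap adds, inside the WireGuard tunnel: 20 (IPv4 delivery header, local ->
# remote) + 4 (GRE base header) + 14 (inner Ethernet header). A GRE key costs
# 4 more bytes, an 802.1Q-tagged inner frame another 4.
gretap_overhead() {            # $1 = 1 if a GRE key is used, $2 = 1 if VLAN tagged
    echo $(( 20 + 4 + 4 * ${1:-0} + 14 + 4 * ${2:-0} ))
}

# Largest payload gretap1 (and so anything bridged through br0) can carry.
# Linux derives gretap1's MTU the same way: MTU of the route to "remote"
# (here wg0) minus the encapsulation headers.
gretap_mtu() {                 # $1 = path MTU, $2/$3 as for gretap_overhead
    echo $(( $(wg_mtu "$1") - $(gretap_overhead "$2" "$3") ))
}

# TCP MSS a bridged host must end up with: inner MTU minus IPv4 + TCP headers.
# This is the target the TCPMSS clamp rule on the FORWARD chain has to reach.
inner_tcp_mss() {
    echo $(( $(gretap_mtu "$1" "$2" "$3") - 20 - 20 ))
}

report() {
    printf 'path MTU to endpoint : %s\n' "$1"
    printf 'wg0 MTU              : %s\n' "$(wg_mtu "$1")"
    printf 'gretap1 / br0 MTU    : %s\n' "$(gretap_mtu "$1" "$2" "$3")"
    printf 'inner TCP MSS        : %s\n' "$(inner_tcp_mss "$1" "$2" "$3")"
}

report 1500        # plain gretap as in the configs above, untagged frames
report 1500 1 1    # keyed tunnel with VLAN-tagged frames bridged through
```

It needs no root and no network interfaces; compare its gretap1 figure with `ip link show gretap1` on a router where the PostUp lines have run.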

Sources

© 2020 notes.superlogical.ch.

Source: https://blog.csdn.net/youxiaojie1979/article/details/109916237
