* Bridging wg and normal interfaces?
@ 2018-01-25 10:23 Rafał Grasman
From: Rafał Grasman @ 2018-01-25 10:23 UTC (permalink / raw)
  To: wireguard


Hello,

I would like to bridge my LAN and WireGuard interfaces so I can make a
site-to-site VPN with the gateway/router being at the other site.

But when using brctl to add wg0 to a bridge, the operation is not supported.

This is the setup I am aiming for:

Isolated VM virteth0 - preferably dhcp 172.16.0.2/24 from remote site
(gateway 172.16.0.1/24)

Switch VM - wg0 with 172.16.0.254/24 and eth0 with 192.168.1.254/24 (for
internet access through gw 192.168.1.1/24) and virteth0 (manual, no ip, no
dhcp), I want to bridge virteth0 and wg0.

Remote machine with wg0 172.16.0.1/24 and a public ip on eth0 (e.g.
11.22.33.44/32)

Both virteth0's are connected together on the host machine.

Is this somehow possible with WireGuard? As for now the Switch VM isn't a
switch, it acts as a router, which does work but is not something I want
(it forces me to have a different IP on virteth0 on the Switch VM than wg0 has,
which forces me to make everything look like it came from the Switch VM instead
of the real addresses, because both the remote machine and the Switch VM have
to act as routers; I want only one router in this setup, the remote machine).

Thanks in advance for your time and help :)



* Re: Bridging wg and normal interfaces?
@ 2018-01-25 11:08 ` Jason A. Donenfeld
From: Jason A. Donenfeld @ 2018-01-25 11:08 UTC (permalink / raw)
  To: Rafał Grasman; +Cc: WireGuard mailing list

WireGuard is layer 3, not layer 2, so bridging is not what you want.

Instead, do ordinary IP routing between different subnets. As you
appear to already have different subnets, this shouldn't be a problem.

If you'd like to overlap within the same subnet, there's always proxy
arp, but I'd caution against that approach.

Lots of people run into this confusion about layer 2 vs layer 3. We
can probably walk you through getting things rolling for your
particular setup in #wireguard on Freenode, if you have IRC.

Jason


* Re: Bridging wg and normal interfaces?
@ 2018-01-25 19:44   ` Matthias Urlichs
From: Matthias Urlichs @ 2018-01-25 19:44 UTC (permalink / raw)
  To: wireguard

On 25.01.2018 12:08, Jason A. Donenfeld wrote:
> WireGuard is layer 3, not layer 2, so bridging is not what you want.

Though if you *do* want (or need) bridging, l2tp is your friend.

See for example https://remote-lab.net/linux-l2tp-ethernet-pseudowires

How to change this example to go through wireguard is left as an
exercise for the esteemed reader. ;-)

-- 
-- Matthias Urlichs


* Fwd: Bridging wg and normal interfaces?
@ 2018-01-27 13:24     ` Rafał Grasman
From: Rafał Grasman @ 2018-01-27 13:24 UTC (permalink / raw)
  To: wireguard


Ah, alright, thanks for the info. I finally figured out everything by myself,
though I still have one small problem.

For reference, here's everything I have done:

<begin>

Isolated VM's DHCP: 172.16.1.0/16

Switch wg0: 172.16.0.2/30
Switch ens3: 172.16.1.1/16
Switch ens2: 192.168.2.xx/24 gw 192.168.2.254/24

Router wg0: 172.16.0.1/30
Router eth0: 35.224.54.65/32

# both machines
echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable-wireguard.list
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 150\n' > /etc/apt/preferences.d/limit-unstable
apt update
apt-get install -y linux-headers-$(uname -r) wireguard

# both machines /etc/sysctl.conf
net.ipv4.ip_forward=1
net.ipv4.conf.all.proxy_arp = 1

# post up (ens3 of switch) and (eth0 of router) run (wg-quick up wg0)

####isc-dhcp-server (on switch ens3):
option domain-name "pcr";
option domain-name-servers 8.8.8.8, 8.8.4.4;

default-lease-time 600;
max-lease-time 7200;

ddns-update-style none;

authoritative;

subnet 172.16.0.0 netmask 255.255.0.0 {
  range 172.16.1.2 172.16.255.253;
  option routers 172.16.0.1;
}

############### lan vm /etc/wireguard/wg0.conf
[Interface]
PrivateKey = *************
ListenPort = 12345
Address = 172.16.0.2/30
PostUp = ip route add 172.16.0.1/32 via 172.16.0.2 dev wg0 ; route del default gw 192.168.2.254 ; ip route add 192.168.2.254 dev ens2 ; route add default gw 172.16.0.1 dev wg0 ; ip route add 35.224.54.65 via 192.168.2.254 ; iptables -A FORWARD -i ens3 -o wg0 -j ACCEPT ; iptables -A FORWARD -i wg0 -o ens3 -j ACCEPT

[Peer]
PublicKey = *************
Endpoint = 35.224.54.65:12345
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 1


############### google vm /etc/wireguard/wg0.conf
[Interface]
PrivateKey = *************
ListenPort = 12345
Address = 172.16.0.1/30
PostUp = ip route add 172.16.0.2/32 via 172.16.0.1 dev wg0 ; ip route add 172.16.0.0/16 via 172.16.0.2 dev wg0 ; iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT ; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE ; iptables -A FORWARD -i wg0 -j ACCEPT

[Peer]
PublicKey = *************
AllowedIPs = 0.0.0.0/0

<end>

Now the problem I face: whenever I run 'wg-quick up wg0' on a Google Cloud
Engine VM, I can't SSH to it anymore from the WAN side, but the weird thing
is, from the 'switch' I can ping the router just fine; they have a
connection, I can even SSH (sometimes not).

Now what's weird is, when I do all configuration steps with commands (ip ..,
wg set .. blabla) and make it with those commands just like the config,
everything works fine. So I have a script that just does the commands, but
wg-quick should work, everything is the same. Yet this happens. Anything I
can do to debug this behaviour?

On 25 January 2018 at 12:08, Jason A. Donenfeld <Jason@zx2c4.com> wrote:

> WireGuard is layer 3, not layer 2, so bridging is not what you want.
>
> Instead, do ordinary IP routing between different subnets. As you
> appear to already have different subnets, this shouldn't be a problem.
>
> If you'd like to overlap within the same subnet, there's always proxy
> arp, but I'd caution against that approach.
>
> Lots of people run into this confusion about layer 2 vs layer 3. We
> can probably walk you through getting things rolling for your
> particular setup in #wireguard on Freenode, if you have IRC.
>
> Jason
>


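As an added illustration of the routing point raised in Jason's reply and of the wg-quick behaviour behind the last message's SSH symptom, here is a small Python script that is not part of the thread and not WireGuard project code. It parses a wg-quick style wg0.conf and models what wg-quick does when a peer's AllowedIPs contains 0.0.0.0/0 with the default Table = auto: it installs a policy rule "table main suppress_prefixlength 0" followed by "not fwmark <table> table <table>", so any destination that the main table covers only by its default route is answered through wg0. A hand-written ip/wg set script that merely adds routes does not install those rules, which is why the two approaches behave differently. The sample config and the main-table routes below are constructed in the shape of the "google vm" side of the thread (the keys are placeholders); the administrative source address 203.0.113.10 is a documentation address, not a real host.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample in the shape of the "google vm" wg0.conf from the thread.
# The key values are placeholders, not real keys.
SAMPLE_CONF = """\
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
ListenPort = 12345
Address = 172.16.0.1/30
PostUp = ip route add 172.16.0.0/16 via 172.16.0.2 dev wg0 ; iptables -A FORWARD -i wg0 -j ACCEPT

[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0
"""

# Constructed main routing table of that host: a /32 on the uplink (as in the
# thread) plus the route the PostUp above adds. Only prefix lengths matter here.
SAMPLE_MAIN_ROUTES = ["35.224.54.65/32", "172.16.0.0/16"]

Section = Dict[str, List[str]]


def parse_wg_conf(text: str) -> Tuple[Section, List[Section]]:
    """Parse a wg-quick style INI file into the [Interface] section and a list
    of [Peer] sections. Values are lists because keys such as PostUp may repeat."""
    interface: Section = {}
    peers: List[Section] = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment in wg-quick files
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "interface":
                current = interface
            elif name == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section: {line}")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"expected 'Key = value' inside a section: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current.setdefault(key, []).append(value)
    return interface, peers


def allowed_networks(peer: Section) -> list:
    """Flatten a peer's (comma separated, possibly repeated) AllowedIPs entries."""
    nets = []
    for value in peer.get("AllowedIPs", []):
        for item in value.split(","):
            if item.strip():
                nets.append(ipaddress.ip_network(item.strip(), strict=False))
    return nets


def installs_default_route_rules(conf_text: str) -> bool:
    """True when wg-quick would add its default-route policy rules: Table is
    'auto' (the default) and some peer lists a /0 network in AllowedIPs."""
    interface, peers = parse_wg_conf(conf_text)
    table = interface.get("Table", ["auto"])[-1].strip().lower()
    if table != "auto":
        return False
    return any(net.prefixlen == 0 for peer in peers for net in allowed_networks(peer))


def reply_path(conf_text: str, main_routes: List[str], dst: str) -> str:
    """Which table answers a packet to `dst` once the interface is up.
    With the wg-quick rules in place, main-table routes other than the default
    route still win (suppress_prefixlength 0); everything else falls through to
    the tunnel's table, whose only route is the default via wg0."""
    if not installs_default_route_rules(conf_text):
        return "main"
    address = ipaddress.ip_address(dst)
    for route in main_routes:
        net = ipaddress.ip_network(route, strict=False)
        if net.prefixlen > 0 and address in net:
            return "main"
    return "wg0"


def findings(conf_text: str, main_routes: List[str], admin_src: str) -> List[str]:
    """Summarise the consequence for an administrative source address."""
    notes = []
    if reply_path(conf_text, main_routes, admin_src) == "wg0":
        notes.append(
            f"replies to {admin_src} leave via wg0 instead of the uplink; "
            "set 'Table = off' and add the routes in PostUp, or list the remote "
            "subnets in AllowedIPs instead of 0.0.0.0/0"
        )
    return notes


if __name__ == "__main__":
    for note in findings(SAMPLE_CONF, SAMPLE_MAIN_ROUTES, "203.0.113.10"):
        print(note)
```

Running the script against the constructed config reports that replies to an outside SSH client leave via wg0, while a host inside 172.16.0.0/16 is still matched by the main table (and reaches wg0 anyway through the PostUp route). Adding Table = off, or narrowing AllowedIPs to the remote subnets as Jason's reply suggests, makes the same check come back clean.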
