Development discussion of WireGuard
* wgX iface as slave to a bridge - Linux
       [not found] <0c8b4be5-ee9d-4f19-7179-ad08a28d0574.ref@yahoo.co.uk>
@ 2021-04-24 10:11 ` lejeczek
  2021-04-25  5:33   ` Mike O'Connor
                     ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: lejeczek @ 2021-04-24 10:11 UTC (permalink / raw)
  To: WireGuard mailing list

Hi guys.

Apologies, I'll bother you guys as I failed to find some 
better places to ask, I searched for forums etc. but failed.

Can wireguard ifaces be enslaved by Linux bridge? I tried
but it did not work for me. Similarly "macvlan" -
would/should wireguard work that way?
What I've tried and failed was on CentOS stream with 
4.18.0-294.el8.x86_64.

many thanks, L.


* Re: wgX iface as slave to a bridge - Linux
  2021-04-24 10:11 ` wgX iface as slave to a bridge - Linux lejeczek
@ 2021-04-25  5:33   ` Mike O'Connor
  2021-04-25 12:21   ` Chriztoffer Hansen
  2021-04-25 14:07   ` Roman Mamedov
  2 siblings, 0 replies; 6+ messages in thread
From: Mike O'Connor @ 2021-04-25  5:33 UTC (permalink / raw)
  To: lejeczek; +Cc: WireGuard mailing list

Hi L.

No, WireGuard is a layer 3 VPN; a bridge is layer 2.

Cheers
Mike

> On 25 Apr 2021, at 2:02 pm, lejeczek <peljasz@yahoo.co.uk> wrote:
> 
> Hi guys.
> 
> Apologies, I'll bother you guys as I failed to find some better places to ask, I searched for forums etc. but failed.
> 
> Can wireguard ifaces be enslaved by Linux bridge? I tried but it did not work for me. Similarly "macvlan" - would/should wireguard work that way?
> What I've tried and failed was on CentOS stream with 4.18.0-294.el8.x86_64.
> 
> many thanks, L.



* Re: wgX iface as slave to a bridge - Linux
  2021-04-24 10:11 ` wgX iface as slave to a bridge - Linux lejeczek
  2021-04-25  5:33   ` Mike O'Connor
@ 2021-04-25 12:21   ` Chriztoffer Hansen
  2021-04-25 13:13     ` lejeczek
  2021-04-25 14:07   ` Roman Mamedov
  2 siblings, 1 reply; 6+ messages in thread
From: Chriztoffer Hansen @ 2021-04-25 12:21 UTC (permalink / raw)
  To: lejeczek; +Cc: WireGuard mailing list

> Can wireguard ifaces be enslaved by Linux bridge? I tried
> but it did not work for me. Similarly "macvlan" -
> would/should wireguard work that way?

Why would you want to enslave an L3-only capable interface to an L2 bridge?

What is your use case behind the question?

-- 
Chriztoffer



* Re: wgX iface as slave to a bridge - Linux
  2021-04-25 12:21   ` Chriztoffer Hansen
@ 2021-04-25 13:13     ` lejeczek
  2021-04-27 19:49       ` Ivan Labáth
  0 siblings, 1 reply; 6+ messages in thread
From: lejeczek @ 2021-04-25 13:13 UTC (permalink / raw)
  Cc: WireGuard mailing list



On 25/04/2021 13:21, Chriztoffer Hansen wrote:
>> Can wireguard ifaces be enslaved by Linux bridge? I tried
>> but it did not work for me. Similarly "macvlan" -
>> would/should wireguard work that way?
> Why would you want to enslave an L3-only capable interface to an L2 bridge?
>
> What is your use case behind the question?
>
Containers. Simple (but also can be complex too, as it scales
easily) case where containers would be glued together and be
able to communicate across nodes/hosts via wireguard
tunnel/link.
I'm looking at it from a 'regular' admin standpoint.
Then it'd be just one wireguard host-to-host link which all
containers could utilize, as opposed to separate wireguard
for/in each container.

many thanks, L.



* Re: wgX iface as slave to a bridge - Linux
  2021-04-24 10:11 ` wgX iface as slave to a bridge - Linux lejeczek
  2021-04-25  5:33   ` Mike O'Connor
  2021-04-25 12:21   ` Chriztoffer Hansen
@ 2021-04-25 14:07   ` Roman Mamedov
  2 siblings, 0 replies; 6+ messages in thread
From: Roman Mamedov @ 2021-04-25 14:07 UTC (permalink / raw)
  To: lejeczek; +Cc: WireGuard mailing list

On Sat, 24 Apr 2021 11:11:50 +0100
lejeczek <peljasz@yahoo.co.uk> wrote:

> Hi guys.
> 
> Apologies, I'll bother you guys as I failed to find some 
> better places to ask, I searched for forums etc. but failed.
> 
> Can wireguard ifaces be enslaved by Linux bridge? I tried
> but it did not work for me. Similarly "macvlan" -
> would/should wireguard work that way?
> What I've tried and failed was on CentOS stream with 
> 4.18.0-294.el8.x86_64.

As others have replied, it is an L3 interface, not L2 which can join bridges.
One solution that many use is to run an L2 tunnel over WireGuard, such as
VXLAN or GRETAP. But then you lose even more MTU compared to the standard 1500.

-- 
With respect,
Roman
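
The L2-over-WireGuard option and its MTU cost, as an added example that is not part of the original message: the script computes the MTU left for the bridged segment and prints, without running them, the iproute2 commands for one side of a point-to-point VXLAN. The names wg0, vxlan100 and br0, VNI 100, the 10.0.0.x tunnel addresses and a 1420-byte WireGuard MTU are assumptions.

```shell
#!/bin/sh
# Added example: plan an L2 VXLAN overlay carried inside a WireGuard tunnel.
# Interface names, VNI and addresses are assumptions for illustration.

# Bytes each L2 encapsulation puts in front of the inner IP packet.
# VXLAN:  outer IP + UDP (8) + VXLAN header (8) + inner Ethernet (14)
# GRETAP: outer IP + GRE (4, no key or checksum) + inner Ethernet (14)
l2_overhead() {  # $1 = vxlan|gretap, $2 = 4|6 (IP version used inside wg)
    case "$2" in 4) ip=20 ;; 6) ip=40 ;; *) return 1 ;; esac
    case "$1" in
        vxlan)  echo $((ip + 8 + 8 + 14)) ;;
        gretap) echo $((ip + 4 + 14)) ;;
        *) return 1 ;;
    esac
}

# MTU left for the bridged segment, given the WireGuard interface MTU.
overlay_mtu() {  # $1 = wg MTU, $2 = vxlan|gretap, $3 = 4|6
    oh=$(l2_overhead "$2" "$3") || return 1
    echo $(( $1 - oh ))
}

# Print (do not run) the commands for one side of a point-to-point VXLAN.
# local/remote are tunnel addresses, so the unauthenticated VXLAN traffic
# only ever travels inside the WireGuard tunnel.
vxlan_plan() {  # $1 = wg dev, $2 = wg MTU, $3 = local tunnel IP, $4 = remote tunnel IP
    mtu=$(overlay_mtu "$2" vxlan 4) || return 1
    cat <<EOF
ip link add vxlan100 type vxlan id 100 local $3 remote $4 dstport 4789 dev $1
ip link set vxlan100 mtu $mtu
ip link add br0 type bridge
ip link set vxlan100 master br0
ip link set vxlan100 up
ip link set br0 up
EOF
}

vxlan_plan wg0 1420 10.0.0.1 10.0.0.2
```

Container interfaces attached to br0 need the same reduced MTU, otherwise full-size frames are dropped or fragmented at the overlay.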


* Re: wgX iface as slave to a bridge - Linux
  2021-04-25 13:13     ` lejeczek
@ 2021-04-27 19:49       ` Ivan Labáth
  0 siblings, 0 replies; 6+ messages in thread
From: Ivan Labáth @ 2021-04-27 19:49 UTC (permalink / raw)
  To: lejeczek; +Cc: WireGuard mailing list

Normally, you would use routing (L3) instead of bridging (L2).
Conceptually, the connectivity should work about the same,
as long as you configure your routes and enable forwarding.
Routes need to be configured on the host, not container-only,
but if you assign a subnet to a bridge, devices can use addresses
from it without intervention on the host.

If you want roaming addresses, you could do live route
updates on your wireguard links and host routing table
for a native L3 solution. For a pre-existing automated
solution, you can use some kind of routing service,
usually with multiple additional layers of encapsulation,
as others have mentioned.

Regards,
ivan


On Sun, Apr 25, 2021 at 02:13:24PM +0100, lejeczek wrote:
> On 25/04/2021 13:21, Chriztoffer Hansen wrote:
> > What is your use case behind the question?
> >
> Containers. Simple (but also can be complex too, as it scales
> easily) case where containers would be glued together and be
> able to communicate across nodes/hosts via wireguard
> tunnel/link.
> I'm looking at it from a 'regular' admin standpoint.
> Then it'd be just one wireguard host-to-host link which all
> containers could utilize, as opposed to separate wireguard
> for/in each container.
> 
> many thanks, L.
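
The routed (L3) layout described in this reply, as an added example that is not part of the original message: each host gives its local bridge its own container subnet, enables forwarding, and routes the other hosts' subnets into wg0. The host names, subnets, tunnel addresses, interface names and key placeholders are constructed, and the commands are printed rather than executed.

```shell
#!/bin/sh
# Added example: routed container networking over one WireGuard link per host pair.
# Inventory values are constructed; <PUBKEY_*> are placeholders, not real keys.

# name  tunnel-ip  container-subnet  peer-public-key
HOSTS='hostA 10.0.0.1 172.20.1.0/24 <PUBKEY_A>
hostB 10.0.0.2 172.20.2.0/24 <PUBKEY_B>'

# Print (do not run) what host $1 needs to reach every other host's containers.
route_plan() {
    me=$1
    echo "$HOSTS" | grep -q "^$me " || return 1   # unknown host
    # The host forwards between its bridge and wg0.
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "$HOSTS" | while read -r name tun subnet key; do
        if [ "$name" = "$me" ]; then
            # The local bridge owns this host's subnet; containers use .1 as gateway.
            echo "ip addr add ${subnet%.0/24}.1/24 dev br0"
        else
            # WireGuard only passes a peer's traffic for prefixes in its
            # allowed-ips, so the remote container subnet must be listed
            # alongside the peer's tunnel address.
            echo "wg set wg0 peer $key allowed-ips $tun/32,$subnet"
            echo "ip route add $subnet dev wg0"
        fi
    done
}

route_plan hostA
```

Because `wg set ... allowed-ips` replaces the peer's whole list, the tunnel address is repeated next to the container subnet.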
