WireGuard, vxlan and Multicast?

Hey,
I'm having problems with broadcast/multicast behind two OpenWRT routers.

I have a wg tunnel between two OpenWRT routers. The tunnel works: I can ping each other's tunnel IPs and have access to all other PCs when routing is enabled. However, broadcast/multicast does not work through the tunnel.

For that, I created a vxlan on top of the tunnel, since this is layer 2 (I thought).
However, I can also access all other PCs using the vxlan layer, but still no multicast/broadcast.

What I did:
Router 1:
IP 10.0.0.1/24
Tunnel IP 100.64.0.1/24
vxlan 10.99.99.1/24

brctl addbr internet                        # bridge that carries the overlay LAN
brctl stp internet on
ip addr add 10.99.99.1/24 dev internet      # overlay address sits on the bridge, not on the vxlan device
ip link add router2 type vxlan remote 100.64.0.2 id 1 dstport 4789   # unicast VXLAN, VNI 1, to the peer's WireGuard address on the IANA port 4789
ip link set up dev internet
ip link set up router2
brctl addif internet router2                # the vxlan device becomes a port of the bridge
ping 10.99.99.2

Router 2:
IP 10.0.1.1/24
Tunnel IP 100.64.0.2/24
vxlan 10.99.99.2/24

brctl addbr internet                        # same as Router 1 with the addresses swapped
brctl stp internet on
ip addr add 10.99.99.2/24 dev internet
ip link add router1 type vxlan remote 100.64.0.1 id 1 dstport 4789   # VNI and port must match Router 1
ip link set up dev internet
ip link set up router1
brctl addif internet router1
ping 10.99.99.1

Any ideas on how to use multicast on vxlan? Thanks!

Hey, first I have to say that I don't use vxlan.
Make sure that there is no layer 2 firewall active!

Maybe take a look at gretap over WireGuard, which has excellent performance as the overhead is low:
https://justus.berlin/2016/02/performance-of-tunneling-methods-in-openwrt/
Multicast and broadcasts are working.

btw.: gretap has 38 bytes of overhead whereas vxlan has an overhead of 50 bytes.
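
The two overhead figures quoted above can be checked byte by byte. The following is an added example, not code from the thread or from OpenWrt: it builds and parses both encapsulations (outer IPv4 + UDP + VXLAN header, and outer IPv4 + GRE header with the Transparent Ethernet Bridging protocol type), counts the bytes added per inner IP packet with the inner Ethernet header included, and then goes one step beyond the post by working out how much MTU is left inside the tunnel. All addresses, MACs and the payload are constructed for the example; the WireGuard MTU of 1420 is the wg-quick/OpenWrt default and is an assumption about the reader's tunnel.

```python
"""Added example: VXLAN vs GRE-TAP encapsulation, overhead and inner MTU.

Not code from the thread. Addresses, MACs and payload are constructed;
WG_MTU is the default WireGuard MTU and is an assumption about the setup.
"""
import socket
import struct

VXLAN_PORT_IANA = 4789    # IANA-assigned port, as in the original poster's commands
VXLAN_PORT_LINUX = 8472   # Linux legacy default, what "dstport 0" selects
IPPROTO_UDP = 17
IPPROTO_GRE = 47
GRE_PROTO_TEB = 0x6558    # Transparent Ethernet Bridging: GRE carrying a whole Ethernet frame
WG_MTU = 1420             # assumption: default WireGuard MTU chosen by wg-quick/OpenWrt


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def eth_frame(src_mac, dst_mac, ethertype, payload):
    """14-byte Ethernet header in front of the payload."""
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ethertype) + payload


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left 0 (a real sender fills it in)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def vxlan_encap(outer_src, outer_dst, vni, inner_frame, dport=VXLAN_PORT_IANA):
    """outer IPv4 (20) + UDP (8) + VXLAN (8) + inner Ethernet frame."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI is a 24-bit field")
    # VXLAN header: flags byte with the I bit (0x08) set, 3 reserved bytes,
    # then the 24-bit VNI followed by 1 reserved byte.
    vxlan_hdr = struct.pack("!BBBB", 0x08, 0, 0, 0) + struct.pack("!I", vni << 8)
    udp_payload = vxlan_hdr + inner_frame
    udp_hdr = struct.pack("!HHHH", 49152, dport, 8 + len(udp_payload), 0)
    return (ipv4_header(outer_src, outer_dst, IPPROTO_UDP, 8 + len(udp_payload))
            + udp_hdr + udp_payload)


def gretap_encap(outer_src, outer_dst, inner_frame):
    """outer IPv4 (20) + GRE (4, no C/K/S options) + inner Ethernet frame."""
    gre_hdr = struct.pack("!HH", 0, GRE_PROTO_TEB)
    return (ipv4_header(outer_src, outer_dst, IPPROTO_GRE, 4 + len(inner_frame))
            + gre_hdr + inner_frame)


def vxlan_decap(packet):
    """Return (udp_dst_port, vni, inner_frame) or raise if it is not VXLAN."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_UDP:
        raise ValueError("not UDP")
    _, dport, ulen, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    vx = packet[ihl + 8:ihl + 16]
    if not vx[0] & 0x08:
        raise ValueError("VXLAN I flag not set")
    vni = struct.unpack("!I", vx[4:8])[0] >> 8
    return dport, vni, packet[ihl + 16:ihl + ulen]


def gretap_decap(packet):
    """Return the inner Ethernet frame or raise if it is not GRE-TAP."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE:
        raise ValueError("not GRE")
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0xB000:   # C, K or S bit set: header would be longer than 4 bytes
        raise ValueError("GRE options not handled by this parser")
    if proto != GRE_PROTO_TEB:
        raise ValueError("GRE payload is not an Ethernet frame")
    return packet[ihl + 4:]


def overhead(encap_packet, inner_ip_packet):
    """Bytes added on the wire per inner IP packet, inner Ethernet header included."""
    return len(encap_packet) - len(inner_ip_packet)


def inner_mtu(tunnel_mtu, overhead_bytes):
    """Largest inner IP packet that still fits in one tunnel packet."""
    return tunnel_mtu - overhead_bytes


def demo():
    # Constructed inner packet: a stub IPv4 header to the overlay broadcast address plus 5 bytes.
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 25, 0, 0, 64, 1, 0,
                           socket.inet_aton("10.99.99.1"), socket.inet_aton("10.99.99.255")) + b"hello"
    frame = eth_frame("02:00:00:00:00:01", "ff:ff:ff:ff:ff:ff", 0x0800, inner_ip)
    vx = vxlan_encap("100.64.0.1", "100.64.0.2", 1, frame)
    gt = gretap_encap("10.0.1.1", "10.0.0.1", frame)
    return {
        "vxlan_overhead": overhead(vx, inner_ip),
        "gretap_overhead": overhead(gt, inner_ip),
        "vxlan_inner_mtu": inner_mtu(WG_MTU, overhead(vx, inner_ip)),
        "gretap_inner_mtu": inner_mtu(WG_MTU, overhead(gt, inner_ip)),
        "vxlan_roundtrip": vxlan_decap(vx) == (VXLAN_PORT_IANA, 1, frame),
        "gretap_roundtrip": gretap_decap(gt) == frame,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The 50 and 38 come out of the header sizes alone; the practical consequence is the last two numbers: with the outer packet riding a 1420-byte WireGuard link, the bridged LAN sees at most 1370 (VXLAN) or 1382 (GRE-TAP) bytes per IP packet, so the MTU of the tunnel device should be lowered accordingly or large frames will be fragmented or dropped.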

Perhaps someone else can help - I'm not familiar with vxlan. I know others in this forum have sought to run layer 2 protocols over WireGuard too.

But is this OpenWrt? If so, can you provide the OpenWrt configs?

If these are the OpenWrt configs, the issue is that you haven't enumerated these devices in UCI (necessary for proper configuration of the firewall, etc.).

Thanks, it works perfectly with gretap.

However, the ip link interfaces are gone after a reboot. I helped myself with two little scripts:

script1.sh

#!/bin/sh
# Wait until Router 1's LAN address answers through the WireGuard tunnel,
# then build the gretap tunnel. When called from /etc/rc.local, start it
# in the background ("/root/script1.sh &") so it does not hold up the boot.

while ! ping -c1 10.0.0.1 >/dev/null 2>&1     # POSIX redirect; "&>" is a bash-ism
do
        echo "Ping Fail - $(date)"
        sleep 5                                 # do not spin while the route does not exist yet
done
echo "Host Found - $(date)"
/root/script2.sh

and

script2.sh

#!/bin/sh
# Build the GRE-TAP tunnel to Router 1 and bridge it into the LAN.
ip link add gretap1 type gretap local 10.0.1.1 remote 10.0.0.1   # local = this router's LAN IP, remote = Router 1's LAN IP, reached via the WireGuard route
ip link set gretap1 up
brctl addif br-lan gretap1                                       # bridge the tap end with the LAN so broadcast/multicast crosses the tunnel

and called the first script in /etc/rc.local

The first script tries to ping the second host. If not successful, it logs to /tmp.
If successful, it calls a second script which then builds the gretap tunnel.

Again, thanks!


You can use gretap in /etc/config/network and bridges as described here:
https://openwrt.org/docs/guide-user/network/tunneling_interface_protocols#protocol_gre_gre_tunnel_over_ipv4

You don't have to use any scripts then. It's a cleaner implementation, I think.

Thanks,
I tried, but the gretap tunnel only connects when the WireGuard tunnel is already working. This takes up to one minute after reboot, which then makes the gretap fail. I have not found a better solution; maybe anyone else has?
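
The same dependency can be expressed in UCI instead of a polling script. The following is an added example, not part of the thread: the gre protocol handler accepts a tunlink option that binds the tunnel to another interface, so netifd configures the gretap device only once that interface is up and provides the route to the peer address, and a network option that bridges the tap end into an existing bridge. The fragment is for Router 2 and mirrors script2.sh above; it assumes the WireGuard interface is called wg0, that the LAN bridge is the stock lan interface (br-lan), and that wg0 runs with the default MTU of 1420, which leaves 1382 bytes for the inner frame after the 38-byte GRE-TAP overhead.

```uci
# /etc/config/network on Router 2 (swap ipaddr/peeraddr on Router 1).
# Added example, not from the thread. Assumes the WireGuard interface is
# named 'wg0', the LAN bridge is the stock 'lan' (br-lan) and wg0 has MTU 1420.
config interface 'gretap1'
        option proto 'gretap'
        option ipaddr '10.0.1.1'      # local endpoint: this router's LAN address
        option peeraddr '10.0.0.1'    # remote endpoint: Router 1's LAN address, routed over wg0
        option tunlink 'wg0'          # set up the tunnel only once wg0 is up and routes to the peer
        option network 'lan'          # attach the tap end to br-lan
        option mtu '1382'             # assumption: wg0 MTU 1420 minus 38 bytes GRE-TAP overhead
```

After editing, apply it with /etc/init.d/network reload; ip -d link show gretap1 should list the device with its local and remote addresses, and brctl show should list it as a port of br-lan.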

I found a solution using vxlan and maybe it will be useful for someone. And I have a question:
Is it possible to add vxlan configuration to /etc/config/network?
I don't see it here: https://openwrt.org/docs/guide-user/network/tunneling_interface_protocols
But it was mentioned in the release notes, so maybe it is just not documented?
"Introduced support for configuring GRE, GRE-TAP, VETH, VTI, VXLAN"

Initial assumption: the WireGuard connection is working.
Node1 addresses: 10.4.4.1 (WireGuard) and 192.168.111.1 (new local LAN)
Node2 addresses: 10.4.4.2 (WireGuard) and 192.168.111.2 (new local LAN)

First I have to install

opkg install ip-bridge
opkg install ip-full

Then add new bridge:

/etc/config/network
config interface 'LanVPN'
        option proto 'static'
        option type 'bridge'
        option netmask '255.255.255.0'
        option ipaddr '192.168.111.2'

Add a new VAP and assign it to the new bridge:

/etc/config/wireless
config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option encryption 'psk2'
        option key 'password'
        option network 'LanVPN'
        option ssid 'WifiVPN'

After that I execute manually (how do I add it to /etc/config/network?):

ip link add vxlan0 type vxlan id 42 dstport 0                        # dstport 0 = Linux legacy default port 8472
brctl addif br-LanVPN vxlan0                                          # make the vxlan device a port of the LanVPN bridge
bridge fdb append to 00:00:00:00:00:00 dst 10.4.4.1 dev vxlan0        # all-zero MAC = default destination: unknown unicast, broadcast and multicast are sent to the peer (head-end replication instead of multicast on the underlay)

and pinging the local addresses at both local sites is OK.

I played a little bit with this and raised an issue:
https://bugs.openwrt.org/index.php?do=details&task_id=2743

For vxlan in /etc/config/network:
node1:

config interface 'vxlan0'
        option proto 'vxlan'
        option port '8472'
        option vid '42'
        option ipaddr '10.4.4.1'
        option peeraddr '10.4.4.2'

node2:

config interface 'vxlan0'
        option proto 'vxlan'
        option port '8472'
        option vid '42'
        option ipaddr '10.4.4.2'
        option peeraddr '10.4.4.1'