VXLAN inside WireGuard tunnel

Hello!
The goal is to have PC1 and PC2 in the same Layer 2 network. Is the current configuration on the right track, or should I approach it differently?
CHR-1

/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
set [ find default-name=ether3 ] disable-running-check=no
set [ find default-name=ether4 ] disable-running-check=no
set [ find default-name=ether5 ] disable-running-check=no
set [ find default-name=ether6 ] disable-running-check=no
set [ find default-name=ether7 ] disable-running-check=no
set [ find default-name=ether8 ] disable-running-check=no
/interface wireguard
add listen-port=55112 mtu=1420 name=wireguard1
/ip pool
add name=dhcp_pool0 ranges=10.10.0.2-10.10.0.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1 name=dhcp1
/interface vxlan
add mac-address=42:B7:95:2D:09:82 name=vxlan1 port=8472 vni=1 vrf=main vteps-ip-version=ipv4
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface=vxlan1
add bridge=bridge1 interface=ether8
/interface vxlan vteps
add interface=vxlan1 remote-ip=10.0.0.2
/interface wireguard peers
add allowed-address=10.0.0.2/24 interface=wireguard1 name=CHR-2 public-key="4pcqyLVY1XcUNIM0Aq2bDSCXGCj9PTL44xlW2HQq2xQ="
/ip address
add address=10.10.0.1/24 interface=bridge1 network=10.10.0.0
add address=10.0.0.1/24 interface=wireguard1 network=10.0.0.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.10.0.0/24 gateway=10.10.0.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/system identity
set name=CHR-1
/system note
set show-at-login=no

CHR-2

/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
set [ find default-name=ether3 ] disable-running-check=no
set [ find default-name=ether4 ] disable-running-check=no
set [ find default-name=ether5 ] disable-running-check=no
set [ find default-name=ether6 ] disable-running-check=no
set [ find default-name=ether7 ] disable-running-check=no
set [ find default-name=ether8 ] disable-running-check=no
/interface wireguard
add listen-port=55112 mtu=1420 name=wireguard1
/interface vxlan
add mac-address=CA:E3:A1:BF:B3:8B name=vxlan1 port=8472 vni=1 vrf=main vteps-ip-version=ipv4
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface=vxlan1
add bridge=bridge1 interface=ether8
/interface vxlan vteps
add interface=vxlan1 remote-ip=10.0.0.1
/interface wireguard peers
add allowed-address=10.0.0.1/24 endpoint-address=192.168.1.46 endpoint-port=55112 interface=wireguard1 name=CHR-1 public-key="qniuz0qz6R9fCE+B78v6sbwYk/hEQjr3bkcJpMNaj3A="
/ip address
add address=10.0.0.2/24 interface=wireguard1 network=10.0.0.0
/ip dhcp-client
add interface=ether1
add interface=bridge1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/system identity
set name=CHR-2
/system note
set show-at-login=no

CHR.png
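An added consistency check for the two exports above (my own script, not part of the post and not a RouterOS tool): it parses the relevant sections of both configs and verifies that each VTEP remote-ip is the other router's WireGuard address, that it falls inside the local peer's allowed-address (otherwise WireGuard's cryptokey routing silently drops the packets), that it sits on the WireGuard interface's connected subnet (VXLAN itself carries frames in the clear, so the VTEP must only be reachable through the tunnel), and that VNI and UDP port agree. The excerpts are trimmed copies of the posted configs; the "broken" variant with the documentation address 203.0.113.2 is constructed to show a failing run. Only connected subnets are considered, not static routes.

```python
import ipaddress
import re

# Trimmed excerpts of the two exports from the post (constructed subset, relevant sections only).
CHR1 = """
/interface wireguard
add listen-port=55112 mtu=1420 name=wireguard1
/interface vxlan
add mac-address=42:B7:95:2D:09:82 name=vxlan1 port=8472 vni=1 vrf=main vteps-ip-version=ipv4
/interface vxlan vteps
add interface=vxlan1 remote-ip=10.0.0.2
/interface wireguard peers
add allowed-address=10.0.0.2/24 interface=wireguard1 name=CHR-2 public-key="4pcqyLVY1XcUNIM0Aq2bDSCXGCj9PTL44xlW2HQq2xQ="
/ip address
add address=10.10.0.1/24 interface=bridge1 network=10.10.0.0
add address=10.0.0.1/24 interface=wireguard1 network=10.0.0.0
"""

CHR2 = """
/interface wireguard
add listen-port=55112 mtu=1420 name=wireguard1
/interface vxlan
add mac-address=CA:E3:A1:BF:B3:8B name=vxlan1 port=8472 vni=1 vrf=main vteps-ip-version=ipv4
/interface vxlan vteps
add interface=vxlan1 remote-ip=10.0.0.1
/interface wireguard peers
add allowed-address=10.0.0.1/24 endpoint-address=192.168.1.46 endpoint-port=55112 interface=wireguard1 name=CHR-1 public-key="qniuz0qz6R9fCE+B78v6sbwYk/hEQjr3bkcJpMNaj3A="
/ip address
add address=10.0.0.2/24 interface=wireguard1 network=10.0.0.0
"""

# Constructed failure case: CHR-1 points its VTEP at an address outside the tunnel.
CHR1_BROKEN = CHR1.replace("remote-ip=10.0.0.2", "remote-ip=203.0.113.2")

KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def parse_export(text):
    """Parse a RouterOS export into {section path: [ {key: value}, ... ]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):            # e.g. "/interface vxlan vteps"
            current = line
            sections.setdefault(current, [])
            continue
        if current is None or line.split()[0] not in ("add", "set"):
            continue
        sections[current].append({k: v.strip('"') for k, v in KV.findall(line)})
    return sections


def tunnel_view(cfg):
    """Extract the parts of one router that matter for VXLAN over WireGuard."""
    s = parse_export(cfg)
    wg = s.get("/interface wireguard", [{}])[0]
    vx = s.get("/interface vxlan", [{}])[0]
    vtep = s.get("/interface vxlan vteps", [{}])[0]
    peer = s.get("/interface wireguard peers", [{}])[0]
    wg_addrs = [ipaddress.ip_interface(a["address"])
                for a in s.get("/ip address", []) if a.get("interface") == wg.get("name")]
    allowed = [ipaddress.ip_network(a, strict=False)
               for a in peer.get("allowed-address", "").split(",") if a]
    return {"wg_addrs": wg_addrs, "vni": vx.get("vni"), "port": vx.get("port"),
            "remote": ipaddress.ip_address(vtep["remote-ip"]), "allowed": allowed}


def check_pair(cfg_a, cfg_b):
    """Return a list of problems found in the pair of configs; empty means consistent."""
    a, b = tunnel_view(cfg_a), tunnel_view(cfg_b)
    problems = []
    for here, there, label in ((a, b, "A"), (b, a, "B")):
        r = here["remote"]
        if r not in [i.ip for i in there["wg_addrs"]]:
            problems.append(f"{label}: VTEP remote-ip {r} is not the peer's WireGuard address")
        if not any(r in n for n in here["allowed"]):
            problems.append(f"{label}: VTEP remote-ip {r} not covered by allowed-address; WireGuard drops it")
        if not any(r in i.network for i in here["wg_addrs"]):
            problems.append(f"{label}: VTEP remote-ip {r} is not on the WireGuard subnet; VXLAN would leave unencrypted")
    if a["vni"] != b["vni"]:
        problems.append(f"VNI mismatch: {a['vni']} vs {b['vni']}")
    if a["port"] != b["port"]:
        problems.append(f"VXLAN UDP port mismatch: {a['port']} vs {b['port']}")
    return problems


if __name__ == "__main__":
    print("posted configs:", check_pair(CHR1, CHR2) or "OK")
    print("broken variant:", check_pair(CHR1_BROKEN, CHR2))
```

The posted pair passes all checks; the constructed variant trips all three per-side checks on CHR-1, which is exactly the failure mode where the VXLAN traffic would bypass the tunnel.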

In general yes, in detail not so much. I mean, I could not find any important bit to miss in the configuration, but the actual behavior may not fulfil your expectations.

The overhead of Wireguard takes 80 bytes (hence MTU 1420 if the path between the peers has MTU 1500) and the overhead of VXLAN takes another 50 bytes (14 of which are the Ethernet header of the payload frame), so you end up with MTU of 1370 bytes (or 1384 bytes of L2MTU) on the VXLAN interface. The bridge IP interface inherits that, but the PCs connected to Ethernet ports of the bridge need to be configured accordingly as there is no mechanism that would convey the information about the MTU value across the Ethernet cable. If the PCs are also virtual, it is enough to set the MTU information on the virtual NICs, otherwise you have to configure it on the PCs themselves.

You can also manually force the MTU of the VXLAN interface to 1500 if you don’t mind that the VXLAN packets will get fragmented if the payload frames are larger than 1384 bytes. In a LAN like on your network diagram, fragmentation is not an issue, but I have seen non-first fragments get dropped even in datacenters, let alone on links that pass through the Internet. And, of course, the packet rate increases as the fragments are mostly handled as separate packets.

The only way I know to keep the L2MTU at 1514 (or even more) bytes and avoid fragmentation of the transport packets is to use L2TP in MLPPP mode, which uses multiple transport packets to transport large payload ones, i.e. it replaces fragmentation on IP level by “splitting” on L2TP level. Whether you use Wireguard or IPsec to encrypt the L2TP transport packets is up to you, in any case, it’s yet another layer of encapsulation.
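The MTU arithmetic in the reply above, carried through as an added example (my own code, not from the thread or RouterOS). The 80-byte WireGuard figure quoted there is the worst case with an IPv6 outer header (40 IP + 8 UDP + 32 WireGuard); over IPv4 it is 60, which is why the functions take the outer IP version as a parameter. The VXLAN leg assumes IPv4 VTEPs as in the posted config (20 IP + 8 UDP + 8 VXLAN + 14 inner Ethernet = 50). The fragment count models what happens when the VXLAN interface is forced to MTU 1500 and a full-size frame has to cross the 1420-byte WireGuard link.

```python
import math

IP_HEADER = {4: 20, 6: 40}
UDP_HEADER = 8
WG_OVERHEAD = 32      # 16-byte data message header + 16-byte Poly1305 tag
VXLAN_HEADER = 8
ETH_HEADER = 14


def wireguard_inner_mtu(path_mtu, outer_ip=6):
    """MTU available inside a WireGuard tunnel whose transport path has path_mtu bytes."""
    return path_mtu - IP_HEADER[outer_ip] - UDP_HEADER - WG_OVERHEAD


def vxlan_budget(transport_mtu, outer_ip=4):
    """(IP MTU, L2MTU) of a VXLAN interface carried over a transport with transport_mtu."""
    l2mtu = transport_mtu - IP_HEADER[outer_ip] - UDP_HEADER - VXLAN_HEADER
    return l2mtu - ETH_HEADER, l2mtu


def fragments_for_frame(frame_len, transport_mtu):
    """How many IPv4 transport packets one VXLAN-encapsulated Ethernet frame needs.

    Fragmentation happens on the sending router, so the fragment payload is
    rounded down to a multiple of 8 as the IPv4 fragment offset requires.
    """
    packet = frame_len + IP_HEADER[4] + UDP_HEADER + VXLAN_HEADER
    if packet <= transport_mtu:
        return 1
    payload_per_fragment = (transport_mtu - IP_HEADER[4]) // 8 * 8
    return math.ceil((packet - IP_HEADER[4]) / payload_per_fragment)


def stack_report(path_mtu=1500, wg_outer_ip=6):
    """Summarise the whole VXLAN-in-WireGuard stack for a given underlay path MTU."""
    wg_mtu = wireguard_inner_mtu(path_mtu, wg_outer_ip)
    vx_ip_mtu, vx_l2mtu = vxlan_budget(wg_mtu)
    return {
        "wireguard_mtu": wg_mtu,
        "vxlan_ip_mtu": vx_ip_mtu,
        "vxlan_l2mtu": vx_l2mtu,
        # A PC left at the Ethernet default of 1500 emits 1514-byte frames.
        "fragments_for_default_pc_frame": fragments_for_frame(1514, wg_mtu),
    }


if __name__ == "__main__":
    for k, v in stack_report().items():
        print(f"{k:35} {v}")
```

With a 1500-byte underlay the report reproduces the reply's numbers (1420 / 1370 / 1384) and shows that a PC left at MTU 1500 forces every full-size frame into two transport packets, which is the loss-of-non-first-fragments risk the reply warns about.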

To put two PCs in the same L2 space did you consider trying zerotier?

Thank you for the very detailed answer. I will look into this approach.

This option is not off the table, but I thought I would try it without a third party.

Since I know squat about vxlan, I would have solved it with wireguard to securely connect the two subnets (using fw rules).
I would never vxlan over the internet directly. I suppose if there was some specific function requiring layer2, then one could vxlan over wireguard.