IT Notes - vxlan

Stefano Marinelli · 2024-07-15 · via IT Notes - vxlan

Introduction

System administrators often have to manage services spread across several Virtual Private Servers (VPS). This article describes a networking setup that bridges the networks of two VPS instances using WireGuard and VXLAN on FreeBSD, so that jails or VMs on either host share a single Layer 2 segment while all traffic between the hosts travels inside an encrypted tunnel. This configuration is particularly useful when you need to distribute services across different providers or want to leverage the strengths of multiple hosting environments.

Background

At BSD Cafe, we utilize various VPS instances to provide our services. The two main ones are:

  • A publicly accessible VPS that hosts the reverse proxy and all firewall rules for packet routing.
  • A larger VPS on a physical host I own, which is not directly exposed to the internet and doesn't have a public IP address.

Most of the jails hosting BSD Cafe services are distributed between these two VPS instances. Occasionally, I need to move services between them for performance reasons or to manage updates efficiently.

To facilitate this flexibility, I've always maintained a bridge on each VPS. Initially, I used ZeroTier to connect these bridges, allowing the jails on both hosts to communicate as if they were part of a single, large network.

The New Setup: WireGuard and VXLAN

While the ZeroTier setup worked, I decided to switch to a more streamlined solution using WireGuard and VXLAN. Here's why:

  • Performance: WireGuard runs in the FreeBSD kernel with very little overhead.
  • Simplicity: the configuration is short and easy to maintain.
  • Security: WireGuard uses a small, fixed set of modern primitives (Noise-based handshake, Curve25519, ChaCha20-Poly1305) and authenticates peers by their public keys, so there is no cipher negotiation to get wrong.

I had already set up a WireGuard connection between the two servers from the beginning. Since only one of them is publicly reachable, the public server just listens for connections, while the other connects to the public server's IP and sends a keepalive every 20 seconds so that the NAT mapping stays open while the tunnel is idle (rarely needed in practice, given the constant traffic between the jails).

To complete the setup, I added a VXLAN interface on each VPS, pointed at the peer's tunnel address, and added it to the local bridge; packets immediately started flowing between the two networks.

Step-by-Step Implementation

Follow these instructions to create a bridge between two different networks using WireGuard and VXLAN on FreeBSD. While I use this setup to connect jails at BSD Cafe, you can use it for other purposes, such as bridging bhyve VMs across providers.

Prerequisites

WireGuard is now part of the FreeBSD base system (the if_wg(4) kernel driver), so you no longer need to compile a module or use the Go implementation. We still install the wireguard-tools package for the wg(8) utility and, above all, the wg-quick(8) script, which applies the configuration file and runs the PostUp/PostDown hooks used below.

Start by installing the wireguard-tools package on both servers:

pkg install wireguard-tools

Configuration

Server 1 (Public IP)

  • Generate the WireGuard keys:
wg genkey | tee /dev/stderr | wg pubkey | grep --label PUBLIC -H .

The first line printed (via stderr) is the private key; the second, prefixed with PUBLIC:, is the public key. The private key goes into this server's configuration file, and the public key is what the other peer needs in its [Peer] section. Because the private key is echoed to the terminal, run this in a root shell and paste it nowhere except the configuration file (the usual alternative, umask 077; wg genkey > privatekey; wg pubkey < privatekey > publickey, never displays it at all).

Let's also generate a pre-shared key (PSK). It is optional, but it is mixed into the handshake as an additional symmetric secret: if the public-key exchange were ever broken, the traffic would still be protected by the PSK, which is why WireGuard's documentation presents it as a post-quantum hedge. The same PSK is configured on both peers.

wg genpsk
  • Create a new file /usr/local/etc/wireguard/wg0.conf, readable only by root (mode 0600), since it contains the private key and the PSK:
[Interface]
## Default port is 51820 - feel free to change it, but the firewall on this
## host must pass inbound UDP to whichever port you choose
PrivateKey = <the private key from the previous command>
ListenPort = 43671
## Tunnel address of this host; the VXLAN endpoints use these addresses
Address = 10.77.0.1/24

## Create the VXLAN endpoint inside the tunnel (VNI 42, UDP port 4789 by
## default), give it an address on the bridged 10.77.1.0/24 network for
## testing, and add it to bridge0, which must already exist (for example via
## cloned_interfaces="bridge0" in /etc/rc.conf). The name vxlan0 assumes this
## is the first vxlan interface on the host.
PostUp = /sbin/ifconfig vxlan create vxlanid 42 vxlanlocal 10.77.0.1 vxlanremote 10.77.0.2 inet 10.77.1.1/24
PostUp = /sbin/ifconfig bridge0 addm vxlan0 up
## Destroying vxlan0 also removes it from the bridge
PostDown = /sbin/ifconfig vxlan0 destroy

[Peer]
PublicKey = <the other peer's public key>
## No Endpoint here: the peer is behind NAT and initiates the connection, so
## WireGuard learns its address from the first authenticated packet.
## If the peer is publicly reachable, you can specify its address/port instead:
#Endpoint = <public_ip>:<port>
## Only the peer's tunnel address is accepted from (and routed to) it; the
## bridged traffic is carried inside VXLAN packets between the two tunnel
## addresses, so nothing else needs to be listed here
AllowedIPs = 10.77.0.2/32
PresharedKey = <the PSK from the previous command>
  • Modify /etc/rc.conf and add:
wireguard_interfaces="wg0"
wireguard_enable="YES"
  • Start WireGuard and the VXLAN endpoint now (the rc.conf entries only take effect at boot):
wg-quick up wg0

Server 2 (Behind NAT)

  • Generate the WireGuard keys as before.

  • Create /usr/local/etc/wireguard/wg0.conf (again mode 0600):

[Interface]
PrivateKey = <the private key from the previous command>
## No ListenPort: this host only initiates, so a random source port is fine
Address = 10.77.0.2/24

## Mirror of server 1: same VNI, local and remote addresses swapped
PostUp = /sbin/ifconfig vxlan create vxlanid 42 vxlanlocal 10.77.0.2 vxlanremote 10.77.0.1 inet 10.77.1.2/24
PostUp = /sbin/ifconfig bridge0 addm vxlan0 up
PostDown = /sbin/ifconfig vxlan0 destroy

[Peer]
PublicKey = <the other peer's public key>
## Server 1's public address and its ListenPort (43671 in this example)
Endpoint = <public_ip>:<port>
AllowedIPs = 10.77.0.1/32
PresharedKey = <the PSK from the previous command>
## Keeps the NAT mapping open while the tunnel is idle (interval in seconds)
PersistentKeepalive = 20
  • Modify /etc/rc.conf as before.

  • Start WireGuard and the VXLAN endpoint:

wg-quick up wg0

Verifying the Connection

To check whether the tunnel is established, run wg show wg0 on either host: it lists the peer, its current endpoint, the time of the latest handshake and the bytes transferred in each direction. While traffic flows, WireGuard renews the handshake at least every two minutes, so a "latest handshake" older than about three minutes (or none at all) means the tunnel is not up; the usual causes are a mismatched key or PSK, a firewall dropping UDP to the ListenPort, or a wrong Endpoint.

Then ping the other host at both layers: its WireGuard address (10.77.0.1 or 10.77.0.2) proves the tunnel works, and its VXLAN address (10.77.1.1 or 10.77.1.2) proves that Ethernet frames cross the bridged VXLAN. If only the second ping fails, check that vxlan0 is a member of bridge0 (ifconfig bridge0) and that both sides use the same vxlanid. Also compare MTUs: wg-quick sets wg0 to 80 bytes below the path MTU (1420 on a 1500-byte link) and VXLAN adds another 50 bytes of headers, so large frames from the jails may need the jails' MTU lowered (or TCP MSS clamped) to fit.
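As an added example (not code from the original article or from BSD Cafe), here is a small sh script that automates the checks above for the whole procedure: it parses `wg show wg0 dump` to decide whether the peer's latest handshake is recent enough, confirms from `ifconfig bridge0` output that vxlan0 is a bridge member, and pings the far VXLAN address. The interface names wg0/vxlan0/bridge0, the 10.77.x addresses, the CHECK_PEER and VXLAN_PEER environment variables and the file name wgvx-check.sh are assumptions made for the example; the sample dump and ifconfig text embedded in the script are constructed, with shortened keys.

```shell
#!/bin/sh
# Added health check for the WireGuard + VXLAN bridge set up above. This is
# example code, not part of the original article; it assumes the interface
# names wg0, vxlan0 and bridge0 and the 10.77.x addresses used in the text.
# The parsers take command output as an argument, so the same functions run
# on the constructed samples below and on live `wg show` / `ifconfig` output.

# WireGuard rekeys a session after 120 s of use and rejects it after 180 s
# without a fresh handshake, so a latest-handshake older than 180 s means
# the tunnel is not live right now.
WG_REJECT_AFTER_TIME=180

# wg_handshake_age DUMP NOW PEER_PUBKEY
# DUMP is the text of `wg show wg0 dump`: tab-separated, first line is the
# interface, each further line a peer whose 5th field is the latest-handshake
# Unix time (0 if none yet). Prints the handshake age in seconds relative to
# NOW, or -1 if the peer is missing or has never completed a handshake.
wg_handshake_age() {
    printf '%s\n' "$1" | awk -F '\t' -v now="$2" -v peer="$3" '
        NR > 1 && $1 == peer {
            found = 1
            if ($5 == 0) print "-1"; else print now - $5
        }
        END { if (!found) print "-1" }'
}

# wg_peer_live DUMP NOW PEER_PUBKEY: succeeds only when the peer completed a
# handshake within the last WG_REJECT_AFTER_TIME seconds.
wg_peer_live() {
    age=$(wg_handshake_age "$1" "$2" "$3")
    [ "$age" -ge 0 ] && [ "$age" -le "$WG_REJECT_AFTER_TIME" ]
}

# bridge_has_member IFCONFIG_OUTPUT MEMBER: succeeds when the output of
# `ifconfig bridge0` contains a "member: MEMBER flags=..." line.
bridge_has_member() {
    printf '%s\n' "$1" | awk -v m="$2" '
        $1 == "member:" && $2 == m { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed samples shaped like the real command output (keys shortened).
SAMPLE_DUMP=$(printf 'PRIVKEY=\tLOCALPUB=\t43671\toff\nPEERPUB=\tPSK=\t198.51.100.7:40012\t10.77.0.2/32\t1721000000\t48213\t51277\t20\nNEVERPUB=\t(none)\t(none)\t10.77.0.3/32\t0\t0\t0\toff\n')
SAMPLE_BRIDGE=$(printf 'bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500\n\tmember: vxlan0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>\n\tmember: epair0a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>\n')

# check_live PEER_PUBKEY: the same checks against the running system, plus a
# ping across the VXLAN address of the other host. Needs root for `wg show`.
check_live() {
    now=$(date +%s)
    dump=$(wg show wg0 dump) || { echo "wg0 is not up"; return 1; }
    wg_peer_live "$dump" "$now" "$1" || { echo "no recent handshake with peer $1"; return 1; }
    bridge_has_member "$(ifconfig bridge0)" vxlan0 || { echo "vxlan0 is not a member of bridge0"; return 1; }
    # FreeBSD ping: -W is the reply timeout in milliseconds
    ping -c 1 -W 2000 "${VXLAN_PEER:-10.77.1.2}" >/dev/null || { echo "no reply over the VXLAN bridge"; return 1; }
    echo "WireGuard tunnel and VXLAN bridge are up"
}

# Live mode only when a peer key is given, e.g. on server 1:
#   CHECK_PEER='<server 2 public key>' sh wgvx-check.sh
if [ -n "${CHECK_PEER:-}" ]; then
    check_live "$CHECK_PEER"
fi
```

Run it as root on either host with CHECK_PEER set to the other peer's public key (and VXLAN_PEER set to the other host's VXLAN address when checking from server 2). Without CHECK_PEER the script only defines the functions, which is what makes them easy to exercise against captured output before trusting them in a cron job or monitoring check.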

Conclusion

With the two VXLAN interfaces inserted into the local bridges, every Ethernet frame that crosses a bridge is encapsulated in VXLAN between the two tunnel addresses and therefore carried inside the WireGuard tunnel. The result is one unified Layer 2 network spanning both VPS instances, so jails can move between hosts without changing their addresses.

Keep in mind what that implies: a jail on either host sees the other host's jail traffic as if they shared a LAN, so the firewall rules on the public VPS should treat the bridge as an internal network and filter between jails as you would on a single segment. For the tunnel itself, only the WireGuard UDP port needs to be reachable from the internet; the VXLAN traffic (UDP 4789) never leaves the tunnel.

This configuration is particularly useful for:

  • Distributing services across different providers
  • Leveraging both public-facing and private VPS instances
  • Creating flexible, scalable network architectures

By using WireGuard and VXLAN, you get strong encryption, high performance, and the ability to build Layer 2 topologies across physically separate servers.

Remember to always keep your systems updated and regularly review your network configuration to ensure it meets your evolving needs and security requirements.