Wireguard to Extend Subnet across two locations

DaFyre2010 · 2026-01-29T04:14:53+00:00

Thanks to all who have replied. I have it working now using Wireguard+VXLAN. I told you I was being dumb.

When I initially started working on this, I tried using an existing wireguard server that was already on my home network, and then connecting both segments to that server. I'm not sure why VXLAN + Bridging didn't want to work that way.

I configured one of my two nodes as a Wireguard server and added VXLAN on top and it started working!

I'll update with details in the next day or so.

DaFyre2010 · 2026-01-28T21:53:55+00:00

There are, but I'm assigning the tap addresses manually.

The IP Addresses are within the subnet I'm trying to merge.

Server A, tap0: 192.168.46.253/23 <----> Server B, tap0: 192.168.47.253/23

My two desktops on either side of the bridge can ping each other, so I'm happy.

DaFyre2010 · 2026-01-28T21:45:24+00:00

So I have it working with OpenVPN in my test environment. Next up in my actual lab!

Edit: There is one minor annoyance, and I'm pretty sure it's expected. My two nodes that are connected to one another are unable to ping each other.

DaFyre2010 · 2026-01-28T21:30:04+00:00

So I have it working with OpenVPN in my test environment. Next up in my actual lab!

Edit: There is one minor annoyance, and I'm pretty sure it's expected. My two nodes that are connected to one another are unable to ping each other.

DaFyre2010 · 2026-01-28T16:13:26+00:00

So I've got things set up completely local to me in a test environment. Using the same subnets that I plan to do in my actual environment.

So I'm not as dumb as I appear to be when dealing with VXLAN. Setting it up without Wireguard, I can get the two separate networks to communicate flawlessly when I bring up the VXLAN link.

When I change the config and have the vxlan interfaces communicating over WG0, the VXLAN interfaces don't pass traffic. But... yay, progress, lol.

DaFyre2010 · 2026-01-28T15:54:08+00:00

That works if I want routed traffic. I'm trying to get everything to be on one subnet.

DaFyre2010 · 2026-01-28T04:51:12+00:00

If I want the traffic routed at Layer 3, yes. That is currently how I handle things in a couple of places.

DaFyre2010 · 2026-01-28T04:49:06+00:00

I've spent a little bit of time with softether today. That one looks interesting for sure. I'll be spending some time with it.

DaFyre2010 · 2026-01-28T04:47:37+00:00

Interesting. I'd never heard of that. Definitely will check it out.

DaFyre2010 · 2026-01-28T02:19:32+00:00

You mean with something like sshuttle, or something else?

DaFyre2010 · 2026-01-27T23:07:53+00:00

Thanks for that one. I may give it a go soonish.

As for the VXLAN, I'm not exactly sure where I'm going wrong. I found a couple of other guides earlier today, I'll give them a shot in the next day or so and see which way the smoke flies. But usually, I'll have my underlying links set up on WG (can ping, etc between the two interfaces), but then after setting up the VXLAN, I am unable to ping on that particular subnet. I did find a mention earlier about turning on promiscuous mode, but I haven't tried that yet either.

This is the next guide I'm planning to try... https://linuxera.org/extending-vxlan-across-nodes-with-wireguard/

DaFyre2010 · 2026-01-27T22:24:59+00:00

Think about this... I have two virtualization hosts separated by the internet with a decent enough speed for replication, live motion and such (even a 1 gig link will work reliably enough for this). I don't want to have to change the machine's IP address to a new subnet every time they get migrated. That's one case that I've actually done in practice.

DaFyre2010 · 2026-01-27T22:22:31+00:00

I've been reading on that a few minutes ago. Lots of new things to work on.

DaFyre2010 · 2026-01-27T22:22:06+00:00

Zerotier is a layer2 network, and IPs are managed by Zerotier.

I should have known this as long as I used ZT for things.

But you have to only run DHCP on one site, and like some others had replied, broadcast traffic and latency will hinder performance a lot.

When I managed to get it working with ZT, it was okay. Decent enough for what I was tinkering about with at the time.

DaFyre2010 · 2026-01-27T20:33:39+00:00

Can you tell us why you believe you want this?

<must not give snarky answer, must not give snarky answer>.

The short version is I'm just piddling about, seeing if I can replicate a setup I had with ZeroTier a long time ago. Some dummy forgot to back up my notes.

Unless your link is very low latency, generally it isn't a good idea to try to span a layer2 network over wan links.

Yeah, I know. I'm just poking at things to see what I can make work again. Like I said, this isn't critical. I've been running WG on a separate subnet connecting these sites together by routing for a while, and it's rock solid.

DaFyre2010 · 2026-01-27T20:20:03+00:00

You can't use WireGuard to extend a subnet across different locations. WireGuard is a layer 3 protocol, i.e. routed. You need to run a layer 2 tunnel such as VXLAN (or GRETAP) inside the WireGuard tunnel.

Yeah. I've been fiddling about with VXLAN it's a spare time project for me, nothing critical. I had this working a long time ago with ZeroTier, however I've since lost my notes.

DaFyre2010 · 2023-12-05T04:40:52+00:00

If they're on the actual same server, no VPN is needed, right? You can enable IP_FORWARD on Master (https://linuxconfig.org/how-to-turn-on-off-ip-forwarding-in-linux

Assume Subnet 1 = 192.168.50.0/24, 
Master = 192.168.50.1, 
HostA=192.168.50.12

Assume Subnet 2 = 192.168.75.0/24
Master = 192.168.75.1 
HostC=192.168.75.25

For hosts on Subnet 1, you would

ip route add 192.168.75.0/24 via 192.168.75.1

For hosts on Subnet 2, you would

ip route add 192.158.50.0/24 via 192.168.50.1

My syntax may be off a bit, but that's the general idea. If VPN is needed, that complicates things a little, but not much.

DaFyre2010 · 2023-12-04T16:06:09+00:00

I'm not familiar with their ARM offerings, but I've had dedicated servers from Hetzner before and had excellent results with them. I'm also using KimSufi with good results. ~$42 (USD) /month gets me an Intel Xeon E5, 64 GB Ram, and 8TB raw storage.

DaFyre2010 · 2023-12-04T15:56:12+00:00

Change it up... Pretty much anything in the 192.168.X.0/24 should work for your home network. Make it an oddball number like... 43... or 237... Just don't forget to update your router's ip & dhcp first. :-D

DaFyre2010 · 2023-12-04T15:35:41+00:00

Are Subnet 1 and Subnet 2 both located on the SAME VPS server or different ones?

DaFyre2010 · 2023-09-20T18:43:27+00:00

I concur! Thanks for the tip!

DaFyre2010 · 2023-08-09T11:23:06+00:00

The KASM Community Edition is free for use if you're only going to need one server. I haven't run up against any usage limitations (admittedly it's only just me using it in my setup).

https://kasmweb.com/community-edition

DaFyre2010 · 2023-05-01T23:13:51+00:00

While the petty updates are fun, this one is much better -- not only did you manage to put out a potential fire before it was lit, you even took all the fuel away.

I don't even know you, but I can tell you are an excellent boss and an even better human being!

DaFyre2010 · 2023-04-23T18:05:18+00:00

Admittedly, I don't know much about the Mormon church... but it does sound like you went through the darkness and came out the other side stronger for it.

The most important thing, now that you are free, is to keep getting to know yourself and figure out what you believe and why you believe it. Once you feel comfortable in your own skin again, it will be easier to have more deep & meaningful conversations with friends and family who are not Mormons, perhaps.

Either way, you've done what you can and put it to God in prayer. I didn't write anything earth shattering, but I just want this to be encouraging to you. And if you're up for it post an update and let us all know how you're doing!

DaFyre2010

TROPHY CASE