Creates VXLAN tunnels over wireguard
Wireguard does not allow you to route arbitrary traffic through a tunnel, let's say I have this setup
- Network A: 10.0.0.0/24
- Network B: 10.1.0.0/24
- Tunnel A<>B 10.3.0.0/24
You cannot make A and B communicate without having to NAT traffic, hence masking the original IPs.
To get around this you can create an overlay network on top of the wireguard tunnel.
Look at the config files in the examples directory
Then compile the binary
$ make
$ ./bin/dupont -what apply -config examples/host-1.hcl
# You can teardown the config by doing
$ ./bin/dupont -what delete -config examples/host-1.hclYou can write the configurations both in yaml and HCL, the HCL being the more readable one, as follows:
# Make sure we enable ip forward and co
ensureSysctl = true
# Our interfaces definitions
interfaces {
# Wireguard interfaces definitions
wireguard "wg-0" {
# First interface definition
address = "192.168.69.1/32"
port = 6969
key {
privateKey = "4CQWNQylWDWoZGgWDj58skAQuC84v1JXBKKqLTwcb3c="
# Note that specifying the public key here is a matter
# of convenience, you would not have that (prolly) on
# an actual deployment
publicKey = "bScGfgslFnmIEcuAdU8PQla6OtE29VntPOd3rOb5phs="
}
peer "wg-0" {
description = "Laptop"
key {
publicKey = "NYNj4shJcxucrhgNTwRg1sshlCT9cGKvClWEsycm/28="
}
allowedIPs = [
"192.168.69.2/32",
]
endpoint {
address = "10.99.1.200"
port = 6969
}
keepAlive = 5
}
}
vxlan "vx-0" {
address = "192.168.70.1/24"
vni = 60
parent = "wg-0"
neighbour {
address = "192.168.70.2"
}
}
}Which produces something like that:
$ ip address
[...]
40: wg-0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default
link/none
inet 192.168.69.2/24 brd 192.168.69.255 scope global wg-0
valid_lft forever preferred_lft forever
41: br-vx-0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1350 qdisc noqueue state UP group default
link/ether 8a:a5:6a:ec:81:e5 brd ff:ff:ff:ff:ff:ff
inet 192.168.70.2/24 brd 192.168.70.255 scope global br-vx-0
valid_lft forever preferred_lft forever
inet6 fe80::88a5:6aff:feec:81e5/64 scope link
valid_lft forever preferred_lft forever
42: vx-0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1350 qdisc noqueue master br-vx-0 state UNKNOWN group default
link/ether 8a:a5:6a:ec:81:e5 brd ff:ff:ff:ff:ff:ff
inet6 fe80::88a5:6aff:feec:81e5/64 scope link
valid_lft forever preferred_lft forever
You can also use dupont to generate the topology of the network for you. Create a file like so
name = "example topology"
network {
wireguard = "10.80.0.1/24"
overlay = "10.80.1.1/24"
vni = 42
wireguardPort = 6060
}
hosts = {
pi1 = "19.99.1.60"
pi2 = "19.99.1.61"
pi3 = "19.99.1.62"
pi4 = "19.99.1.63"
}Then run ./bin/dupont -what generate -config config/topology.hcl and it will generate one file per host in a folder
named after the topology ID of the said topology. It is basically a short hash of the topology name. You would have
then something like
$ tree 657861/
657861/
├── pi1.hcl
├── pi2.hcl
├── pi3.hcl
└── pi4.hcl
0 directories, 4 filesYou only have to copy those files on every host of the mesh, then apply the config and you are done !