On Mon, 2022-04-04 at 09:04 +0100, lejeczek wrote:
Hi guys.
Has anybody solved that puzzle? Or perhaps it's not a puzzle at all, I'd imagine might be trivial to experts.
First I thought - and only thought so far thus asking here - 'allowed_address_pairs' I'd need but that obviously does not do anything as 'wireguard' creates its own ifaces. So.. how do you get your 'wireguard' in openstack to route (no NAT) to instances' local network(s)?
i have not done this but i suspect you would need to enable the subnet used by wireguard in the allowed adres pairs as you said on the instnace that is hosting the wireguard endpoint. then set a staic route in the neutron router so other instance knew how to acess it. openstack router set --route destination=<wireguard subnet>,gateway=<host vm ip> <router> you might also need to confiure some sequirty group rules but im not certin on the last point.
if you run wireguard in a vm it is basicaly becomeing a router which is not something that we typicaly expect vms to do but other service like octavia do this when they deploy loadblancers and the vpn as a service exteion similar did this in the past so this should be possibel with the exising api.
many thanks, L.