Sean Mooney smooney at redhat.com
Mon Apr 4 12:53:04 UTC 2022

On Mon, 2022-04-04 at 09:04 +0100, lejeczek wrote:
> Hi guys.
> Has anybody solved that puzzle?
> Or perhaps it's not a puzzle at all, I'd imagine might be 
> trivial to experts.
> First I thought - and only thought so far thus asking here - 
> 'allowed_address_pairs' I'd need but that obviously does not 
> do anything as 'wireguard' creates its own ifaces.
> So.. how do you get your 'wireguard' in openstack to route 
> (no NAT) to instances' local network(s)?
I have not done this but I suspect you would need to enable the subnet used by wireguard
in the allowed address pairs as you said on the instance that is hosting the wireguard endpoint.
Then set a static route in the neutron router so other instances know how to access it.
openstack router set --route destination=<wireguard subnet>,gateway=<host vm ip> <router>
You might also need to configure some security group rules but I'm not certain on the last point.

If you run wireguard in a vm it is basically becoming a router which is not something that we typically
expect vms to do, but other services like octavia do this when they deploy load balancers, and the vpn as a service extension similarly
did this in the past, so this should be possible with the existing api.
> many thanks, L.
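The three Neutron-side steps Sean outlines (allowed address pair on the endpoint VM's port, static route on the router, security group rule), written up as an added example script that is not from the thread. The port, router and security group names, the 10.8.0.0/24 tunnel subnet and the default WireGuard UDP port 51820 are assumptions; enabling IP forwarding inside the VM itself is outside what Neutron controls.

```shell
#!/bin/sh
# Added example, not code from the thread. Set OSC=echo to dry-run and see
# the exact openstack CLI calls instead of executing them.
: "${OSC:=openstack}"

# 1. Allowed address pair: let the WireGuard VM's Neutron port carry traffic
#    for the tunnel subnet. Without it, Neutron's anti-spoofing filter drops
#    packets whose source address belongs to wg0 rather than the port's fixed IP.
allow_wg_subnet_on_port() {
    port="$1"; wg_subnet="$2"
    $OSC port set --allowed-address "ip-address=${wg_subnet}" "$port"
}

# 2. Static route on the Neutron router: other instances on the tenant network
#    reach the tunnel subnet via the WireGuard VM's fixed IP, no NAT involved.
add_wg_static_route() {
    router="$1"; wg_subnet="$2"; wg_vm_ip="$3"
    $OSC router set --route "destination=${wg_subnet},gateway=${wg_vm_ip}" "$router"
}

# 3. Security group on the endpoint VM: inbound WireGuard UDP (51820 assumed),
#    and inbound from the tunnel subnet so forwarded traffic is not dropped.
#    Instances that peers should reach need the same "from tunnel subnet"
#    ingress rule in their own security groups.
open_wg_security_groups() {
    sg="$1"; wg_subnet="$2"; wg_port="${3:-51820}"
    $OSC security group rule create --protocol udp --dst-port "$wg_port" \
        --remote-ip 0.0.0.0/0 "$sg"
    $OSC security group rule create --protocol any --remote-ip "$wg_subnet" "$sg"
}

# Example invocation with placeholder names (assumed, not from the thread):
#   allow_wg_subnet_on_port wg-vm-port 10.8.0.0/24
#   add_wg_static_route tenant-router 10.8.0.0/24 192.168.10.5
#   open_wg_security_groups wg-endpoint-sg 10.8.0.0/24
```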

