From: Stefan Hanreich <s.hanreich@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: Re: [PATCH pve-docs v5 29/29] sdn: fabrics: add section about wireguard
Date: Tue, 12 May 2026 19:38:03 +0200
Message-ID: <df2bd2c0-b1bf-4883-a1eb-f14744e63860@proxmox.com>
In-Reply-To: <20260512173145.596958-30-s.hanreich@proxmox.com>



On 5/12/26 7:30 PM, Stefan Hanreich wrote:
> Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
> ---
>  pvesdn.adoc | 100 ++++++++++++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 100 insertions(+)
> 
> diff --git a/pvesdn.adoc b/pvesdn.adoc
> index d20a0eb..1e83495 100644
> --- a/pvesdn.adoc
> +++ b/pvesdn.adoc
> @@ -769,6 +769,106 @@ NOTE: The dummy interface will automatically be configured as `passive`. Every
>  interface which doesn't have an ip-address configured will be treated as a
>  `point-to-point` link.
>  
> +[[pvesdn_wireguard]]
> +WireGuard
> +~~~~~~~~~
> +
> +WireGuard can be used for establishing a VPN between Proxmox VE nodes and / or
> +external nodes. It does not provide dynamic routing by itself, but can be used
> +in conjunction with dynamic routing protocols operating on layer 3 and above
> +(OSPF, BGP) to provide a dynamically routed, encrypted transport for e.g. EVPN
> +or VXLAN.
> +
> +NOTE: In order to use WireGuard, the package `wireguard-tools` needs to be
> +installed.
> +
> +Configuration options:
> +
> +[[pvesdn_wireguard_fabric]]
> +On the Fabric
> +^^^^^^^^^^^^^
> +
> +Name:: This is the name of the WireGuard fabric and can be at most 8 characters
> +long.
> +
> +Persistent Keepalive:: If this is set, then WireGuard will send an empty
> +authenticated packet every N seconds to each configured peer. This can help
> +keeping connections alive when using stateful firewalls or NAT.
> +
> +[[pvesdn_wireguard_node]]
> +On the Node
> +^^^^^^^^^^^
> +
> +There are two types of nodes: internal and external. Internal nodes are Proxmox
> +VE nodes, external nodes everything else. They are essentially reusable peer
> +definitions that can be used across the whole cluster.
> +
> +.Internal
> +
> +Endpoint:: This is the IP or hostname that other Proxmox VE nodes should use for
> +connecting to this Proxmox VE node. This is used as the endpoint when
> +configuring this Proxmox VE node as a peer.
> +
> +Allowed IPs:: A comma-separated list of IP addresses. When selecting this node
> +as a peer on other nodes, then this is used as the `AllowedIPs` setting in the
> +WireGuard peer configuration. They specify the addresses that are allowed for
> +incoming and outgoing traffic from/to this node.
> +
> +.External
> +
> +Name:: The name of the external node.
> +
> +Public Key:: The public key used by the external node.
> +
> +Endpoint:: The endpoint which is used for connecting to this external peer (e.g.
> +192.0.2.1:51820).
> +
> +Allowed IPs:: A comma-separated list of IP addresses. When selecting this node
> +as a peer on other nodes, then this is used as the `AllowedIPs` setting in the
> +WireGuard peer configuration. They specify the addresses that are allowed for
> +incoming and outgoing traffic from/to this node.
> +
> +[[pvesdn_wireguard_interface]]
> +On The Interface
> +^^^^^^^^^^^^^^^^
> +
> +Name:: The name of the network interface on the Linux host. At most 8
> +alphanumerical characters + hyphens.
> +
> +IP::: The IPv4 address that should be configured on this interface.
> +
> +IPv6::: The IPv6 address that should be configured on this interface.
> +
> +Listen Port:: The listening port for this interface.
> +
> +Peers:: A list of peers that should be configured for that interface. All nodes
> +that are part of the fabric can be selected as peers - the peer definition will
> +be auto-generated from the configuration in the node.
> +
> +When defining an interface, then Proxmox VE automatically generates a public key
> +for that interface in `/etc/pve/priv/wg-keys.conf` upon saving the interface.
> +The public key can then be inspected in the Web UI when editing the node.
> +Deleting an interface and re-applying the SDN configuration will delete the
> +private key again.
> +
> +The fabric will also automatically generate routes for every allowed IP of every
> +peer. E.g. if an interface wg0 has two peers with 198.51.100.0/24 and
> +203.0.113.0/24 as allowed IPs, then routes for both subnets will be
> +automatically created. If the peer is the interface of a Proxmox VE node, then
> +the configured IP address will also be automatically added to the Allowed IPs in
> +the peer configuration (e.g. if the other node has 192.0.2.10/24 as IP config,
> +then 192.0.2.10/32 will be added to the allowed IPs).
> +
> +
> +[[pvesdn_wireguard_interface]]
> +On The Peer
> +^^^^^^^^^^^
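
Review bot: The key-generation paragraph at the end of the "On The Interface" section contradicts itself: it says Proxmox VE "automatically generates a public key for that interface in `/etc/pve/priv/wg-keys.conf`", and two sentences later that deleting the interface "will delete the private key again". A file under `priv/` presumably holds the private key (or the key pair), so the first sentence should name what is actually stored there and make clear that only the public key is exposed in the Web UI. The file name also does not match patch 01/29 of this series, whose subject names `priv/wg-keys.cfg`; one of the two needs correcting so readers look for the key material in the right place. Smaller points in the same hunk: `IP:::` and `IPv6:::` use three colons where every other entry uses `::`, which nests them under "Name" in AsciiDoc; "Allowed IPs" is described as a list of IP addresses while the routing example uses prefixes such as 198.51.100.0/24, so the accepted format (address, CIDR, or both) should be stated; and the heading "On The Interface" is capitalized differently from "On the Fabric" and "On the Node".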

forgot to amend the fix for this heading into the docs commit - this
should be `pvesdn_wireguard_peer` instead.




Thread overview: 35+ messages
2026-05-12 17:31 [PATCH cluster/docs/manager/network/proxmox{-ve-rs,-perl-rs} v5 00/29] Add WireGuard as protocol to SDN fabrics Stefan Hanreich
2026-05-12 17:31 ` [PATCH pve-cluster v5 01/29] cfs: add 'priv/wg-keys.cfg' to observed files Stefan Hanreich
2026-05-12 17:31 ` [PATCH proxmox-ve-rs v5 02/29] sdn-types: add wireguard-specific PersistentKeepalive api type Stefan Hanreich
2026-05-12 17:31 ` [PATCH proxmox-ve-rs v5 03/29] ve-config: fabrics: split interface name regex into two parts Stefan Hanreich
2026-05-12 17:31 ` [PATCH proxmox-ve-rs v5 04/29] ve-config: fabric: refactor fabric config entry impl using macro Stefan Hanreich
2026-05-12 17:31 ` [PATCH proxmox-ve-rs v5 05/29] ve-config: fabrics: add protocol-specific properties for wireguard Stefan Hanreich
2026-05-12 17:31 ` [PATCH proxmox-ve-rs v5 06/29] ve-config: wireguard: add private keys section config Stefan Hanreich
2026-05-12 17:31 ` [PATCH proxmox-ve-rs v5 07/29] ve-config: sdn: fabrics: add wireguard to the fabric config Stefan Hanreich
2026-05-12 17:31 ` [PATCH proxmox-ve-rs v5 08/29] ve-config: fabrics: wireguard add validation for wireguard config Stefan Hanreich
2026-05-12 17:31 ` [PATCH proxmox-ve-rs v5 09/29] ve-config: fabrics: implement wireguard config generation Stefan Hanreich
2026-05-12 17:31 ` [PATCH proxmox-perl-rs v5 10/29] pve-rs: fabrics: wireguard: generate ifupdown2 configuration Stefan Hanreich
2026-05-12 17:31 ` [PATCH proxmox-perl-rs v5 11/29] pve-rs: fabrics: add helpers for parsing interface property strings Stefan Hanreich
2026-05-12 17:31 ` [PATCH proxmox-perl-rs v5 12/29] pve-rs: sdn: wireguard: add private keys module Stefan Hanreich
2026-05-12 17:31 ` [PATCH pve-network v5 13/29] sdn: add wireguard helper module Stefan Hanreich
2026-05-12 17:31 ` [PATCH pve-network v5 14/29] fabrics: wireguard: add schema definitions for wireguard Stefan Hanreich
2026-05-12 17:31 ` [PATCH pve-network v5 15/29] fabrics: wireguard: implement wireguard key auto-generation Stefan Hanreich
2026-05-12 17:31 ` [PATCH pve-manager v5 16/29] network: sdn: generate wireguard configuration on apply Stefan Hanreich
2026-05-12 17:31 ` [PATCH pve-manager v5 17/29] ui: fix parsing of property-strings when values contain = Stefan Hanreich
2026-05-12 17:31 ` [PATCH pve-manager v5 18/29] ui: fabrics: i18n: make node loading string translatable Stefan Hanreich
2026-05-12 17:31 ` [PATCH pve-manager v5 19/29] sdn: fabrics view: handle case where interfaces are deleted Stefan Hanreich
2026-05-12 17:31 ` [PATCH pve-manager v5 20/29] ui: fabrics: split node selector creation and config Stefan Hanreich
2026-05-12 17:31 ` [PATCH pve-manager v5 21/29] ui: fabrics: edit: make ipv4/6 support generic over fabric panels Stefan Hanreich
2026-05-12 17:31 ` [PATCH pve-manager v5 22/29] ui: fabrics: node: make ipv4/6 support generic over edit panels Stefan Hanreich
2026-05-12 17:31 ` [PATCH pve-manager v5 23/29] ui: fabrics: interface: " Stefan Hanreich
2026-05-12 17:31 ` [PATCH pve-manager v5 24/29] ui: fabrics: wireguard: add interface edit panel Stefan Hanreich
2026-05-12 17:41   ` Stefan Hanreich
2026-05-12 17:31 ` [PATCH pve-manager v5 25/29] ui: fabrics: wireguard: add node " Stefan Hanreich
2026-05-12 17:31 ` [PATCH pve-manager v5 26/29] ui: fabrics: wireguard: add fabric " Stefan Hanreich
2026-05-12 17:31 ` [PATCH pve-manager v5 27/29] ui: fabrics: hook up wireguard components Stefan Hanreich
2026-05-12 17:31 ` [PATCH pve-manager v5 28/29] fabrics: node edit: add option to include wireguard interfaces Stefan Hanreich
2026-05-12 17:31 ` [PATCH pve-docs v5 29/29] sdn: fabrics: add section about wireguard Stefan Hanreich
2026-05-12 17:38   ` Stefan Hanreich [this message]
2026-05-13  2:51 ` partially-applied: [PATCH cluster/docs/manager/network/proxmox{-ve-rs,-perl-rs} v5 00/29] Add WireGuard as protocol to SDN fabrics Thomas Lamprecht
2026-05-15  5:02 ` applied: " Thomas Lamprecht
2026-05-15  5:04 ` Thomas Lamprecht
