Re: [RFC manager/network/proxmox{,-ve-rs,-perl-rs} v2 00/25] Add WireGuard as protocol to SDN fabrics

[Stefan Hanreich <s.hanreich@proxmox.com>]

On 4/2/26 3:57 PM, Gabriel Goller wrote:
> Will have a look at the code later, but some high-level (mostly ui) stuff in
> the meantime:
> 
>  * when deleting a node referenced as a peer by another node, one gets this
>    confusing message: "deleting node failed: peer configuration references
>    non-existing interface (500)" (maybe include which node uses the peer)

done

>  * "Endpoint" is a bit confusing, maybe add a tooltip or default text (same on "Allowed IPs")

done, added a default text on both

>  * maybe a nicer error message when the first wg command (wg genkey) fails
>    (mention that wireguard-tools has to be installed)

done

>  * would it be possible (and sensible) that a peer is autoselected so
>    bidirectional traffic is possible by default. e.g. when creating a node and
>    adding a peer, the new node is added as a peer in the existing nodes (which have
>    been selected as peers from the new node). Otherwise it's quite exhausting
>    right now adding a new node, selecting all the peers and then needing to go
>    through and edit all the other existing nodes and checking the newly
>    added peer. Of course it's maybe a bit magicky, but at least it improves the
>    usability?

I guess it makes sense, but isn't necessarily required? I'd rather keep
the current behavior and implement something like the "auto-fullmeshify"
UI function mentioned in the cover letter in PVE/PDM.

>  * when generating the ifupdown2 config, a newline above `auto wg0` would be nice.

done

>  * when setting an ipv6 address we need to add a warning "enable ipv6 forwarding
>    globally" like in the other fabrics.

It isn't unconditionally required, since if you just configure a subnet
on the interface and only want to reach the hosts inside that subnet
forwarding doesn't need to be enabled. It could actually be a bit of a
security issues then imo if some less-knowledgable users see the warning
and then enabling routing for IPv6 on their hosts even if it isn't
required. Showing this conditionally (only if required) could also be
hard in the UI :/. Potentially add this to the documentation instead?