From: Stefan Hanreich <s.hanreich@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: Re: [PATCH pve-docs v5 29/29] sdn: fabrics: add section about wireguard
Date: Tue, 12 May 2026 19:38:03 +0200
Message-ID: <df2bd2c0-b1bf-4883-a1eb-f14744e63860@proxmox.com>
In-Reply-To: <20260512173145.596958-30-s.hanreich@proxmox.com>
On 5/12/26 7:30 PM, Stefan Hanreich wrote:
> Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
> ---
> pvesdn.adoc | 100 ++++++++++++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 100 insertions(+)
>
> diff --git a/pvesdn.adoc b/pvesdn.adoc
> index d20a0eb..1e83495 100644
> --- a/pvesdn.adoc
> +++ b/pvesdn.adoc
> @@ -769,6 +769,106 @@ NOTE: The dummy interface will automatically be configured as `passive`. Every
> interface which doesn't have an ip-address configured will be treated as a
> `point-to-point` link.
>
> +[[pvesdn_wireguard]]
> +WireGuard
> +~~~~~~~~~
> +
> +WireGuard can be used for establishing a VPN between Proxmox VE nodes and / or
> +external nodes. It does not provide dynamic routing by itself, but can be used
> +in conjunction with dynamic routing protocols operating on layer 3 and above
> +(OSPF, BGP) to provide a dynamically routed, encrypted transport for e.g. EVPN
> +or VXLAN.
> +
> +NOTE: In order to use WireGuard, the package `wireguard-tools` needs to be
> +installed.
> +
> +Configuration options:
> +
> +[[pvesdn_wireguard_fabric]]
> +On the Fabric
> +^^^^^^^^^^^^^
> +
> +Name:: This is the name of the WireGuard fabric and can be at most 8 characters
> +long.
> +
> +Persistent Keepalive:: If this is set, then WireGuard will send an empty
> +authenticated packet every N seconds to each configured peer. This can help
> +keeping connections alive when using stateful firewalls or NAT.
> +
> +[[pvesdn_wireguard_node]]
> +On the Node
> +^^^^^^^^^^^
> +
> +There are two types of nodes: internal and external. Internal nodes are Proxmox
> +VE nodes, external nodes everything else. They are essentially reusable peer
> +definitions that can be used across the whole cluster.
> +
> +.Internal
> +
> +Endpoint:: This is the IP or hostname that other Proxmox VE nodes should use for
> +connecting to this Proxmox VE node. This is used as the endpoint when
> +configuring this Proxmox VE node as a peer.
> +
> +Allowed IPs:: A comma-separated list of IP addresses. When selecting this node
> +as a peer on other nodes, then this is used as the `AllowedIPs` setting in the
> +WireGuard peer configuration. They specify the addresses that are allowed for
> +incoming and outgoing traffic from/to this node.
> +
> +.External
> +
> +Name:: The name of the external node.
> +
> +Public Key:: The public key used by the external node.
> +
> +Endpoint:: The endpoint which is used for connecting to this external peer (e.g.
> +192.0.2.1:51820).
> +
> +Allowed IPs:: A comma-separated list of IP addresses. When selecting this node
> +as a peer on other nodes, then this is used as the `AllowedIPs` setting in the
> +WireGuard peer configuration. They specify the addresses that are allowed for
> +incoming and outgoing traffic from/to this node.
> +
> +[[pvesdn_wireguard_interface]]
> +On The Interface
> +^^^^^^^^^^^^^^^^
> +
> +Name:: The name of the network interface on the Linux host. At most 8
> +alphanumerical characters + hyphens.
> +
> +IP::: The IPv4 address that should be configured on this interface.
> +
> +IPv6::: The IPv6 address that should be configured on this interface.
> +
> +Listen Port:: The listening port for this interface.
> +
> +Peers:: A list of peers that should be configured for that interface. All nodes
> +that are part of the fabric can be selected as peers - the peer definition will
> +be auto-generated from the configuration in the node.
> +
> +When defining an interface, then Proxmox VE automatically generates a public key
> +for that interface in `/etc/pve/priv/wg-keys.conf` upon saving the interface.
> +The public key can then be inspected in the Web UI when editing the node.
> +Deleting an interface and re-applying the SDN configuration will delete the
> +private key again.
> +
> +The fabric will also automatically generate routes for every allowed IP of every
> +peer. E.g. if an interface wg0 has two peers with 198.51.100.0/24 and
> +203.0.113.0/24 as allowed IPs, then routes for both subnets will be
> +automatically created. If the peer is the interface of a Proxmox VE node, then
> +the configured IP address will also be automatically added to the Allowed IPs in
> +the peer configuration (e.g. if the other node has 192.0.2.10/24 as IP config,
> +then 192.0.2.10/32 will be added to the allowed IPs).
> +
> +
> +[[pvesdn_wireguard_interface]]
> +On The Peer
> +^^^^^^^^^^^
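Review bot: In the paragraph following the Peers entry, the text says Proxmox VE "automatically generates a public key for that interface in `/etc/pve/priv/wg-keys.conf`", but the last sentence of the same paragraph says that deleting the interface "will delete the private key again". The paragraph should state which key is written to that file; since it lives under `priv/`, presumably this is meant to read "generates a private key", with the public key derived from it and shown in the Web UI. The file name also differs from patch 01/29 of this series, whose subject adds 'priv/wg-keys.cfg' to the observed files, so one of the two extensions needs correcting. Two smaller points in the same section: `IP:::` and `IPv6:::` use three colons where every other entry uses `::`, which in AsciiDoc nests them under the preceding Name entry, and both Allowed IPs entries say "list of IP addresses" while the routing example uses prefixes such as 198.51.100.0/24, so the description should mention CIDR notation.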
forgot to amend the fix for this heading into the docs commit - this
should be `pvesdn_wireguard_peer` instead.
Thread overview: 35+ messages
2026-05-12 17:31 [PATCH cluster/docs/manager/network/proxmox{-ve-rs,-perl-rs} v5 00/29] Add WireGuard as protocol to SDN fabrics Stefan Hanreich
2026-05-12 17:31 ` [PATCH pve-cluster v5 01/29] cfs: add 'priv/wg-keys.cfg' to observed files Stefan Hanreich
2026-05-12 17:31 ` [PATCH proxmox-ve-rs v5 02/29] sdn-types: add wireguard-specific PersistentKeepalive api type Stefan Hanreich
2026-05-12 17:31 ` [PATCH proxmox-ve-rs v5 03/29] ve-config: fabrics: split interface name regex into two parts Stefan Hanreich
2026-05-12 17:31 ` [PATCH proxmox-ve-rs v5 04/29] ve-config: fabric: refactor fabric config entry impl using macro Stefan Hanreich
2026-05-12 17:31 ` [PATCH proxmox-ve-rs v5 05/29] ve-config: fabrics: add protocol-specific properties for wireguard Stefan Hanreich
2026-05-12 17:31 ` [PATCH proxmox-ve-rs v5 06/29] ve-config: wireguard: add private keys section config Stefan Hanreich
2026-05-12 17:31 ` [PATCH proxmox-ve-rs v5 07/29] ve-config: sdn: fabrics: add wireguard to the fabric config Stefan Hanreich
2026-05-12 17:31 ` [PATCH proxmox-ve-rs v5 08/29] ve-config: fabrics: wireguard add validation for wireguard config Stefan Hanreich
2026-05-12 17:31 ` [PATCH proxmox-ve-rs v5 09/29] ve-config: fabrics: implement wireguard config generation Stefan Hanreich
2026-05-12 17:31 ` [PATCH proxmox-perl-rs v5 10/29] pve-rs: fabrics: wireguard: generate ifupdown2 configuration Stefan Hanreich
2026-05-12 17:31 ` [PATCH proxmox-perl-rs v5 11/29] pve-rs: fabrics: add helpers for parsing interface property strings Stefan Hanreich
2026-05-12 17:31 ` [PATCH proxmox-perl-rs v5 12/29] pve-rs: sdn: wireguard: add private keys module Stefan Hanreich
2026-05-12 17:31 ` [PATCH pve-network v5 13/29] sdn: add wireguard helper module Stefan Hanreich
2026-05-12 17:31 ` [PATCH pve-network v5 14/29] fabrics: wireguard: add schema definitions for wireguard Stefan Hanreich
2026-05-12 17:31 ` [PATCH pve-network v5 15/29] fabrics: wireguard: implement wireguard key auto-generation Stefan Hanreich
2026-05-12 17:31 ` [PATCH pve-manager v5 16/29] network: sdn: generate wireguard configuration on apply Stefan Hanreich
2026-05-12 17:31 ` [PATCH pve-manager v5 17/29] ui: fix parsing of property-strings when values contain = Stefan Hanreich
2026-05-12 17:31 ` [PATCH pve-manager v5 18/29] ui: fabrics: i18n: make node loading string translatable Stefan Hanreich
2026-05-12 17:31 ` [PATCH pve-manager v5 19/29] sdn: fabrics view: handle case where interfaces are deleted Stefan Hanreich
2026-05-12 17:31 ` [PATCH pve-manager v5 20/29] ui: fabrics: split node selector creation and config Stefan Hanreich
2026-05-12 17:31 ` [PATCH pve-manager v5 21/29] ui: fabrics: edit: make ipv4/6 support generic over fabric panels Stefan Hanreich
2026-05-12 17:31 ` [PATCH pve-manager v5 22/29] ui: fabrics: node: make ipv4/6 support generic over edit panels Stefan Hanreich
2026-05-12 17:31 ` [PATCH pve-manager v5 23/29] ui: fabrics: interface: " Stefan Hanreich
2026-05-12 17:31 ` [PATCH pve-manager v5 24/29] ui: fabrics: wireguard: add interface edit panel Stefan Hanreich
2026-05-12 17:41 ` Stefan Hanreich
2026-05-12 17:31 ` [PATCH pve-manager v5 25/29] ui: fabrics: wireguard: add node " Stefan Hanreich
2026-05-12 17:31 ` [PATCH pve-manager v5 26/29] ui: fabrics: wireguard: add fabric " Stefan Hanreich
2026-05-12 17:31 ` [PATCH pve-manager v5 27/29] ui: fabrics: hook up wireguard components Stefan Hanreich
2026-05-12 17:31 ` [PATCH pve-manager v5 28/29] fabrics: node edit: add option to include wireguard interfaces Stefan Hanreich
2026-05-12 17:31 ` [PATCH pve-docs v5 29/29] sdn: fabrics: add section about wireguard Stefan Hanreich
2026-05-12 17:38 ` Stefan Hanreich [this message]
2026-05-13 2:51 ` partially-applied: [PATCH cluster/docs/manager/network/proxmox{-ve-rs,-perl-rs} v5 00/29] Add WireGuard as protocol to SDN fabrics Thomas Lamprecht
2026-05-15 5:02 ` applied: " Thomas Lamprecht
2026-05-15 5:04 ` Thomas Lamprecht