Using OpenBSD and vxlan to overlay remote lans
Have you ever wanted to "merge" two or more remote LANs between your virtualized hosts? So did we, back when we were preparing the OpenBSD system that would act as the gateway for the du 2014 Hackathon.
Part of the hackathon's scoring process relies on the ability to distinguish source and destination hardware Ethernet (MAC) addresses. This is easy for clients that are directly connected to the gateway, but how do you connect an entire virtualized infrastructure that is split across two different ESXi servers? Enter the "Virtual Extensible LAN" (VXLAN). OpenBSD has supported VXLAN since version 5.5; as the (exceptional) OpenBSD manual pages put it:
"The vxlan interface is a tunnelling pseudo-device for overlaying virtualized layer 2 networks over layer 3 networks."
This blog post outlines the steps required to configure VXLAN tunnelling between two hosts.
A bit of background
We assume we already have two OpenBSD systems and want to integrate one of them (client01) into the DMZ network hosted on the remote gateway.
Here is what the network looks like
and this is how we want to make it "look like"
The implementation
Enable packet forwarding on both hosts, as the vxlan interface needs it, by ensuring the following line is present in /etc/sysctl.conf
net.inet.ip.forwarding=1
On gw
Prepare the configuration for the bridge interface by editing /etc/hostname.bridge0
add vxlan0
add em1
up
Reconfigure the internal interface em1 so that /etc/hostname.em1 contains only the following
up
Prepare the configuration for the vxlan interface by editing /etc/hostname.vxlan0
tunnel 1.1.1.1 2.2.2.2 vnetid 1 inet 10.0.0.1/24
Configure PF to allow the VXLAN traffic by adding something like the following to /etc/pf.conf
pass in on em0 proto udp from 2.2.2.2 to port 4789
Activate the changes (or simply reboot)
ifconfig em1 delete
sysctl net.inet.ip.forwarding=1
sh /etc/netstart em1
sh /etc/netstart vxlan0
sh /etc/netstart bridge0
On client
Configure the vxlan interface by editing /etc/hostname.vxlan0
tunnel 2.2.2.2 1.1.1.1 vnetid 1 inet 10.0.0.2/24
Configure PF to allow the VXLAN traffic by adding something like the following to /etc/pf.conf
pass in on em0 proto udp from 1.1.1.1 to port 4789
Activate the changes (or simply reboot)
sysctl net.inet.ip.forwarding=1
sh /etc/netstart vxlan0
At this point client01 is reachable at 10.0.0.2 and the remote gw is reachable at 10.0.0.1. What's more, as far as the gateway is concerned, client01 appears to be physically connected to the same LAN.
Final notes
Please keep in mind that
- the usage outlined in this blog is for demonstration purposes only
- vxlan offers no encryption
- vxlan offers no real security
- vxlan is not a VPN solution
- UDP port 4789 is used, with all the problems and benefits inherent to UDP.
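To make the "no encryption" caveat concrete, here is an added Python example (not part of the original post) that builds and decodes the UDP payload as it crosses the underlay on port 4789: the VNI and the inner Ethernet header, both MAC addresses included, are readable by anyone who can capture the traffic between 1.1.1.1 and 2.2.2.2. The vnetid value 1 is taken from the configuration above; the MAC addresses and the inner payload are constructed.

```python
import struct

VXLAN_UDP_PORT = 4789        # destination port passed by the pf rules above
VXLAN_FLAG_VNI_VALID = 0x08  # "I" bit: the VNI field is valid
VXLAN_HEADER_LEN = 8
ETHER_HEADER_LEN = 14


def _mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def _bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_vxlan_frame(vni, dst_mac, src_mac, ethertype, payload):
    """Assemble the UDP payload gw and client01 exchange: a VXLAN header
    (flags, 24-bit VNI) followed by the unmodified inner Ethernet frame."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    # Header layout: 1 byte flags, 3 reserved bytes, 24-bit VNI, 1 reserved byte.
    header = struct.pack("!B3xI", VXLAN_FLAG_VNI_VALID, vni << 8)
    inner = _mac_to_bytes(dst_mac) + _mac_to_bytes(src_mac) + struct.pack("!H", ethertype)
    return header + inner + payload


def parse_vxlan_frame(data):
    """Decode what an observer of the underlay sees in a port-4789 datagram:
    the VNI plus the inner destination/source MACs and EtherType, in clear."""
    if len(data) < VXLAN_HEADER_LEN + ETHER_HEADER_LEN:
        raise ValueError("too short for a VXLAN header plus inner Ethernet header")
    flags, vni_field = struct.unpack("!B3xI", data[:VXLAN_HEADER_LEN])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VNI valid flag not set; not a well-formed VXLAN header")
    inner = data[VXLAN_HEADER_LEN:]
    ethertype, = struct.unpack("!H", inner[12:14])
    return {
        "vni": vni_field >> 8,
        "dst_mac": _bytes_to_mac(inner[0:6]),
        "src_mac": _bytes_to_mac(inner[6:12]),
        "ethertype": ethertype,
        "payload": inner[14:],
    }


# Constructed sample: vnetid 1 from the post, MACs made up for illustration,
# carrying a minimal (all-zero) 20-byte IPv4 payload.
SAMPLE_FRAME = build_vxlan_frame(1, "00:11:22:33:44:55", "66:77:88:99:aa:bb", 0x0800, bytes(20))

if __name__ == "__main__":
    print(parse_vxlan_frame(SAMPLE_FRAME))
```

The same cleartext visibility is what lets the gateway see the real MAC addresses for scoring, and also why the tunnel should be treated as an untrusted transport.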
That being said, here are a couple of use cases where vxlans might be ideal:
- Overlay 2 remote hypervisor networks
- Make devices, that take no default gateway configuration, available to remote networks (embedded systems with messy network implementations)
- Participate on a remote lan party :)
- Testing/troubleshooting layer 2 services (dhcpd, rarpd, pxe etc)
Thanks for taking the time to read this blog post, I hope you enjoyed it. If you have any questions you can reach me on Twitter at @PantelisRoditis. If you require professional assistance with your OpenBSD servers, feel free to contact us.