Build a global secure L2 network with GRE over WireGuard
Introduction
GRE is a long-standing technology whose GRETAP mode carries Layer 2 frames over a Layer 3 network. It has prerequisites, however: both endpoints must have direct Layer 3 connectivity to each other (no NAT devices in between). In addition, GRE has no encryption of its own, which makes it unsuitable on its own for secure tunnels across the WAN.
WireGuard, on the other hand, solves the problem of establishing secure tunnels over the internet, but it operates at Layer 3 (a TUN device), so Layer 2 functionality such as broadcast and multicast is not available. In practice this means that WireGuard alone cannot support features such as automatic IP address allocation or local screen mirroring within a LAN.
The combination of these two technologies can effectively meet the requirements for Layer 2 networking over the internet.
It can achieve the following functionalities:
- Directly access the home LAN from a remote office, including the possibility of screen mirroring to a TV at home.
- Access home server resources while using the internet connection at home, even in untrusted network environments.
The overall approach is as follows:
- Build a WireGuard tunnel.
- Set up GRETAP over IPv4 to make the most of the available MTU. If several devices need to be networked, VXLAN can be used to simplify the GRETAP configuration; the details will be covered in the next article.
- Configure network bridging and VLAN on both devices.
Environment Preparation
The specific steps on two OpenWrt devices are as follows:
1. Install the necessary software packages luci-app-wireguard and luci-proto-gre, along with their dependencies, and restart the devices.
opkg update
opkg install luci-app-wireguard luci-proto-gre
2. Create a WireGuard tunnel and configure the firewall.
- Under Network -> Interfaces, click "Add new interface". Choose any name and select the "WireGuard VPN" protocol.

In the General Settings tab, perform the following actions:
- Click "Generate new key pair" to generate a new key pair. The Public Key will be needed when configuring the other peer.
- Set the Listen Port to 65520 or any other desired number.
- Set the IP Addresses. Use different addresses on the two devices: 198.18.20.1/28 (Device A) and 198.18.20.2/28 (Device B). You can choose your own addresses; just make sure they don't overlap with the IP ranges already used in your network.
In the Advanced Settings tab, perform the following actions:
- Uncheck the "Use default gateway" and "Delegate IPv6 prefixes" options.
- Set the MTU to the WAN interface MTU minus 60 (20 bytes of IPv4 header, 8 bytes of UDP header and 32 bytes of WireGuard overhead). If your WAN interface MTU is 1492 (common in PPPoE dial-up scenarios), enter 1432 or a smaller value. If the peers reach each other over IPv6, subtract 80 instead (the IPv6 header is 40 bytes), giving 1412.
In the Peers tab, perform the following actions:
- Click "Add Peer". On Device B, enter the Public Key generated earlier on Device A in the "Public Key" field (and do the same the other way round on Device A).
- Set the Description to something you can easily recognise.
- In the "Allowed IPs" field, enter 198.18.20.1/32 on Device B and 198.18.20.2/32 on Device A. This lets each device reach the other's tunnel address; note that the prefix length here is /32.
- Check the "Route Allowed IPs" option.
- For "Endpoint Host" and "Endpoint Port", enter the other device's details on at least one of the two devices. If both devices have public IP addresses, you can enter the respective information on each. For example, on Device A, enter Device B's WAN public IP as the Endpoint Host and Device B's Listen Port as the Endpoint Port.
- Set "Persistent Keep Alive" to a value such as 25. If you did not enter an Endpoint Host and Endpoint Port, this field can be left empty.
With the above steps, the configuration for WireGuard is complete.
3. Configure the firewall

4. Configure the GRE tunnel.
- Under Network -> Interfaces, click "Add new interface". Choose any name and select the "GRETAP tunnel over IPv4" protocol.
In the General Settings tab, perform the following actions:
- Enter the Remote IPv4 address or FQDN (the WireGuard address of the other device) and the Local IPv4 address (the address of the local WireGuard interface).
In the Advanced Settings tab, perform the following actions:
- Override the MTU: subtract 46 from the WireGuard MTU.
- Uncheck the "Use default gateway" and "Delegate IPv6 prefixes" options.
Configure both devices with the above settings, and you will have a Layer 2 connection with VLAN support.
5. Configure the switch
Next, configure the bridge according to your needs. The recommended approach is to add the GRETAP interface as a bridge port of the br-lan device (you need to enter the device name manually; it can be found on the Interfaces page and starts with gre4t-tap_ followed by your GRE tunnel name). Use bridge VLAN filtering to manage the VLANs.
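The same configuration as steps 2, 4 and 5 above, expressed as OpenWrt UCI commands so it can be reviewed and reproduced on both devices without clicking through LuCI. This is an added example, not part of the original post or of OpenWrt itself; the interface names wg0 and gre0, the angle-bracket placeholders, and the assumption that br-lan is the first "config device" section are all mine.

```shell
#!/bin/sh
# Added example, not from the original post: print the OpenWrt UCI commands that
# match LuCI steps 2, 4 and 5 above. Review the output before piping it into sh.
# Interface names wg0/gre0 and the placeholders in angle brackets are assumptions.
# MTU budget from the post: WireGuard costs 60 bytes over IPv4 (20 IP + 8 UDP +
# 32 WireGuard) or 80 over IPv6 (40 + 8 + 32); GRETAP sits 46 below that.
wg_mtu() { # $1 = WAN MTU, $2 = outer IP family (4 or 6)
    if [ "$2" = "6" ]; then echo $(( $1 - 80 )); else echo $(( $1 - 60 )); fi
}
gretap_mtu() { # $1 = WireGuard MTU
    echo $(( $1 - 46 ))
}
# emit_uci WAN_MTU FAMILY LOCAL_WG_IP PEER_WG_IP PEER_PUBKEY [ENDPOINT_HOST ENDPOINT_PORT]
# Omit the endpoint arguments on the side whose peer has no reachable address.
# br-lan is assumed to be the first "config device" section, i.e. @device[0].
emit_uci() {
    wan_mtu=$1; fam=$2; local_ip=$3; peer_ip=$4; peer_key=$5; ep_host=$6; ep_port=$7
    wgmtu=$(wg_mtu "$wan_mtu" "$fam"); gremtu=$(gretap_mtu "$wgmtu")
    cat <<EOF
uci set network.wg0=interface
uci set network.wg0.proto='wireguard'
uci set network.wg0.private_key='<LOCAL_PRIVATE_KEY>'
uci set network.wg0.listen_port='65520'
uci add_list network.wg0.addresses='${local_ip}/28'
uci set network.wg0.mtu='${wgmtu}'
uci set network.wg0.defaultroute='0'
uci set network.wg0.delegate='0'
uci add network wireguard_wg0
uci set network.@wireguard_wg0[-1].public_key='${peer_key}'
uci add_list network.@wireguard_wg0[-1].allowed_ips='${peer_ip}/32'
uci set network.@wireguard_wg0[-1].route_allowed_ips='1'
EOF
    if [ -n "$ep_host" ]; then cat <<EOF
uci set network.@wireguard_wg0[-1].endpoint_host='${ep_host}'
uci set network.@wireguard_wg0[-1].endpoint_port='${ep_port}'
uci set network.@wireguard_wg0[-1].persistent_keepalive='25'
EOF
    fi
    cat <<EOF
uci set network.gre0=interface
uci set network.gre0.proto='gretap'
uci set network.gre0.ipaddr='${local_ip}'
uci set network.gre0.peeraddr='${peer_ip}'
uci set network.gre0.mtu='${gremtu}'
uci set network.gre0.defaultroute='0'
uci set network.gre0.delegate='0'
uci add_list network.@device[0].ports='<GRETAP_DEVICE_NAME_FROM_INTERFACES_PAGE>'
uci commit network
EOF
}
```

Run it once per device with that device's own tunnel address first, e.g. `emit_uci 1492 4 198.18.20.1 198.18.20.2 <DEVICE_B_PUBLIC_KEY> <DEVICE_B_WAN_IP> 65520` on Device A, and fill in the placeholders before applying.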