Using OpenBSD and vxlan to overlay remote lans

Have you ever wanted to "merge" two or more remote lans between your virtualized hosts? So did we, back when we were preparing the OpenBSD system that would act as a gateway for the du 2014 Hackathon.

Part of the scoring process of the hackathon is the ability to distinguish source and destination hardware ethernet addresses (MAC). This is easy for the clients that are directly connected to the gateway, but how do you connect an entire virtualized infrastructure that is split amongst two different ESXi servers? Enter the "Virtual Extensible LAN" (vxlan). OpenBSD has supported VXLANs since version 5.5, and the (exceptional) OpenBSD manual pages describe the interface as follows:

"The vxlan interface is a tunnelling pseudo-device for overlaying virtualized layer 2 networks over layer 3 networks."

The following blog post will outline the steps required to configure VXLAN tunneling between two hosts.

A bit of background

We assume we already have two OpenBSD systems and want to integrate one of them (client01) into the DMZ network hosted on the remote gateway.

Here is what the network looks like:

Existing network topology

and this is how we want to make it "look like":

Network topology after modification

The implementation

Enable packet forwarding on both hosts, as it is needed by the vxlan interface, by ensuring the following line is present in your /etc/sysctl.conf

net.inet.ip.forwarding=1

On gw

Prepare the configuration for the bridge interface by editing the /etc/hostname.bridge0

add vxlan0
add em1
up

Reconfigure the internal interface em1 so that it only becomes a bridge member and carries no address of its own: /etc/hostname.em1 should contain nothing but the following

up

Prepare the configuration for the vxlan interface by editing the /etc/hostname.vxlan0

tunnel 1.1.1.1 2.2.2.2 vnetid 1
inet 10.0.0.1/24

Configure PF to allow the VXLAN traffic (UDP, port 4789) from the remote tunnel endpoint by adding something similar to your /etc/pf.conf

pass in on em0 proto udp from 2.2.2.2 to port 4789

Activate the changes, or simply reboot:

ifconfig em1 delete
sysctl net.inet.ip.forwarding=1
sh /etc/netstart em1
sh /etc/netstart vxlan0
sh /etc/netstart bridge0

On client

Configure the vxlan interface by editing the file /etc/hostname.vxlan0

tunnel 2.2.2.2 1.1.1.1 vnetid 1
inet 10.0.0.2/24

Configure PF to allow the VXLAN traffic (UDP, port 4789) from the remote tunnel endpoint by adding something similar to your /etc/pf.conf

pass in on em0 proto udp from 1.1.1.1 to port 4789

Activate the changes, or simply reboot:

sysctl net.inet.ip.forwarding=1
sh /etc/netstart vxlan0

At this point client01 is available at 10.0.0.2 and the remote gw is available at 10.0.0.1. What's more, as far as the gw side is concerned, client01 is considered physically connected to the same LAN, so its real MAC address is visible there.
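To see what actually crosses the wire between 1.1.1.1 and 2.2.2.2 on UDP port 4789 once the setup above is running, here is an added example (not part of the original post, and not OpenBSD code) that builds and parses a VXLAN datagram in Python. It shows that the 24-bit VNI (the vnetid 1 from the hostname.vxlan0 files) and the inner Ethernet frame, including the source and destination MACs the hackathon scoring relies on, travel in clear text. The MAC addresses and payload are constructed sample values.

```python
import struct

VXLAN_PORT = 4789          # UDP port used by vxlan(4), as in the pf rules above
VXLAN_I_FLAG = 0x08        # "I" flag: the VNI field is valid (RFC 7348)


def build_vxlan(vni: int, dst_mac: bytes, src_mac: bytes,
                ethertype: int, payload: bytes) -> bytes:
    """Return the UDP payload of a VXLAN packet carrying one Ethernet frame."""
    if not 0 <= vni < 2 ** 24:
        raise ValueError("VNI must fit in 24 bits")
    # 8-byte VXLAN header: flags(8) reserved(24) VNI(24) reserved(8)
    header = struct.pack(">B3s3sB", VXLAN_I_FLAG, b"\x00" * 3,
                         vni.to_bytes(3, "big"), 0)
    inner = struct.pack(">6s6sH", dst_mac, src_mac, ethertype) + payload
    return header + inner


def parse_vxlan(datagram: bytes) -> dict:
    """Parse a VXLAN datagram; returns the VNI and the inner frame's MACs.

    Nothing here is decrypted or authenticated: every field is readable by
    anyone who can observe the UDP packet on the path between the endpoints.
    """
    if len(datagram) < 8 + 14:
        raise ValueError("too short for VXLAN header plus inner Ethernet header")
    flags, _rsvd1, vni_bytes, _rsvd2 = struct.unpack(">B3s3sB", datagram[:8])
    if not flags & VXLAN_I_FLAG:
        raise ValueError("VXLAN I flag not set: no valid VNI")
    inner = datagram[8:]
    dst_mac, src_mac, ethertype = struct.unpack(">6s6sH", inner[:14])
    fmt = lambda m: ":".join(f"{b:02x}" for b in m)
    return {"vni": int.from_bytes(vni_bytes, "big"),
            "dst_mac": fmt(dst_mac), "src_mac": fmt(src_mac),
            "ethertype": ethertype, "inner_payload": inner[14:]}


# Constructed sample: a frame from client01 to gw inside vnetid 1.
SAMPLE = build_vxlan(1, bytes.fromhex("0a0000000001"),
                     bytes.fromhex("0a0000000002"), 0x0800, b"inner IP packet")

if __name__ == "__main__":
    print(parse_vxlan(SAMPLE))
```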

Final notes

Please keep in mind that

  • the usage outlined in this blog is for demonstration purposes only
  • vxlan offers no encryption
  • vxlan offers no real security
  • vxlan is not a VPN solution
  • UDP port 4789 is used, with all the inherent problems and benefits associated with UDP.

That being said, here are a couple of use cases where vxlans might be ideal:

  • Overlay 2 remote hypervisor networks
  • Make devices, that take no default gateway configuration, available to remote networks (embedded systems with messy network implementations)
  • Participate on a remote lan party :)
  • Testing/troubleshooting layer 2 services (dhcpd, rarpd, pxe etc)

Thanks for taking the time to read this blog post, I hope you enjoyed the reading. If you have any questions you can reach me through Twitter at @PantelisRoditis. If you require professional assistance with your OpenBSD servers feel free to contact us.
