Is it possible to create a private network (LAN) with a VPN, if yes, how?

So, hello again!

Currently I have four dedicated machines, they are not connected via cable or anything like that, but sometimes I do need for containers in different machines to communicate between them.

What I’m currently doing right now is communicating over the machine’s public IP address and port forwarding + adding an IP filter. And while this works… it is not secure, and maintenance is a hassle: if I move the VM/LXC container to another machine I need to update every single application that was connecting to the app (because their IP changed), VM live migration is impossible due to the public IP changing, and there are other issues.

So what I thought is hosting a VPN (with Wireguard) and connecting all the containers to my VPN, which would technically allow me to have a “private” LAN over a VPN, and because Wireguard allows you to specify what IPs are going to go over the VPN (example: only IPs in the 192.168.0.1/16 subnet will be routed via the VPN) I wouldn’t need to worry about routing unnecessary traffic via the VPN (example: I don’t need to route an HTTP request to Google over the VPN, but anything that is related to my containers should), yay! …but how could I do that?

While I was able to create a VPN between two VMs (and it worked fine, Wireguard is very easy to use :)), I didn’t want to set up Wireguard on every single VM/LXC container just to have a VPN connection to my “private LAN”…

What I tried doing is hosting Wireguard on the Proxmox host itself (I know… bad idea, but it was just to see what would happen) and adding the interface to /etc/network/interfaces… but well, using wg0 as the interface name just causes Proxmox to not recognize the interface and doesn’t allow you to use it, and using vmbr1 causes errors on LXC container/VM startup.

I think it is possible (why wouldn’t it be? after all, you can do this manually by setting up client connections inside of the VM/container) but I can’t find any tutorial explaining how to do it (most of the threads are about OpenVPN, and sadly none of them has at least an example on how to do it). Most of the threads that I found related to this are people talking about routing all the cluster network via a VPN (which I don’t want) or hosting a VPN inside of a VM/LXC container (again, not really what I want to do).

tl;dr: Is it possible to create a private LAN between multiple machines with Wireguard in Proxmox without needing to configure Wireguard on every single VM/LXC container (allowing you to configure interfaces/IPs directly on the Proxmox interface)? If yes, how do you set that up?

This is networking, you don’t need a VPN.

Create a second bridge on each proxmox host and add the CTs to it only. Create an interface bound to these bridges on each host. Add a route to each new interface to tell traffic on that bridge how to reach the isolated bridge on the other host.

Alternatively, use VLANs.

This is what I ended up doing, I was upgrading one of my dedicated servers to Proxmox 6 (woo Proxmox 5 EOL, running outdated software in production!) so due to having a bit of downtime I decided to play around with the experimental SDN support again.

I created a VXLAN network on my clusters and, after a bunch of tries (I was trying to do that for three whole days; in the end I always gave up because I didn’t have the patience to keep my prod servers offline for a long time just because it didn’t want to work. This was the reason I created this post, because my VXLAN network was having issues and I just couldn’t figure out why), it works! Currently there isn’t any encryption, but the SDN plugin dev said that it may be implemented soon™️

I did have some issues with it (https://forum.proxmox.com/threads/proxmox-6-2-sdn-beta-test.69655/page-13) but looks like most of my issues were just me being dumb and not knowing a lot about networking. :stuck_out_tongue:

I haven’t tested with something that requires a persistent connection yet, but for webapps it looks like it is working fine (nginx in machine1, reverse proxying to an app in machine2).

https://pve.proxmox.com/pve-docs/chapter-pvesdn.html

If the servers need to be isolated and separate, you can build a VPN network across the WAN and then place your hosts behind the VPN in a NATed network with firewall rules. You can then set up site-to-site routing so the servers can talk to each other freely, and then only the services that need to be on the WAN are on the WAN. You can buy/build routers that have firewalls + VPN services pretty cheap, it just depends on your needed bandwidth. So site one could be 10.1.0.0/16, site two could be 10.2.0.0/16 and site three can be 10.3.0.0/16, and VPN to VPN can be routed between the sites for you.
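The three approaches in this thread (the OP’s “only route my container subnets over Wireguard” idea, the “second bridge plus a route per host” reply, and the site-to-site 10.1/10.2/10.3 layout just above) all hinge on the same mechanism: WireGuard’s AllowedIPs list decides which destinations enter the tunnel and which peer gets them, and the same list is also an inbound source filter after decryption, so a peer cannot inject packets claiming to come from another site’s subnet. The script below is an added illustration, not code from the thread or from Proxmox/WireGuard: it parses a constructed wg0.conf for “host A” (placeholder keys, example endpoints, and the hypothetical names host A/B/C are all assumptions), performs WireGuard-style longest-prefix lookup over AllowedIPs, and shows where a packet from a container on host A’s vmbr1 would go.

```python
"""Simulate WireGuard cryptokey routing for a multi-host Proxmox-style setup.

Constructed scenario (not the thread's real config): host A's private bridge
vmbr1 is 10.1.0.0/16, host B's is 10.2.0.0/16, host C's is 10.3.0.0/16.
Each host runs wg0 and lists only the *other* hosts' bridge subnets in
AllowedIPs, so container-to-container traffic enters the tunnel while
everything else (e.g. an HTTP request to 8.8.8.8) takes the normal default
route and is never encrypted or forwarded by WireGuard.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed wg0.conf for host A. Keys and endpoints are placeholders.
HOST_A_WG0_CONF = """
[Interface]
Address = 192.168.100.1/24
ListenPort = 51820
PrivateKey = <placeholder-host-a-private-key>

[Peer]
# host B
PublicKey = <placeholder-host-b-public-key>
Endpoint = 203.0.113.20:51820
AllowedIPs = 192.168.100.2/32, 10.2.0.0/16
PersistentKeepalive = 25

[Peer]
# host C
PublicKey = <placeholder-host-c-public-key>
Endpoint = 203.0.113.30:51820
AllowedIPs = 192.168.100.3/32, 10.3.0.0/16
"""

# Host A's own bridge subnet: traffic for it stays on vmbr1, never touches wg0.
LOCAL_BRIDGE_SUBNETS = [ipaddress.ip_network("10.1.0.0/16")]


@dataclass
class Peer:
    name: str = ""
    public_key: str = ""
    endpoint: Optional[str] = None
    allowed_ips: List[ipaddress.IPv4Network] = field(default_factory=list)


def parse_wg_conf(text: str) -> List[Peer]:
    """Parse the [Peer] sections of a wg-quick style config.

    A comment line directly under [Peer] is used as the peer's display name
    (an assumption of this example; WireGuard itself ignores comments).
    """
    peers: List[Peer] = []
    current: Optional[Peer] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if current is not None and current.name == "":
                current.name = line.lstrip("# ").strip()
            continue
        if line == "[Peer]":
            current = Peer()
            peers.append(current)
            continue
        if line.startswith("["):
            current = None  # [Interface] holds no routing information
            continue
        if current is None:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "PublicKey":
            current.public_key = value
        elif key == "Endpoint":
            current.endpoint = value
        elif key == "AllowedIPs":
            current.allowed_ips.extend(
                ipaddress.ip_network(p.strip()) for p in value.split(","))
    return peers


def select_peer(peers: List[Peer], address: str) -> Optional[Peer]:
    """Longest-prefix match of an address against every peer's AllowedIPs.

    Returns None when no peer claims the address; for outbound traffic that
    means the packet never enters wg0 (wg-quick only installs routes for the
    AllowedIPs prefixes).
    """
    addr = ipaddress.ip_address(address)
    best, best_len = None, -1
    for peer in peers:
        for net in peer.allowed_ips:
            if addr in net and net.prefixlen > best_len:
                best, best_len = peer, net.prefixlen
    return best


def accept_inbound(peers: List[Peer], from_peer: str, src: str) -> bool:
    """Inbound filter: a decrypted packet is only delivered if its source IP
    maps back to the peer that sent it. Host B cannot spoof 10.3.0.0/16."""
    owner = select_peer(peers, src)
    return owner is not None and owner.name == from_peer


def next_hop(peers: List[Peer], dst: str) -> str:
    """Where host A sends a packet originating from a container on vmbr1."""
    addr = ipaddress.ip_address(dst)
    if any(addr in net for net in LOCAL_BRIDGE_SUBNETS):
        return "vmbr1 (local bridge)"
    peer = select_peer(peers, dst)
    if peer is None:
        return "default route (not tunnelled)"
    return f"wg0 -> {peer.name} via {peer.endpoint}"


if __name__ == "__main__":
    peers = parse_wg_conf(HOST_A_WG0_CONF)
    for dst in ("10.1.3.4", "10.2.5.7", "10.3.0.9", "8.8.8.8"):
        print(f"{dst:>10} -> {next_hop(peers, dst)}")
    print("host B claims 10.3.0.10:", accept_inbound(peers, "host B", "10.3.0.10"))
```

The inbound check is the part worth keeping in mind when building a “private LAN” this way: because AllowedIPs is enforced on both directions, a compromised or misconfigured host can only talk as the subnets you assigned to it, which is the isolation property the thread’s bridge-plus-route and site-to-site variants are after.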

Check out ZeroTier. I think it does exactly what you want.

I don’t really know too much about networking (I’m a developer so I never messed around too much with networking). Do you have any tutorials or explanations on how to do this? Thanks!

Um, just look up those concepts? They are networking fundamentals. It’s the same premise as your VPN idea, but without the encryption.

For someone who has “not messed around too much with networking”, you posted a pretty networking-specific question.

I ended up creating a VXLAN network, very similar to VLANs (and the Proxmox SDN plugin actually supports VLANs too) https://www.reddit.com/r/Proxmox/comments/jrc36g/is_it_possible_to_create_a_private_network_lan/gbtwxbz/

But yes, I didn’t mess too much with networking because while I know about networking (not too much, I still break stuff a lot and make dumb mistakes on my network) I’m not really an “expert” or even an “advanced” network person, that’s why I said that “I don’t know a lot about networking”, because most of the stuff I know is pretty basic stuff that I learned via tutorials or even the Proxmox docs. :stuck_out_tongue: