wgX iface as slave to a bridge - Linux

Ivan Labáth labawi-wg at matrix-dream.net
Tue Apr 27 19:49:00 UTC 2021

Normally, you would use routing (L3) instead of bridging (L2).
Conceptually, the connectivity should work about the same,
as long as you configure your routes and enable forwarding.
Routes need to be configured on the host, not container-only,
but if assign a subnet to a bridge, devices can use addresses
from it without intervention on the host.

If you want roaming addresses, you could do live route
updates on your wireguard links and host routing table
for a native L3 solution. For a pre-existing automated
solution, you can use a some kind of routing service,
usually with multiple additional layers of encapsulation,
as others have mentioned.


On Sun, Apr 25, 2021 at 02:13:24PM +0100, lejeczek wrote:
> On 25/04/2021 13:21, Chriztoffer Hansen wrote:
> > What is your use case behind the question?
> >
> Containers. Simple (but also can be complex too as scales 
> easily) case where containers would be glued together and be 
> able to communicate across nodes/hosts via wireguard 
> tunnel/link.
> I'm looking at it from a 'regular' admin standpoint.
> Then it'd be just one wiregurard host-to-host link which all 
> container could utilize, as oppose to separate wireguard 
> for/in each container.
> many thanks, L.

More information about the WireGuard mailing list