The idea of "EVPN over wireguard" was to have all VM traffic between proxmox hosts encrypted. And I have it running like that for 2 years now without issues. So maybe you might find my setup useful, because it was simple to set up. Also I want to ask for external opinion before I switch production traffic to it.
I have a 3 node proxmox cluster set up with a wireguard tunnel between the three hosts.
- All the proxmox services are NOT using the wireguard bridge because I hope they anyway encrypt sensitive traffic using ssh (except ceph traffic maybe?).
- For VM traffic I am using EVPN and set it up such that the EVPN traffic between proxmox hosts is going through encrypted wireguard tunnels. I did this simply by using the wireguard IP addresses of the proxmox hosts as EVPN peers.
- Does this setup overall make sense?
- Is there something to worry about the setup with evpn peers using wireguard IPs to encrypt the VM traffic between proxmox hosts?
- I have read several times that EVPN in proxmox is not yet stable, but it has been running smoothly for over 2 years for me. Anything I should be concerned about if I now use EVPN for production workloads?
- Is it possible that the EVPN implementation in proxmox could automatically create these wireguard bridges by just ticking a checkbox somewhere?
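Added example (not from the original post or from Proxmox): a small Python check of the one invariant this design depends on, namely that every EVPN peer address is actually reachable only through the WireGuard tunnel, i.e. it is the local tunnel address or falls inside some peer's AllowedIPs. The controllers.cfg layout and both file contents are assumptions constructed for the example; a peer listed with an underlay address, or inside the wg subnet but without a matching AllowedIPs entry, would be reported.

```python
import ipaddress
import re

# Constructed sample of /etc/pve/sdn/controllers.cfg (layout assumed, not copied from a real host).
CONTROLLERS_CFG = """\
evpn: evpnctl
\tasn 65000
\tpeers 10.100.0.1,10.100.0.2,10.100.0.3
"""

# Constructed sample of /etc/wireguard/wg0.conf on the first host (keys are placeholders).
WG_CONF = """\
[Interface]
Address = 10.100.0.1/24
PrivateKey = <placeholder>
ListenPort = 51820

[Peer]
PublicKey = <placeholder-host2>
AllowedIPs = 10.100.0.2/32
Endpoint = 192.0.2.2:51820

[Peer]
PublicKey = <placeholder-host3>
AllowedIPs = 10.100.0.3/32
Endpoint = 192.0.2.3:51820
"""

def evpn_peers(text):
    """Return the addresses listed on 'peers' lines of a controllers.cfg-style text."""
    peers = []
    for line in text.splitlines():
        m = re.match(r"\s*peers\s+(.+)", line)
        if m:
            peers += [ipaddress.ip_address(p.strip()) for p in m.group(1).split(",")]
    return peers

def wg_reachable(text):
    """Return (local tunnel addresses, AllowedIPs networks) from a wg-quick config."""
    local, allowed = [], []
    for line in text.splitlines():
        m = re.match(r"\s*(Address|AllowedIPs)\s*=\s*(.+)", line)
        if not m:
            continue
        items = [x.strip() for x in m.group(2).split(",")]
        if m.group(1) == "Address":
            local += [ipaddress.ip_interface(x).ip for x in items]
        else:
            allowed += [ipaddress.ip_network(x, strict=False) for x in items]
    return local, allowed

def peers_outside_tunnel(controllers_cfg, wg_conf):
    """EVPN peers that WireGuard would not carry: BGP/VXLAN to them would use the plain underlay."""
    local, allowed = wg_reachable(wg_conf)
    return [str(p) for p in evpn_peers(controllers_cfg)
            if p not in local and not any(p in n for n in allowed)]

if __name__ == "__main__":
    leaking = peers_outside_tunnel(CONTROLLERS_CFG, WG_CONF)
    print("all EVPN peers are tunnel addresses" if not leaking else f"peers outside tunnel: {leaking}")
```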