Rather than creating a LAN with a cloud provider's vSwitch or other proprietary networking tool, creating a dependency on them, I would much prefer to use Wireguard for portability.
But after configuring Wireguard on my Proxmox hosts, and configuring Proxmox SDN VXLAN, it seems as though there's a race condition whereby the vnet does not wait for Wireguard to initialise and as a result, it leaks transient MAC addresses to the cloud provider's network during a reboot, which subsequently triggers their automated "abuse" system. The "Unallowed" MAC addresses disappear and there's no trace of logs referencing them, and there's no evidence of leakage after wg0 comes UP. I can only assume that repeated violations of this policy will not be tolerated.
It seems as though one fix would be to split SDN networks into separate systemd services that can be configured to wait for Wireguard to complete its setup before they begin, however the thought of customising this does not appeal to me given all the things that can go wrong. As it stands, I cannot identify a simple solution. I tried systemd overrides for Wireguard and pve-cluster with the help of LLMs, but in each instance there was a deadlock.
Is this not a common problem? Or is there a common workaround? I would have thought using Wireguard and Proxmox SDN together would be a common use case.