TL;DR

A Hacker News thread asked whether to layer VXLAN on top of WireGuard or the other way around when crossing public networks. Commenters highlighted trust boundaries, encryption, MTU overhead and asked what specific problem the asker is trying to solve.

What happened

A recent Ask HN post raised the question of whether to place VXLAN over WireGuard or WireGuard over VXLAN when sending traffic across public networks, with the poster noting that deep recursion (for example WireGuard inside VXLAN inside WireGuard) is inadvisable. Respondents pointed to the OpenBSD VXLAN manual, which advises that VXLAN is intended for trusted environments, and argued that putting VXLAN inside an encrypted tunnel such as WireGuard or IPsec may be safer. Other contributors asked about the use case and why networks are being linked across the public internet. Practical concerns surfaced: WireGuard was described as a layer‑3 transport, VXLAN as a layer‑2‑like encapsulation carried over layer 3, only WireGuard and IPsec were noted as providing encryption, and extra encapsulation was flagged for reducing effective MTU and raising fragmentation risk. One commenter compared the pattern to layered routing practices used inside large providers.

Why it matters

  • Layer order affects security: VXLAN assumes a trusted underlay while WireGuard provides encryption for untrusted links.
  • Additional encapsulation reduces usable MTU and can increase packet fragmentation and complexity.
  • Operational visibility and troubleshooting change depending on whether you carry L2 (VXLAN) or L3 (WireGuard) across the tunnel.
  • Choosing the wrong layering can expose traffic on untrusted networks or add unnecessary overhead.

Key facts

  • The original poster asked whether to run VXLAN over WireGuard or WireGuard over VXLAN for traversal of public networks.
  • A respondent cited the OpenBSD VXLAN manual, noting VXLAN is intended for use in trusted environments.
  • Several commenters recommended placing VXLAN inside an encrypted tunnel (WireGuard or IPsec) rather than exposing VXLAN over the public internet.
  • WireGuard was described in the thread as a layer‑3 transport.
  • VXLAN was described as a layer‑2‑like encapsulation that runs over layer 3.
  • Only WireGuard and IPsec were mentioned as providing encryption for in‑transit traffic in the discussion.
  • Additional headers from encapsulation reduce the maximum usable packet size and can cause fragmentation or partial packet loss.
  • Some commenters asked the original poster to explain their intended use case and why networks needed linking over the public internet.
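The MTU and exposure points above can be made concrete. The following is an added example, not code from the thread or any of the projects mentioned; it models the two layerings with standard IPv4 header sizes (20-byte IP, 8-byte UDP, 32-byte WireGuard data header, 8-byte VXLAN header, 14-byte inner Ethernet header) and reports the inner MTU that survives and which fields an on-path observer can read in cleartext.

```python
"""Added example (constructed model): MTU budget and on-the-wire exposure
for VXLAN-over-WireGuard versus WireGuard-over-VXLAN. IPv4 outer headers
are assumed; WireGuard's own default MTU of 1420 budgets for IPv6 instead."""
from dataclasses import dataclass

IPV4, UDP, ETHERNET = 20, 8, 14
WG_DATA_HDR = 32   # 4 type/reserved + 4 receiver index + 8 counter + 16 Poly1305 tag
VXLAN_HDR = 8

@dataclass(frozen=True)
class Layer:
    name: str
    overhead: int    # bytes added per packet, excluding the link-layer header of the path
    encrypts: bool   # True if everything it carries is ciphertext on the wire
    exposes: tuple   # fields readable by an on-path observer when this layer is visible

WIREGUARD = Layer("WireGuard", IPV4 + UDP + WG_DATA_HDR, True,
                  ("endpoint IPs", "UDP ports", "packet counter"))
# VXLAN carries a whole inner Ethernet frame and has no encryption or
# authentication, so whatever sits inside it is readable and injectable
# by anyone on the underlay; that is why it assumes a trusted environment.
VXLAN = Layer("VXLAN", IPV4 + UDP + VXLAN_HDR + ETHERNET, False,
              ("endpoint IPs", "VNI", "inner MACs", "inner IP headers"))

def inner_mtu(path_mtu, stack):
    """Largest inner IP packet that fits path_mtu when wrapped by stack (outermost first)."""
    mtu = path_mtu
    for layer in stack:
        mtu -= layer.overhead
    return mtu

def cleartext_exposure(stack):
    """Fields an observer on the public network can read: every layer down to
    and including the first one that encrypts."""
    exposed = []
    for layer in stack:
        exposed.extend(layer.exposes)
        if layer.encrypts:
            break
    return exposed

def fragments(path_mtu, stack, inner_packet_len):
    """True if an inner packet of this size needs fragmentation (or PMTUD) to pass."""
    return inner_packet_len > inner_mtu(path_mtu, stack)

if __name__ == "__main__":
    for label, stack in (("VXLAN over WireGuard", (WIREGUARD, VXLAN)),
                         ("WireGuard over VXLAN", (VXLAN, WIREGUARD))):
        print(f"{label}: inner MTU {inner_mtu(1500, stack)} bytes, "
              f"cleartext: {', '.join(cleartext_exposure(stack))}")
```

Both orders cost the same 110 bytes on a 1500-byte path, leaving a 1390-byte inner MTU; the orders differ only in whether the VNI, inner MAC and inner IP headers cross the public network in the clear.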

What to watch next

  • MTU and fragmentation effects from added encapsulation when combining VXLAN and WireGuard.
  • Whether the VXLAN traffic will traverse untrusted public networks or remain within a controlled, trusted underlay.
  • Whether an encrypted underlay (WireGuard or IPsec) will be used to protect VXLAN encapsulated traffic.

Quick glossary

  • VXLAN: An encapsulation protocol that extends layer‑2 networks over layer‑3 infrastructure, commonly used for virtualized network overlays.
  • WireGuard: A lightweight VPN protocol that provides encrypted point‑to‑point layer‑3 tunnels between endpoints.
  • IPsec: A suite of protocols for securing IP communications by authenticating and encrypting each IP packet of a communication session.
  • MTU: Maximum Transmission Unit; the largest size of a packet that can be transmitted without fragmentation on a network path.

Reader FAQ

Which order is definitively better: VXLAN over WireGuard or WireGuard over VXLAN?
Commenters did not reach a single definitive rule, though several suggested running VXLAN inside an encrypted tunnel (e.g., WireGuard) because VXLAN is intended for trusted underlays.

Is nesting multiple tunnels (recursive layering) recommended?
The original post and respondents advised against deep recursive setups such as WireGuard inside VXLAN inside WireGuard.

Does VXLAN provide encryption on its own?
No; the discussion noted that VXLAN does not provide encryption and that WireGuard or IPsec would be needed to encrypt traffic in transit.

Does Google use a similar layered approach internally?
A commenter claimed Google uses layered routing internally, but that assertion is not confirmed in the source.

Sources

  • Hacker News: "Ask HN: Vxlan over WireGuard or WireGuard over Vxlan?" (15 points, posted by mlhpdx)
