/tags/bird/Recent content in Bird on Yet Another SysAdmin WebsiteHugo -- gohugo.ioen-us2026-04-10/blog/2026/04/10/toying-with-ospf-over-wireguard-on-freebsd/2026-04-10/blog/2026/04/10/toying-with-ospf-over-wireguard-on-freebsd/<h2 id="introduction">Introduction</h2> <p>For almost a decade, I have been operating my own mesh overlay network using a combination of point to point OpenVPN tunnels with OSPF on top. It was well automated with Ansible and served me well all these years.</p> <p>I decided it was time I tried to move this to Wireguard instead and spent a bit of time making it all work. This article does not explain everything I did, but will present some lessons I learned in the process.</p> <h2 id="routing-ospf-over-wireguard">Routing OSPF over Wireguard</h2> <p>By default, Wireguard encourages you to only allow the minimum set of IP prefixes over a Wireguard tunnel. It filters only that traffic, and conveniently populates a host&rsquo;s routing table with static routes to the tunnel for each allowed prefix.</p> <p>Wireguard also supports configuring multiple peers for a single Wireguard interface which is very convenient, but sadly cannot work with OSPF. Wireguard uses the allowed IP prefixes to decide which peer will receive a packet, and this is incompatible with a protocol that relies on multicast traffic in order to work. I therefore need one Wireguard interface per peer over which to run OSPF.</p> <p>Also since I need to route traffic for dynamically learned routes, the allowed IP filters pretty much need to be <code>0.0.0.0/0, ::/0</code> and cover everything. In practice I could also use the more restrictive <code>10/8, 172.16/12, 192.168/16, 224.0.0.5, 224.0.0.6, fd00::/8, fe80::/10, ff02::5, ff02::6</code>.</p> <p>Since I cannot have Wireguard insert multiple identical routes for all my Wireguard interfaces, I also need to disable this functionality. When using the popular <code>wg-quick</code> method, one needs to add <code>Table = off</code> to the <code>[Interface]</code> configuration. The native implementations do not need this, it is really only for <code>wg-quick</code>.</p> <p>My FreeBSD <code>/etc/start_if.wg0</code> config therefore looks like:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">ifconfig wg0 create up description <span class="s2">&#34;laptop&#34;</span> </span></span><span class="line"><span class="cl">ifconfig wg0 inet 172.31.254.0/31 </span></span><span class="line"><span class="cl">ifconfig wg0 inet6 fd00:172:31:254::/127 </span></span><span class="line"><span class="cl">ifconfig wg0 inet6 fe80::/64 </span></span><span class="line"><span class="cl">wg syncconf wg0 /etc/wg0.conf </span></span></code></pre></div><p>And the corresponding <code>/etc/wg0.conf</code> looks like:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="o">[</span>Interface<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="nv">PrivateKey</span> <span class="o">=</span> gFAoJwJSfA0A8g+FhfxHLWXj6+CZdmPH4EW5pghqv30<span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="nv">ListenPort</span> <span class="o">=</span> <span class="m">342</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>Peer<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="nv">PublicKey</span> <span class="o">=</span> bAg8bmMQxPFoNSG+Qq2VteCW4VUsi//VleBQBNa5Mno<span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="nv">AllowedIPs</span> <span class="o">=</span> 0.0.0.0/0,::/0 </span></span></code></pre></div><h2 id="freebsd-vs-linux-bridge-and-wireguard-interfaces">FreeBSD vs Linux bridge and wireguard interfaces</h2> <p>On FreeBSD, I had a little trouble making OSPF v3 (for IPv6) work on a detached bridge interface (that I use for VNET jails), and on a wireguard interface.</p> <p>The problem was that FreeBSD does not generate link-local IPv6 addresses for these kinds of interfaces, because they are not backed by a MAC address. And it turns out that the Bird routing daemon needs these link-local IPv6 addresses in order to work in point-to-point mode!</p> <p>Luckily these are in effect point-to-point interfaces, so it matters very little which link-local address I set manually. I just used <code>fe80::/64</code> everywhere and it worked.</p> <p>Linux does not have this issue and will assign random link-local addresses to all its interfaces which really made this a confusing debugging session.</p> <h2 id="some-pf-configuration-rules">Some PF configuration rules</h2> <p>While not something I learned this time around, I will record here that one can allow OSPF traffic via PF with:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">table &lt;myself&gt; const <span class="o">{</span> self <span class="o">}</span> </span></span><span class="line"><span class="cl">table &lt;private&gt; const <span class="o">{</span> 10/8, 172.16/12, 192.168/16, fd00::/8, fe80::/10 <span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">pass out from &lt;myself&gt; to any </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">pass on <span class="o">{</span> wg0, wg1 <span class="o">}</span> from &lt;private&gt; to &lt;private&gt; </span></span><span class="line"><span class="cl">pass on <span class="o">{</span> wg0, wg1 <span class="o">}</span> proto ospf allow-opts </span></span></code></pre></div><h2 id="some-bird-configuration">Some Bird configuration</h2> <p>Here is a basic Bird3 configuration to reproduce my setup:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">log syslog all<span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">router id 172.31.253.1<span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">protocol device <span class="o">{</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">protocol direct <span class="o">{</span> </span></span><span class="line"><span class="cl"> disabled<span class="p">;</span> </span></span><span class="line"><span class="cl"> ipv4<span class="p">;</span> </span></span><span class="line"><span class="cl"> ipv6<span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">protocol kernel <span class="o">{</span> </span></span><span class="line"><span class="cl"> ipv4 <span class="o">{</span> <span class="nb">export</span> all<span class="p">;</span> <span class="o">}</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> persist<span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">protocol kernel <span class="o">{</span> </span></span><span class="line"><span class="cl"> ipv6 <span class="o">{</span> <span class="nb">export</span> all<span class="p">;</span> <span class="o">}</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> persist<span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">protocol static <span class="o">{</span> ipv4<span class="p">;</span> <span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">protocol ospf v2 ospf4 <span class="o">{</span> </span></span><span class="line"><span class="cl"> area <span class="m">0</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> interface <span class="s2">&#34;bridge0&#34;</span> <span class="o">{</span> stub<span class="p">;</span> <span class="o">}</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> interface <span class="s2">&#34;wg0&#34;</span> <span class="o">{</span> bfd yes<span class="p">;</span> cost 100<span class="p">;</span> <span class="nb">type</span> ptp<span class="p">;</span> <span class="o">}</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> interface <span class="s2">&#34;wg1&#34;</span> <span class="o">{</span> bfd yes<span class="p">;</span> cost 100<span class="p">;</span> <span class="nb">type</span> ptp<span class="p">;</span> <span class="o">}</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">protocol ospf v3 ospf6 <span class="o">{</span> </span></span><span class="line"><span class="cl"> area <span class="m">0</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> interface <span class="s2">&#34;bridge0&#34;</span> <span class="o">{</span> stub<span class="p">;</span> <span class="o">}</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> interface <span class="s2">&#34;wg0&#34;</span> <span class="o">{</span> bfd yes<span class="p">;</span> cost 100<span class="p">;</span> <span class="nb">type</span> ptp<span class="p">;</span> <span class="o">}</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> interface <span class="s2">&#34;wg1&#34;</span> <span class="o">{</span> bfd yes<span class="p">;</span> cost 100<span class="p">;</span> <span class="nb">type</span> ptp<span class="p">;</span> <span class="o">}</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">protocol bfd <span class="o">{</span> </span></span><span class="line"><span class="cl"> interface <span class="s2">&#34;wg*&#34;</span> <span class="o">{}</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span></code></pre></div><h2 id="conclusion">Conclusion</h2> <p>I cannot say yet if I will rewrite my Ansible automation for OSPF over Wireguard, but I certainly had fun figuring these out. I will probably toy with BGP again next, just because it is also &ldquo;fun&rdquo; to redistribute routes this way.</p>