After experimenting with TINC, OpenVPN & others I found and have used
PeerVPN to do this:

PeerVPN is a full-mesh VPN and is auto-learning..

   - Ethernet tunneling support using TAP devices.
   - IPv6 support.
   - Full mesh network topology.
   - Automatically builds tunnels through firewalls and NATs without any
   further setup (for example, port forwarding).
   - Shared key encryption and authentication support.

At the time *I found PeerVPN much simpler to configure that TINC !*

A PeerVPN mesh is extremely easy to configure as you only have to install
PeerVPN on each host server and edit its config file on that server.

The brief tutorial page ( shows that config
for a basic PeerVPN only requires about 7 lines on each of your servers.

In Apr 2015 I documented a proof-of-concept test setup
I'd done to interconnect LXC containers on AWS, DIgital Ocean and here
locally (so much like you want to do I think).

*NOTE:  * that documentation *was before* my use of LXD !

*The reason I mention this is that with the advent of LXD the entire
> container IP addressing setup using PeerVPN becomes even easier ! *   This
> is because when I did those tests I never took the time to create a single
> DHCP source for all lxc containers on all hosts.   In my 2015
> proof-of-concept test of PeerVPN I just a quick & dirty config using the
> assumption that no 2 containers (for my test purposes) would get assigned
> the same 10.0.3.x IP address by their local Server/Host.

Today, LXD *during installation* allows you much more control over each
Server/Host's LXDBR0 bridge IP and the 10.x.x.x IP address range that is
used for that Host's lxc containers.

*So if you were to use PeerVPN,  during LXD installation on each server
just reserve a portion of the 10.x.x.x IP address range for each
Server/Host to avoid any possibility of any 2 containers on any 2 Hosts
getting assigned the same IP.*

The last config step on each Server/Host is to connect the PeerVPN mesh
Tunnel End Point (TEP to the local LXDBR0 bridge to enable all the
containers attached to that bridge to pass data over the VPN tunnel to the
other servers since my documentation set up a Layer 2 VPN (note PeerVPN
supports a Layer 3 tunnel as well I believe).

Since the PeerVPN TEP "interface" ... called "peervpn0" in my tutorial
example is just like any other Linux ethernet interface you only have to
use the "ip link" command to connect "peervpn0" to the LXD "lxdbr0" bridge.

*$ sudo ip link set dev peervpn0 master lxdbr0*

After you've done that on all 3 hosts your containers on all the hosts
should be able to reach each other since they would all be on what
logically is the same "ethernet" via the VPN & the fact that you setup all
of the LXD installs with the same same 10.x.x.x network.

Also, the containers on each Server/Host still get external Internet access
(if you permit it) via their local Host.

Anyway, I thought I'd send this info in case it is helpful as this should
work with servers locally or remotely using LXD.

lxc-users mailing list

Reply via email to