bhyve: Bridging a VM to a WireGuard interface

Hey,
I'm looking to see if anyone can suggest a clever way to bridge a WireGuard interface to a bhyve VM. The end goal is to isolate that VM to a specific wg tunnel, to prevent it from accessing the local network.
I would like to avoid a routed setup for now, where a VM is bridged to tapX on bridgeX and then routed and firewalled via rules on the host.
So I'm looking for a more elegant solution. For example, with Linux containers I used to create a WireGuard interface and move it into the container's namespace to achieve this; of course that is not possible with VMs.
 
I use setfib with OpenVPN;
then I can set either GUI apps or command-line applications to use the VPN.
Thanks, but I'm not sure that it would work for my case, as I am looking for complete isolation of the VM. If I were to use setfib it would allow my VM to have a separate gw/route, which I could essentially achieve with the bridgeX/tapX interfaces and pf.
 
I have found a satisfying solution by using VXLANs.
The setup looks something like this:
gw server: set up wg, create a vxlan using the wg tunnel IP

vm host: set up wg, create a vxlan over the wg tunnel IP, add vxlanX to the bridge, add tap0 to the bridge
vm: assign an IP from the vxlan subnet to the interface

This allows the VM to be isolated to the tunnel.
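The layout described in the post above, written out as a FreeBSD shell script. This is an added example, not the poster's own configuration: interface names, the VNI, the tunnel addresses 10.8.0.1/10.8.0.2, the overlay subnet 192.168.200.0/24 and the wg config path are all assumptions. The vxlan is a unicast point-to-point one (`vxlanlocal`/`vxlanremote`) riding on the WireGuard tunnel addresses, so the peer's AllowedIPs must cover those addresses. Run it as `sh wg-vxlan.sh gw` on the gateway and `sh wg-vxlan.sh host` on the bhyve host; `DRY_RUN=1` prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the forum post): bring up the vxlan-over-WireGuard
# layout on FreeBSD. Every address, the VNI and the config path are assumed.
set -eu

WG_IF=wg0
WG_CONF=/usr/local/etc/wireguard/${WG_IF}.conf   # assumed; wireguard-tools wg(8) format
VXLAN_IF=vxlan0
VXLAN_ID=4000                                     # assumed VNI
BRIDGE_IF=bridge0
TAP_IF=tap0                                       # the VM's virtio-net backend
# WireGuard tunnel endpoints (assumed). The vxlan's UDP/4789 packets travel
# between these two addresses, so each peer's AllowedIPs must include them.
WG_GW_IP=10.8.0.1
WG_HOST_IP=10.8.0.2
# wg0 is commonly MTU 1420 and VXLAN adds 50 bytes (IPv4+UDP+VXLAN), so the
# overlay carries 1370-byte frames. Set the VM's NIC to the same MTU.
VXLAN_MTU=1370

# run CMD...: execute the command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# wg_up LOCAL_IP: create wg0, load keys and peers from WG_CONF, address it.
wg_up() {
    run ifconfig "$WG_IF" create
    run wg setconf "$WG_IF" "$WG_CONF"
    run ifconfig "$WG_IF" inet "$1/24" up
}

# vxlan_up LOCAL REMOTE: unicast point-to-point vxlan across the tunnel.
vxlan_up() {
    run ifconfig "$VXLAN_IF" create vxlanid "$VXLAN_ID" \
        vxlanlocal "$1" vxlanremote "$2" mtu "$VXLAN_MTU" up
}

# Gateway side: terminate the overlay at L3 (192.168.200.1/24 is assumed).
# Routing/NAT from 192.168.200.0/24 onward is outside this script.
gw_setup() {
    wg_up "$WG_GW_IP"
    vxlan_up "$WG_GW_IP" "$WG_HOST_IP"
    run ifconfig "$VXLAN_IF" inet 192.168.200.1/24
}

# bhyve host side: bridge tap0 to vxlan0 only. bridge0 gets no address and
# no physical NIC, so the only L2 path out of tap0 is vxlan0 -> wg0.
# Start the VM with e.g. "-s 2:0,virtio-net,tap0" and give it an address
# from 192.168.200.0/24 with 192.168.200.1 as gateway.
vm_host_setup() {
    wg_up "$WG_HOST_IP"
    vxlan_up "$WG_HOST_IP" "$WG_GW_IP"
    run ifconfig "$TAP_IF" create
    run ifconfig "$BRIDGE_IF" create
    run ifconfig "$BRIDGE_IF" addm "$VXLAN_IF" addm "$TAP_IF" up
    run ifconfig "$TAP_IF" up
}

case "${1:-}" in
    gw)   gw_setup ;;
    host) vm_host_setup ;;
esac
```

One thing to verify after bringing it up: `ifconfig bridge0` on the host should list only vxlan0 and tap0 as members and carry no inet address; if a physical interface or an address ever ends up on that bridge, the VM is no longer confined to the tunnel. Because the tap is on its own bridge with no host address, host-side pf rules are not what enforces the isolation; the topology is.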
 