zOrg1331 / wireguard_layer2.md
Last active October 18, 2025 11:49
wireguard, wireguard layer 2, wireguard over TCP

Intro

This note describes how to connect two networks/devices/VMs over a public network using WireGuard with Layer 2 support (ARP, IPv6 link-local, etc.).

This can also be achieved using SSH and its "tap" tunnel; however, that does not provide the same level of latency and bandwidth as a full-blown VPN such as WireGuard.

In addition, this note describes how to tunnel WireGuard over a TCP connection. This may be of use if there is a firewall in between and, for instance, you can use TCP port 443 only.

Objective

# enable IP forwarding and firewall in the kernel
sudo sysctl -w net.inet.ip.forwarding=1
sudo sysctl -w net.inet.ip.fw.enable=1
# flush all FW rules
sudo pfctl -F all # or -F nat, for just the nat rules
cat ./nat-rules
nat on en0 from 192.168.1.0/24 to any -> ozelmacpro # put this line in a text file