Linux + WireGuard does most of what you need easily and all of what you described with some effort. I’d use a separate WG tunnel for each VRF rather than trying to mix them, but you do you.
Owen
On Mar 12, 2026, at 19:58, Mark Tinka via NANOG <nanog@lists.nanog.org> wrote:
On 12/03/2026 20:25, Bryan Holloway via NANOG wrote:
* OSPF - each VRF should have its own instance, so we need something that supports interface-based tunneling since IPsec doesn't handle multicast well. Open to other tunneling strategies. WireGuard? OpenVPN?
We've built a DCN network for our optical backbone based on pfSense and FreeBSD with WireGuard, OSPF and BGP, across diverse DIA links in each data centre.
Works pretty good.
WireGuard is awesome! Can't imagine how we made IPSec work :-)...
Mark.