BGP over a VPN tunnel: is it a good idea?

Before you ask, we already have an ASN and public IP blocks from an RIR.

We already have some servers colocated in a datacenter; they provide our BGP peering.

Here is the issue:
we want to take one of the /24 blocks and use it in our office. We want to deploy some servers in our office and make them accessible from outside.

We do have multiple Internet connections in our office, but sadly they do not provide BGP peering.

My question is: if we create a WireGuard tunnel server in our datacenter colocation, connect our office router to it and advertise the IP blocks this way, will it be reliable enough to host the online services this way?

I’d leave all BGP peering in the DC and build the wg tunnels between the DC and office. Then I’d route the selected /24 internally across the tunnels. You can use whatever for internal routing of that /24 network. It’s yours after all.

Consider the bandwidth consumed over the tunnels and also the latency. Might not be a good idea to put servers in your office if there’s a hungry app running on them.

Also, bear in mind the load that you’d put on the CPUs of servers handling the wg crypto tasks in case of heavy traffic.

Bottom line, anything’s doable, but consider the impact on the underlying links of the WireGuard tunnels.

You may also consider using that /24 on a VXLAN between your DC and office. You’d have it in both locations if needed.

You should move your public facing things to the datacenter.

Nothing that relies on a WireGuard tunnel should be exposed to customers; that’s just a bad design.

At a minimum I’d have IPsec tunnels from the DC to your office and have the public traffic hit the datacenter before coming down.

I would do IPsec from the DC to the office and announce the office server routes (using RFC 1918) to the DC via the routing protocol of your choosing. I would then NAT those private addresses to the public IPs at your DC…

Works well, never any real problems as long as you have capacity on the link. But there is no need for BGP for this; you can create a static route for the /24 over the tunnel.

Why not get a lit Ethernet from the office to the DC instead? Perhaps an IPsec tunnel as backup.

Can’t talk about WireGuard, but it’s extremely common to do eBGP multihop over a VPN, particularly a route-based (VTI) VPN because it essentially uses 0.0.0.0 as the interesting traffic filter on both sides, so you need to use a routing protocol to determine what traffic to tunnel. Typically, a VPN to Azure would be set up like this.
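For the variant in the reply above, where a routing protocol rather than a static route decides what goes into the route-based tunnel, the DC end of the eBGP session can be expressed as an FRR bgpd configuration. This is an added example, not configuration from the thread or from any vendor guide; the tunnel addresses, both ASNs and the /24 are constructed placeholders, and the tunnel interface is assumed to be wg0 (a VTI interface would be configured the same way).

```shell
#!/bin/sh
# Added example, not from the thread: FRR bgpd configuration for the DC end of
# an eBGP session run over a route-based tunnel (wg0 here; a VTI works the same).
# Peer addresses, ASNs and the prefix are constructed placeholders.

TUNNEL_LOCAL="10.255.0.1"          # constructed: DC tunnel address
TUNNEL_PEER="10.255.0.2"           # constructed: office tunnel address
DC_ASN=64512                       # placeholder: ASN used on the colo side
OFFICE_ASN=64513                   # placeholder: private ASN for the office router
OFFICE_PREFIX="198.51.100.0/24"    # placeholder: the /24 hosted in the office

# Private ASN ranges from RFC 6996: 64512-65534 and 4200000000-4294967294.
# The office router only ever peers with the DC, so it needs no public ASN.
is_private_asn() {
  asn=$1
  if [ "$asn" -ge 64512 ] && [ "$asn" -le 65534 ]; then return 0; fi
  if [ "$asn" -ge 4200000000 ] && [ "$asn" -le 4294967294 ]; then return 0; fi
  return 1
}

# The inbound prefix-list and the prefix limit are the security control: whatever
# the office router announces, the DC installs (and may re-announce to its transit)
# exactly the one /24. A default route is originated toward the office so that the
# servers' return traffic comes back through the tunnel.
frr_bgp_config() {
  cat <<EOF
ip prefix-list OFFICE-PREFIXES seq 10 permit $OFFICE_PREFIX
!
route-map FROM-OFFICE permit 10
 match ip address prefix-list OFFICE-PREFIXES
!
router bgp $DC_ASN
 bgp router-id $TUNNEL_LOCAL
 neighbor $TUNNEL_PEER remote-as $OFFICE_ASN
 neighbor $TUNNEL_PEER description office-router-over-wg0
 neighbor $TUNNEL_PEER update-source wg0
 ! multihop is only required when peering loopback-to-loopback across the
 ! tunnel instead of on the directly connected tunnel addresses used here
 neighbor $TUNNEL_PEER ebgp-multihop 2
 neighbor $TUNNEL_PEER password <TCP-MD5-SECRET>
 !
 address-family ipv4 unicast
  neighbor $TUNNEL_PEER route-map FROM-OFFICE in
  neighbor $TUNNEL_PEER maximum-prefix 1
  neighbor $TUNNEL_PEER default-originate
 exit-address-family
EOF
}

# Usage: ./render-frr.sh render  -> prints the fragment for review before it is
# applied with 'vtysh' or merged into /etc/frr/frr.conf.
if [ "${1:-}" = render ]; then
  is_private_asn "$OFFICE_ASN" || echo "# warning: office ASN $OFFICE_ASN is not private" >&2
  frr_bgp_config
fi
```

Whether the office router applies the learned default to everything or only to traffic sourced from the /24 is a policy-routing decision on that side; the DC side shown here is deliberately strict, because a session that accepts any prefix from across the tunnel turns a compromised office router into a way to pull other DC-announced addresses toward the office.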

I personally never tried to create a setup like this.
Is there any technical reason that I might have missed why WireGuard might not be as reliable as IPsec?

The DC is about 30 miles away. Not an easy task.

IPsec is time tested and supported by most enterprise networking hardware. Sending production network traffic through a server is problematic.

What? Unless you are in the middle of nowhere, you probably have at least one carrier that can do it for a reasonable cost.