Static routes over VPN tunnels work until you have more than one tunnel, need failover, or manage a complex topology. Then you want a routing protocol to handle it.
Running OSPF or BGP over tunnels adds resilience: if a tunnel goes down, the protocol detects it and converges onto an alternate path. But tunnels add latency and encapsulation overhead (so the MTU shrinks), some tunnel types do not carry multicast, and the protocol must be bound to the tunnel interface rather than the underlay so that adjacencies form only inside the tunnel.
Tunnel Types and Routing Support
| Tunnel Type | OSPF | BGP | Overhead (IPv4 underlay) | Notes |
|---|---|---|---|---|
| GRE | Yes (multicast) | Yes | 24 bytes | Full support; no encryption or authentication on its own |
| IPsec VTI | Yes (unicast) | Yes | 54 to 85 bytes, depending on cipher, padding and NAT-T | No multicast |
| WireGuard | Yes (unicast) | Yes | 60 bytes (80 over IPv6) | Multicast only if the peer's allowed-ips covers 224.0.0.0/4 |
| OpenVPN | Yes (unicast) | Yes | Varies with cipher and framing | No multicast |
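The overhead column above, and the MTU values used in the configurations on this page (1476 for GRE, 1420 for WireGuard, 1400 for VTI), can be computed rather than guessed. The following is an added example, not code from the original page or from VyOS: header sizes come from the protocol specifications (GRE, ESP, WireGuard), and the cipher table covers the two IPsec proposals that appear later on this page. It goes a step beyond the table by handling ESP padding and NAT-T, and nested tunnels such as GRE inside IPsec.

```python
"""Tunnel MTU budget: encapsulation overhead and the largest inner packet
that still fits the underlay MTU.  Added example, not part of the original page."""
from dataclasses import dataclass

IPV4_HDR, IPV6_HDR, UDP_HDR = 20, 40, 8
ESP_HDR = 8              # SPI + sequence number
ESP_TRAILER = 2          # pad length + next header
WG_HDR, WG_TAG = 16, 16  # type/reserved/receiver index/counter, Poly1305 tag


def _outer(ipv6_underlay: bool) -> int:
    return IPV6_HDR if ipv6_underlay else IPV4_HDR


def gre_overhead(ipv6_underlay: bool = False, key: bool = False) -> int:
    """Outer IP + 4-byte GRE header (+4 if a GRE key is configured)."""
    return _outer(ipv6_underlay) + 4 + (4 if key else 0)


def wireguard_overhead(ipv6_underlay: bool = False) -> int:
    """Outer IP + UDP + WireGuard transport-data header + AEAD tag."""
    return _outer(ipv6_underlay) + UDP_HDR + WG_HDR + WG_TAG


@dataclass(frozen=True)
class EspCipher:
    iv_len: int    # explicit IV/nonce carried in each packet
    align: int     # payload + trailer is padded to a multiple of this
    icv_len: int   # integrity check value


# Keyed by the proposal names used in the esp-group configuration on this page.
ESP_CIPHERS = {
    "aes256gcm128": EspCipher(iv_len=8, align=4, icv_len=16),
    "aes256-sha256": EspCipher(iv_len=16, align=16, icv_len=16),  # AES-CBC + HMAC-SHA256-128
}


def esp_tunnel_size(inner_len: int, cipher: str, ipv6_underlay: bool = False, nat_t: bool = False) -> int:
    """On-the-wire size of an ESP tunnel-mode packet carrying inner_len bytes."""
    c = ESP_CIPHERS[cipher]
    padded = -(-(inner_len + ESP_TRAILER) // c.align) * c.align   # round up to alignment
    return _outer(ipv6_underlay) + (UDP_HDR if nat_t else 0) + ESP_HDR + c.iv_len + padded + c.icv_len


def esp_inner_mtu(outer_mtu: int, cipher: str, ipv6_underlay: bool = False, nat_t: bool = False) -> int:
    """Largest inner packet whose ESP encapsulation still fits outer_mtu."""
    c = ESP_CIPHERS[cipher]
    fixed = _outer(ipv6_underlay) + (UDP_HDR if nat_t else 0) + ESP_HDR + c.iv_len + c.icv_len
    padded_max = (outer_mtu - fixed) // c.align * c.align          # round down to alignment
    return max(padded_max - ESP_TRAILER, 0)


def tunnel_mtu(outer_mtu: int, kind: str, **kw) -> int:
    """Inner MTU for a tunnel of the given kind over a link with outer_mtu.

    Chain calls for nested tunnels, e.g. tunnel_mtu(tunnel_mtu(1500, "ipsec", cipher=...), "gre").
    """
    if kind == "gre":
        return outer_mtu - gre_overhead(**kw)
    if kind == "wireguard":
        return outer_mtu - wireguard_overhead(**kw)
    if kind == "ipsec":
        return esp_inner_mtu(outer_mtu, **kw)
    raise ValueError(f"unknown tunnel kind {kind!r}")


def tcp_mss(inner_mtu: int, ipv6_inner: bool = False) -> int:
    """MSS to clamp on the tunnel interface: inner MTU minus IP and TCP headers."""
    return inner_mtu - (IPV6_HDR if ipv6_inner else IPV4_HDR) - 20


if __name__ == "__main__":
    print("gre            ", tunnel_mtu(1500, "gre"))
    print("wireguard/ipv4 ", tunnel_mtu(1500, "wireguard"))
    print("wireguard/ipv6 ", tunnel_mtu(1500, "wireguard", ipv6_underlay=True))
    print("ipsec gcm      ", tunnel_mtu(1500, "ipsec", cipher="aes256gcm128"))
    print("ipsec gcm nat-t", tunnel_mtu(1500, "ipsec", cipher="aes256gcm128", nat_t=True))
    print("gre in ipsec   ", tunnel_mtu(tunnel_mtu(1500, "ipsec", cipher="aes256gcm128"), "gre"))
```

Set the tunnel MTU to the computed inner value (or lower) on both ends, and clamp TCP MSS on the tunnel interface to `tcp_mss(inner_mtu)` so TCP across the tunnel never depends on path MTU discovery working through the underlay. The 1420 WireGuard default already assumes an IPv6 underlay; 1400 for VTI leaves headroom for NAT-T and CBC padding.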
Multicast vs Unicast OSPF
```
# GRE supports multicast (normal OSPF)
set protocols ospf interface tun0 area 0

# IPsec VTI/WireGuard need unicast neighbors
set protocols ospf interface wg0 area 0
set protocols ospf neighbor 10.255.0.2   # Explicit neighbor
```
One caveat before copying the unicast pattern: in FRR (which VyOS uses for OSPF) the neighbor list is honoured only on non-broadcast network types; on a point-to-point interface hellos are still sent to 224.0.0.5. If the tunnel genuinely drops multicast, pair the explicit neighbor with `network non-broadcast`, or make the tunnel carry multicast instead (for WireGuard, include 224.0.0.0/4 in the peer's allowed-ips) and keep point-to-point.
OSPF Over GRE
GRE Tunnel Setup
```
configure

# GRE tunnel
set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 source-address 203.0.113.1
set interfaces tunnel tun0 remote 198.51.100.1
set interfaces tunnel tun0 address 10.255.0.1/30
set interfaces tunnel tun0 mtu 1476   # 1500 minus 20 (outer IPv4) minus 4 (GRE)

commit
```
OSPF Configuration
```
configure

# OSPF over GRE (multicast works)
set protocols ospf interface tun0 area 0
set protocols ospf interface tun0 network point-to-point
set protocols ospf interface tun0 hello-interval 10
set protocols ospf interface tun0 dead-interval 40

# Advertise tunnel network
set protocols ospf area 0 network 10.255.0.0/30

# Advertise local networks
set protocols ospf area 0 network 192.168.1.0/24

commit
```
Plain GRE is neither encrypted nor authenticated, so anyone who can deliver packets to 203.0.113.1 with source 198.51.100.1 can inject OSPF hellos and LSAs into area 0. Enable OSPF authentication on tun0 or carry the GRE tunnel inside IPsec, and only accept GRE on the underlay from the configured remote. Note also that the network statement for 192.168.1.0/24 makes the LAN interface an active OSPF interface; mark it passive so adjacencies form only across the tunnel.
Verify OSPF
```
# Check neighbors
show ip ospf neighbor

# Should show neighbor via tun0
# Neighbor ID     Pri State    Dead Time  Address      Interface
# 10.255.0.2        1 Full/-   00:00:32   10.255.0.2   tun0

# Check routes
show ip route ospf
```
OSPF Over IPsec (VTI)
IPsec VTI Setup
```
configure

# IPsec VTI (route-based VPN)
set vpn ipsec interface eth0
set vpn ipsec esp-group ESP proposal 1 encryption aes256gcm128
set vpn ipsec esp-group ESP proposal 1 hash sha256
set vpn ipsec ike-group IKE proposal 1 encryption aes256
set vpn ipsec ike-group IKE proposal 1 hash sha256
set vpn ipsec ike-group IKE proposal 1 dh-group 14

set vpn ipsec site-to-site peer 198.51.100.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 198.51.100.1 authentication pre-shared-secret "secret"   # placeholder: use a long random secret, or certificates
set vpn ipsec site-to-site peer 198.51.100.1 connection-type initiate
set vpn ipsec site-to-site peer 198.51.100.1 ike-group IKE
set vpn ipsec site-to-site peer 198.51.100.1 local-address 203.0.113.1
set vpn ipsec site-to-site peer 198.51.100.1 vti bind vti0
set vpn ipsec site-to-site peer 198.51.100.1 vti esp-group ESP

# VTI interface
set interfaces vti vti0 address 10.255.0.1/30
set interfaces vti vti0 mtu 1400   # conservative: ESP with AES-GCM costs 54 to 65 bytes depending on padding and NAT-T

commit
```
OSPF Over VTI (No Multicast)
```
configure

# OSPF needs explicit neighbor (no multicast over IPsec)
set protocols ospf interface vti0 area 0
set protocols ospf interface vti0 network point-to-point
set protocols ospf neighbor 10.255.0.2

commit
```
OSPF Over WireGuard
WireGuard Setup
```
configure

# WireGuard interface
set interfaces wireguard wg0 address 10.255.0.1/30
set interfaces wireguard wg0 port 51820
set interfaces wireguard wg0 private-key <your-private-key>

# Peer configuration
set interfaces wireguard wg0 peer PEER1 public-key <peer-public-key>
set interfaces wireguard wg0 peer PEER1 allowed-ips 0.0.0.0/0   # acceptable for a single site-to-site peer; narrow it to the peer's prefixes on a hub
set interfaces wireguard wg0 peer PEER1 endpoint 198.51.100.1:51820
set interfaces wireguard wg0 peer PEER1 persistent-keepalive 25

commit
```
OSPF Over WireGuard
```
configure

# OSPF with explicit neighbor
set protocols ospf interface wg0 area 0
set protocols ospf interface wg0 network point-to-point
set protocols ospf neighbor 10.255.0.2

# BFD for faster failover
set protocols ospf interface wg0 bfd

commit
```
With allowed-ips 0.0.0.0/0 as configured above, the peer already accepts 224.0.0.5, so plain point-to-point OSPF works over this tunnel without the neighbor statement. The explicit neighbor only matters once allowed-ips is narrowed and 224.0.0.0/4 is left out, and then it has to be paired with a non-broadcast network type, because FRR does not unicast hellos on a point-to-point interface. BFD needs a matching `protocols bfd peer` entry on both ends (see Fast Failover); WireGuard interfaces never go down when the peer disappears, so without BFD failover waits for the OSPF dead interval.
BGP Over Tunnels
BGP is easier: it runs over a unicast TCP session (port 179), so it works over any tunnel type and needs no network-type tweaks. Between directly connected tunnel addresses plain eBGP works with the default TTL of 1, so no multihop is required.
BGP Over WireGuard
```
configure

# WireGuard tunnel (as above)
# ...

# BGP over WireGuard
set protocols bgp system-as 65001
set protocols bgp neighbor 10.255.0.2 remote-as 65002
set protocols bgp neighbor 10.255.0.2 update-source wg0
set protocols bgp neighbor 10.255.0.2 address-family ipv4-unicast

commit
```
BGP Over IPsec VTI
```
configure

# IPsec VTI (as above)
# ...

# BGP over VTI
set protocols bgp system-as 65001
set protocols bgp neighbor 10.255.0.2 remote-as 65002
set protocols bgp neighbor 10.255.0.2 update-source vti0
set protocols bgp neighbor 10.255.0.2 address-family ipv4-unicast

# BFD for fast failover
set protocols bgp neighbor 10.255.0.2 bfd

commit
```
As written, both BGP blocks accept whatever the peer announces. Filter every neighbor with an import prefix list limited to that site's own prefixes and a maximum-prefix limit, so that a compromised or misconfigured site cannot announce a default route, or a more specific of another site's LAN, and pull that traffic across its tunnel.
Multi-Tunnel Design
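Whichever topology you pick, the hub ends up repeating the same per-spoke block: a WireGuard interface, a /30 from a transit range, a BGP neighbor, and a filter on what that spoke may announce. The script below is an added example, not code from the original page or from VyOS, that generates the hub side of a BGP hub-and-spoke in the `set` syntax the BGP sections on this page use (VyOS 1.4, `system-as`). Spoke names, keys and prefixes in the example run are constructed placeholders. Unlike the single-peer blocks it narrows each peer's allowed-ips to the spoke's own addresses and installs an import prefix-list plus maximum-prefix per neighbor, and it refuses to generate a configuration in which a spoke claims the transit range, the hub's LAN or another spoke's LAN.

```python
"""Generate the hub side of a WireGuard + BGP hub-and-spoke for VyOS.
Added example, not from the original page or from VyOS.  Keys and prefixes
used in __main__ are constructed placeholders."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Spoke:
    name: str
    public_key: str        # the spoke's WireGuard public key
    asn: int
    lans: list[str]        # prefixes this spoke is allowed to announce


@dataclass
class Hub:
    asn: int
    private_key: str
    transit: str = "10.255.0.0/24"   # carved into one /30 per spoke
    base_port: int = 51820           # wgN listens on base_port + N
    hub_lans: list[str] = field(default_factory=list)


def check_overlaps(hub: Hub, spokes: list[Spoke]) -> list[str]:
    """Prefixes no spoke may claim: the transit range, the hub LANs, other spokes' LANs."""
    claimed = [ipaddress.ip_network(hub.transit)] + [ipaddress.ip_network(p) for p in hub.hub_lans]
    problems = []
    for spoke in spokes:
        for lan in map(ipaddress.ip_network, spoke.lans):
            clash = next((c for c in claimed if lan.overlaps(c)), None)
            if clash is not None:
                problems.append(f"{spoke.name}: {lan} overlaps {clash}")
            claimed.append(lan)
    return problems


def hub_config(hub: Hub, spokes: list[Spoke]) -> list[str]:
    """VyOS commands for the hub.  Raises ValueError if a spoke claims someone else's prefix."""
    problems = check_overlaps(hub, spokes)
    if problems:
        raise ValueError("; ".join(problems))
    links = ipaddress.ip_network(hub.transit).subnets(new_prefix=30)
    cmds = [f"set protocols bgp system-as {hub.asn}"]
    cmds += [f"set protocols bgp address-family ipv4-unicast network {lan}" for lan in hub.hub_lans]
    for n, spoke in enumerate(spokes, start=1):
        hub_ip, spoke_ip = list(next(links).hosts())      # a /30 has exactly two host addresses
        wg, port, pl = f"wg{n}", hub.base_port + n, f"{spoke.name}-IN"
        cmds += [
            f"set interfaces wireguard {wg} address {hub_ip}/30",
            f"set interfaces wireguard {wg} port {port}",
            f"set interfaces wireguard {wg} mtu 1420",
            f"set interfaces wireguard {wg} private-key {hub.private_key}",
            f"set interfaces wireguard {wg} peer {spoke.name} public-key {spoke.public_key}",
            # Cryptokey routing: packets from this peer are accepted only with these sources,
            # so the 0.0.0.0/0 of the single-peer example becomes the spoke's own prefixes.
            f"set interfaces wireguard {wg} peer {spoke.name} allowed-ips {spoke_ip}/32",
        ]
        cmds += [f"set interfaces wireguard {wg} peer {spoke.name} allowed-ips {lan}" for lan in spoke.lans]
        # No endpoint on the hub side: spokes may sit behind NAT and dial in with persistent-keepalive.
        for i, lan in enumerate(spoke.lans, start=1):
            cmds += [f"set policy prefix-list {pl} rule {i * 10} action permit",
                     f"set policy prefix-list {pl} rule {i * 10} prefix {lan}"]
        nb = f"set protocols bgp neighbor {spoke_ip}"
        cmds += [
            f"{nb} description {spoke.name}",
            f"{nb} remote-as {spoke.asn}",
            f"{nb} update-source {wg}",
            # Accept only this spoke's own prefixes, and never more of them than it has.
            f"{nb} address-family ipv4-unicast prefix-list import {pl}",
            f"{nb} address-family ipv4-unicast maximum-prefix {len(spoke.lans)}",
            f"{nb} bfd",
            f"set protocols bfd peer {spoke_ip} source address {hub_ip}",
        ]
    return cmds


if __name__ == "__main__":
    hub = Hub(asn=65001, private_key="<hub-private-key>", hub_lans=["192.168.1.0/24"])
    spokes = [Spoke("SPOKE1", "<spoke1-public-key>", 65002, ["192.168.2.0/24"]),
              Spoke("SPOKE2", "<spoke2-public-key>", 65003, ["192.168.3.0/24", "192.168.4.0/24"])]
    print("\n".join(hub_config(hub, spokes)))
```

The prefix-list rules match each LAN exactly (no `le`/`ge`), so a spoke cannot announce a more specific of its own range either. Run `check_overlaps` as a pre-commit check when a new spoke is added; the same logic is what stops a spoke from being handed allowed-ips that shadow the transit range.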
Hub and Spoke with OSPF
```
        [Spoke1]
            │ wg1
      ┌─────┴─────┐
      │           │
      │   [Hub]   │
      │           │
      └─────┬─────┘
            │ wg2
        [Spoke2]
```
```
# Hub configuration
configure

# WireGuard to Spoke1
set interfaces wireguard wg1 address 10.255.1.1/30
set interfaces wireguard wg1 peer SPOKE1 ...

# WireGuard to Spoke2
set interfaces wireguard wg2 address 10.255.2.1/30
set interfaces wireguard wg2 peer SPOKE2 ...

# OSPF on both tunnels
set protocols ospf interface wg1 area 0
set protocols ospf interface wg1 network point-to-point
set protocols ospf neighbor 10.255.1.2

set protocols ospf interface wg2 area 0
set protocols ospf interface wg2 network point-to-point
set protocols ospf neighbor 10.255.2.2

commit
```
Each spoke gets its own wg interface and /30, so the hub's allowed-ips for each peer can be limited to that spoke's tunnel address and LAN. Keep in mind that OSPF cannot filter what a neighbor injects into the area: every spoke in area 0 is trusted to the same degree, and a compromised spoke can advertise any prefix to the whole hub. When spokes are not equally trusted, use BGP with per-neighbor import filters instead.
Full Mesh with BGP
```
# Each site peers with all others via BGP
# More configuration but better path selection
set protocols bgp neighbor 10.255.0.2 remote-as 65002
set protocols bgp neighbor 10.255.0.3 remote-as 65003
set protocols bgp neighbor 10.255.0.4 remote-as 65004
```
Each neighbor still needs its own tunnel, update-source and address-family as in the single-peer examples; a full mesh of N sites means N(N-1)/2 tunnels, which is why meshes are usually generated rather than typed.
Fast Failover
BFD Over Tunnels
```
configure

# BFD for fast tunnel failure detection
set protocols bfd peer 10.255.0.2 source address 10.255.0.1
set protocols bfd peer 10.255.0.2 interval transmit 300
set protocols bfd peer 10.255.0.2 interval receive 300
set protocols bfd peer 10.255.0.2 interval multiplier 3   # 3 x 300 ms: failure declared after about 900 ms

# Link BFD to OSPF
set protocols ospf interface wg0 bfd

# Or link to BGP
set protocols bgp neighbor 10.255.0.2 bfd

commit
```
Configure the peer on both ends; a one-sided BFD session never comes up and the protocol then behaves as if BFD were absent. On tunnels crossing a jittery WAN, 300 ms may flap; raise the interval rather than the multiplier so that a single lost packet does not declare the tunnel dead.
Tunnel Keepalives
```
# WireGuard persistent keepalive
set interfaces wireguard wg0 peer PEER1 persistent-keepalive 25

# GRE keepalives
set interfaces tunnel tun0 parameters ip keepalive interval 10
set interfaces tunnel tun0 parameters ip keepalive failure-count 3
```
Keepalives keep NAT mappings open and let the tunnel itself notice a dead peer, but they do not feed into the routing protocol, and a WireGuard interface stays up whether or not the peer answers. BFD is what actually triggers reconvergence.
Troubleshooting
Routing Protocol Not Forming
```
# Check tunnel is up
show interfaces wireguard
ping 10.255.0.2

# Check routing protocol
show ip ospf neighbor
show bgp summary

# Check firewall allows protocol traffic inside the tunnel
# OSPF: IP protocol 89 (to 224.0.0.5/224.0.0.6, or to the unicast neighbor)
# BGP: TCP 179
# BFD: UDP 3784 (control), 3785 (echo)

# ...and the tunnel itself on the underlay
# GRE: IP protocol 47
# IPsec: UDP 500 and 4500, IP protocol 50 (ESP)
# WireGuard: the configured UDP port (51820 above)
```
Routes Not Propagating
```
# Check route advertisement
show ip ospf database
show bgp ipv4 unicast

# Verify network statements
show configuration commands | grep "protocols ospf area"
show configuration commands | grep "protocols bgp"
```
Asymmetric Routing
Traffic leaves through one tunnel and returns through another. OSPF cost is set per interface on each router, so if the two ends of a tunnel disagree on its cost, site A prefers wg0 while site B prefers wg1. The asymmetric path then breaks stateful firewall rules on either end.
```
# Ensure both ends of each tunnel agree on its cost
set protocols ospf interface wg0 cost 100
set protocols ospf interface wg1 cost 100

# Or use BGP with consistent metrics
```
Equal costs on two tunnels, as above, give equal-cost multipath: the routing is symmetric, but individual flows are hashed across both tunnels, so the stateful firewall caveat still applies.
Best Practices
1. Use Point-to-Point Network Type
```
# For tunnel interfaces
set protocols ospf interface wg0 network point-to-point
# Saves DR election overhead
```
2. Enable BFD
```
# Fast failure detection
set protocols ospf interface wg0 bfd
# Or
set protocols bgp neighbor 10.255.0.2 bfd
```
3. Set Appropriate Costs
```
# Higher cost for slower/less reliable tunnels
set protocols ospf interface wg0 cost 100   # Fast tunnel
set protocols ospf interface wg1 cost 200   # Backup tunnel
```
4. Consider MTU
```
# Ensure routing protocol packets fit
set interfaces wireguard wg0 mtu 1420
# Or enable fragmentation on underlay
```
OSPF compares interface MTU in its database description packets, so a mismatch between the two ends leaves the adjacency stuck in ExStart; set the same MTU on both sides (or configure OSPF to ignore the MTU check). Underlay fragmentation hides the problem rather than fixing it and costs throughput; prefer a correct tunnel MTU plus TCP MSS clamping on the tunnel interface.
The Lesson
Routing over tunnels requires careful planning — but it’s worth it for resilient networks.
Benefits:
- Automatic failover on tunnel failure
- Dynamic path selection
- Consistent with non-tunnel routing
Challenges:
- Tunnel type affects protocol support
- MTU requires attention
- Convergence time adds to tunnel detection time
Key decisions:
- Protocol: OSPF (simple) or BGP (more control)
- Failover: BFD required for fast detection
- Topology: Hub-spoke vs full mesh
- Tunnel type: Affects multicast support
Done right, routing over tunnels gives you a resilient VPN mesh that handles failures automatically. Done wrong, you get mysterious routing issues and slow failover.
Plan it. Test it. Monitor it.
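"Monitor it" in practice means reading the adjacency tables rather than waiting for users to notice. The following is an added example, not part of the original page or of VyOS/FRR: a small parser for `show ip ospf neighbor` and `show bgp summary` output that reports any expected neighbor that is missing, not Full, or not Established. The sample outputs are constructed to follow the column layout of FRR (which VyOS uses for both protocols) and the neighbor table shown in the Verify OSPF section; in production, feed it the real command output.

```python
"""Adjacency health check for the 'show' commands used in the troubleshooting
section.  Added example, not part of the original page or of VyOS/FRR.
OSPF_SAMPLE and BGP_SAMPLE are constructed to follow FRR's column layout."""
import re

_IPV4 = re.compile(r"\d+\.\d+\.\d+\.\d+$")

# Constructed sample: one healthy OSPF neighbour and one stuck in ExStart
# (the classic symptom of an MTU mismatch across the tunnel).
OSPF_SAMPLE = """\
Neighbor ID     Pri State           Dead Time Address         Interface            RXmtL RqstL DBsmL
10.255.0.2        1 Full/-          00:00:32  10.255.0.2      tun0:10.255.0.1          0     0     0
10.255.1.2        1 ExStart/-       00:00:35  10.255.1.2      wg1:10.255.1.1           0     0     0
"""

# Constructed sample: one Established session and one stuck in Active
# (nothing answers on TCP 179: tunnel down, firewall, or wrong update-source).
BGP_SAMPLE = """\
IPv4 Unicast Summary (VRF default):
BGP router identifier 10.255.0.1, local AS number 65001 vrf-id 0
BGP table version 12

Neighbor        V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down State/PfxRcd   PfxSnt Desc
10.255.0.2      4      65002      1231      1228       12    0    0 01:02:03            3        2 N/A
10.255.0.3      4      65003         0         0        0    0    0    never       Active        0 N/A

Total number of neighbors 2
"""


def parse_ospf_neighbors(text: str) -> dict[str, tuple[str, str]]:
    """Map neighbour address -> (state, interface) from 'show ip ospf neighbor'."""
    result = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not _IPV4.match(parts[0]):
            continue                      # header, blank or summary line
        state = parts[2].split("/")[0]    # "Full/-" or "Full/DR" -> "Full"
        # The Address column is the first dotted quad after State (newer FRR inserts an
        # Up Time column before Dead Time); the interface follows it, either as "tun0"
        # or as "tun0:10.255.0.1" depending on the FRR version.
        for i in range(3, len(parts) - 1):
            if _IPV4.match(parts[i]):
                result[parts[i]] = (state, parts[i + 1].split(":")[0])
                break
    return result


def parse_bgp_summary(text: str) -> dict[str, tuple[str, int]]:
    """Map neighbour -> (state, prefixes received) from 'show bgp summary'.

    In FRR the State/PfxRcd column holds a number only once the session is
    Established; otherwise it holds the FSM state (Idle, Active, Connect, ...).
    """
    result = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 10 or not _IPV4.match(parts[0]) or parts[1] != "4":
            continue                      # not a neighbour row (V column is the BGP version)
        state_or_pfx = parts[9]
        if state_or_pfx.isdigit():
            result[parts[0]] = ("Established", int(state_or_pfx))
        else:
            result[parts[0]] = (state_or_pfx, 0)
    return result


def check(expected: dict[str, str], ospf_text: str, bgp_text: str) -> list[str]:
    """Problems for each expected neighbour (address -> 'ospf' or 'bgp'); empty means healthy."""
    ospf, bgp = parse_ospf_neighbors(ospf_text), parse_bgp_summary(bgp_text)
    problems = []
    for addr, proto in expected.items():
        if proto == "ospf":
            state = ospf.get(addr, ("missing", ""))[0]
            if state != "Full":
                problems.append(f"ospf {addr}: {state}")
        else:
            state, pfx = bgp.get(addr, ("missing", 0))
            if state != "Established":
                problems.append(f"bgp {addr}: {state}")
            elif pfx == 0:
                problems.append(f"bgp {addr}: Established but 0 prefixes received")
    return problems


if __name__ == "__main__":
    expected = {"10.255.0.2": "ospf", "10.255.1.2": "ospf", "10.255.0.3": "bgp"}
    for problem in check(expected, OSPF_SAMPLE, BGP_SAMPLE):
        print("PROBLEM", problem)
```

The expected-neighbor list is the point: a neighbor that silently vanishes from the table never shows up as a non-Full state, so the check has to be driven by what should be there, not by what is. ExStart on an OSPF neighbor means the adjacency formed but database exchange failed (check MTU on both ends); Active on a BGP neighbor means TCP 179 never connected (tunnel, firewall, or update-source).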