January 13, 2026

VPN burrito or network lasagna?

Ask HN: Vxlan over WireGuard or WireGuard over Vxlan?

Tunnel-ception: WireGuard outside, VXLAN inside, or are we all overthinking this?

TLDR: Debate rages over whether WireGuard (encrypted, authenticated tunnels) should wrap VXLAN (layer-2 overlay networks), with many citing docs that say VXLAN belongs in trusted zones. Skeptics ask what problem this solves and why anyone would link private networks over the public internet, while a “WireGuard for every NFS client” idea sparks memes.

The original poster kicked off a classic nerd brawl by insisting WireGuard (an encrypted, authenticated tunnel that connects networks across untrusted space) should always be the outer wrapper, with VXLAN (an overlay that carries Ethernet frames inside UDP so a local layer-2 network can be stretched across an IP network, and that provides no encryption or authentication of its own) stuffed inside. They waved off Tailscale (a friendly plug‑and‑play VPN built on WireGuard) as “cool but not always needed,” then tossed in a spicy twist: NFS (network file sharing) is painful, Kerberos (the authentication protocol used to secure it) is worse, so why not give every NFS client its own WireGuard tunnel? Cue the comment section lighting up. pjd7 asked for receipts, wmf demanded: “What problem is being solved here?”, and DiabloD3 dropped Big Tech lore: this layered “tunnel cake” is how Google routes internally, to keep any one layer from knowing too much.

Security hawks pointed to OpenBSD’s docs, which say VXLAN should only be run over trusted networks (it ships frames in plain UDP with no integrity protection or encryption), so putting it inside WireGuard tracks. Pragmatists like mbreese side‑eyed the whole thing: why are we even linking private networks across the public internet? Meanwhile, the NFS plan became a meme: “wrap everything in a WireGuard burrito” with “Kerberos really sucks” sprinkled on top. The room split between defense‑in‑depth true believers and “don’t build network lasagna” minimalists. It’s spicy, it’s nerdy, and it’s somehow about tunnels arguing with tunnels.

Key Points

  • WireGuard is recommended as the outermost secure overlay for site-to-site networks.
  • If VXLAN is used, it should be encapsulated inside a WireGuard tunnel, because VXLAN itself carries frames in plain UDP with no encryption or authentication.
  • When WireGuard is not available, use alternative secure overlays like IPsec, OpenVPN, or SoftEther.
  • The recommendation focuses on WireGuard’s architectural role in crossing untrusted boundaries, not just its security properties.
  • A proposal suggests per-client WireGuard tunnels for NFS traffic to simplify security and firewall traversal.
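
What the "VXLAN inside WireGuard" layering looks like on a Linux box, as an added example (not code from the thread, from WireGuard, or from any project it mentions): one side of a point-to-point VXLAN whose only underlay is wg0. Every name, key, address, VNI and the 1500-byte physical MTU are placeholders. Two things the thread argues about but never shows are worked out here: the MTU arithmetic for stacked tunnels, and a firewall rule that refuses bare VXLAN from anywhere but the tunnel, since VXLAN has no authentication of its own. DRY_RUN=1 (the default) prints the commands instead of executing them, so it can be read and checked without root.

```shell
#!/bin/sh
# Added example, not code from the HN thread or any project it mentions:
# VXLAN *inside* WireGuard on Linux with iproute2 and wireguard-tools.
# Names, keys, addresses, VNI and MTU values are placeholders.
# DRY_RUN=1 (the default) prints the commands instead of running them, so the
# script can be inspected without root; DRY_RUN=0 executes them.

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Per-layer encapsulation overhead in bytes, the number that bites with nested tunnels.
# WireGuard on an IPv6 underlay: 40 IP + 8 UDP + 32 (type, receiver index, counter,
# Poly1305 tag) = 80, which is why wireguard-tools defaults wg0 to 1500 - 80 = 1420.
# VXLAN on an IPv4 underlay: 20 IP + 8 UDP + 8 VXLAN + 14 inner Ethernet = 50.
WG_OVERHEAD=80
VXLAN_OVERHEAD=50

wg_mtu_for()    { echo $(( $1 - WG_OVERHEAD )); }                       # $1 = physical MTU
vxlan_mtu_for() { echo $(( $(wg_mtu_for "$1") - VXLAN_OVERHEAD )); }    # $1 = physical MTU

# Bring up one side of a point-to-point VXLAN that rides entirely over wg0.
#   $1 physical MTU      $2 peer WireGuard public key   $3 peer public endpoint ip:port
#   $4 local wg0 address $5 remote wg0 address          $6 VNI   $7 address on the stretched LAN
setup_vxlan_over_wg() {
    phys_mtu=$1; peer_pub=$2; endpoint=$3; wg_local=$4; wg_remote=$5; vni=$6; lan_addr=$7
    wg_mtu=$(wg_mtu_for "$phys_mtu")
    vx_mtu=$(vxlan_mtu_for "$phys_mtu")

    # Outer layer: WireGuard. allowed-ips is the peer's tunnel address only; all
    # cross-site traffic arrives already wrapped in VXLAN addressed to that peer.
    run ip link add dev wg0 type wireguard
    run wg set wg0 listen-port 51820 private-key /etc/wireguard/wg0.key \
        peer "$peer_pub" endpoint "$endpoint" allowed-ips "$wg_remote/32"
    run ip address add "$wg_local/24" dev wg0
    run ip link set dev wg0 mtu "$wg_mtu" up

    # Inner layer: VXLAN. local/remote are the wg0 addresses and 'dev wg0' pins the
    # encapsulated frames to the tunnel, so VXLAN never touches the public NIC.
    run ip link add dev vx0 type vxlan id "$vni" local "$wg_local" remote "$wg_remote" \
        dstport 4789 dev wg0
    run ip link set dev vx0 mtu "$vx_mtu" up
    run ip address add "$lan_addr" dev vx0

    # VXLAN has no authentication: refuse UDP/4789 from anything but the tunnel so a
    # spoofed frame from the internet cannot be injected into the stretched LAN.
    run iptables -A INPUT ! -i wg0 -p udp --dport 4789 -j DROP
}

# Stand-alone demo: site A's side of the tunnel, with placeholder values.
setup_vxlan_over_wg 1500 'PEER_PUBLIC_KEY_BASE64=' 203.0.113.2:51820 \
    10.99.0.1 10.99.0.2 42 192.168.50.1/24
```

The other site runs the same function with the wg0 and LAN addresses swapped and its own peer key and endpoint. With a 1500-byte NIC the stack ends up at wg0 = 1420 and vx0 = 1370; if the inner MTU is left at the default, frames that fit the LAN get fragmented or dropped inside the tunnel, which is the usual "works for ping, dies for NFS" failure. wg-quick users would put the same MTU value under [Interface] instead of the ip link call.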

Hottest takes

"ultimately, that's how Google routes internally." — DiabloD3
"What problem is being solved here?" — wmf
"Why are you trying to link networks across the public internet?" — mbreese

Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.