How to set up WireGuard to be connected to a QEMU/KVM VM via Wi-Fi

How can I set up the WireGuard VPN (host) to be connected to the virtual machine? I'm on device wlp2s0 (wireless). I heard that you can't use the brctl commands to bridge the WireGuard interface to the bridge br0; I also tried the brctl commands and it didn't work.

Is there any way to connect my WireGuard VPN (host) to the virtual machine in a secure way?

Welcome @Yserydmin,

Here is a minimalistic configuration without brctl. The client is the host that connects to the server, e.g. if it is behind NAT. Open a terminal/console on the client and one on the server.

If not already done, install the wireguard package (with apt, yum etc.) on both hosts.

Then:

# on server
$ mkdir -p /etc/wireguard && cd /etc/wireguard
$ wg genkey | tee server_priv.key | wg pubkey > server_pub.key

# on client
$ mkdir -p /etc/wireguard && cd /etc/wireguard
$ wg genkey | tee client_priv.key | wg pubkey > client_pub.key

# on server
$ edit tun_client.conf
[Interface]
# should be a high port
ListenPort = 10042
# tunnel transfer ip, should be a 10.x.x.x/30 ip
Address = 10.0.0.1/30
PrivateKey = content_of_server_priv.key

[Peer]
# add comma separated ips/nets that have to be reachable on the *client* side
AllowedIPs = 10.0.0.0/30
PublicKey = content_of_client_pub.key

# on client
$ edit tun_server.conf
[Interface]
# see above
ListenPort = 10042
# tunnel transfer ip, should be a 10.x.x.x/30 ip
Address = 10.0.0.2/30
PrivateKey = content_of_client_priv.key

[Peer]
# port as above
Endpoint = server_name_or_ip:10042
# add comma separated ips/nets that have to be reachable on the *server* side
AllowedIPs = 10.0.0.0/30
PublicKey = content_of_server_pub.key

# on both hosts: the unit shipped with wireguard-tools is wg-quick@<config name>
# on server
$ systemctl restart wg-quick@tun_client
# on client
$ systemctl restart wg-quick@tun_server

The contents of the key files look like 0HPI+le+X882/47C0v+r8E66Ta3ZPe2Wh2lU9FkeaEo=, i.e. a base64-encoded 32-byte value.

After the service restart you should see 2 new interfaces (using ip a or ifconfig), tun_client on the server and vice versa, holding the transfer IPs 10.0.0.1/30 and 10.0.0.2/30 respectively. Try to ping the remote side and/or nets from each host:

# on server
$ ping 10.0.0.2
# on client
$ ping 10.0.0.1

Of course you can choose other names for the configs (and/or keys); the interfaces are given the same name as the configs (without .conf).

Note that the chosen port 10042/udp may need to be allowed incoming on one or both hosts and/or forwarded on any firewall or NAT gateway in between, and possibly incoming and/or forwarding for the configured ips/nets as well.


I wonder what the wanted end result is; what do you want to secure with the VPN?

You wish to make a VPN tunnel between the HOST (hypervisor) and a GUEST on that HOST in the same VLAN segment?

That would be a strange desire, since in that case the communication between GUEST <> HOST never leaves the HOST, so I dunno what we are securing here.

In any case, securing should be done on the GUEST (VM) side exclusively if your end result is talking from the GUEST to the outside world (other WireGuard-configured hosts in your network or the internet).

Of course, in a case where the HOST is in a different VLAN than the GUEST, such communication could be desired (as packets would in most cases be routed over a GW outside of HOST/GUEST).

What hypervisor are we talking about here?
If Linux is used with kvm/qemu/libvirt, there are many ways to achieve that end goal, one of them being the mentioned Linux bridges (the default network provider in libvirt).

Regards.
Peasant.
