Extend On-Prem Into Hetzner Site-A (HyOps Blueprint)

Purpose: Attach the on-prem VyOS edge to the existing Hetzner Site-A pair through a dual-tunnel site-extension layer.
Owner: Network/platform engineering
Trigger: On-prem route extension, site-extension rebuild, or route-export activation after edge bring-up
Impact: Adds the on-prem edge into the routed WAN domain and makes approved site prefixes available for upstream export
Severity: P2
Pre-reqs: networking/edge-control-plane@v1 is healthy, networking/onprem-vyos-edge@v1 or equivalent state already provides the on-prem VyOS VM, runtime secrets exist, and the Hetzner firewall allowlist includes the on-prem peer endpoint.
Rollback strategy: Destroy the site-extension states or reapply with corrected identities and prefixes before re-enabling route export.

Purpose

Attach the on-prem VyOS edge to the existing Hetzner Site-A edge pair using a dual-tunnel site-extension layer.

This keeps:

  • Hetzner as the fixed public face toward GCP
  • the on-prem site behind that static transit layer
  • Site-A ASN 65010 intact end to end

Scope

Blueprint ref: networking/onprem-site-extension@v1

This blueprint assumes:

  • networking/edge-control-plane@v1 is already healthy
  • networking/onprem-vyos-edge@v1 (or equivalent module state) already provides the on-prem VyOS VM
  • the Hetzner edge foundation firewall allowlist includes the on-prem peer in ipsec_source_cidrs

Prepare the env-scoped overlay

hyops blueprint init --env dev \
  --ref networking/onprem-site-extension@v1 \
  --dest-name onprem-site-extension.yml

Edit:

  • site_extension_edge.inputs.onprem_peer_remote_address
  • site_extension_edge.inputs.onprem_peer_id
  • site_extension_onprem.inputs.onprem_local_id
  • site_extension_onprem.inputs.public_peer_route_next_hop when the on-prem VyOS WAN uplink is not also the default route
  • advertise_prefixes / import_allow_prefixes
  • static_route_prefixes and internal_route_next_hop if you need to originate non-connected internal prefixes from the on-prem edge
  • org/hetzner/vyos-edge-foundation ipsec_source_cidrs so the on-prem peer endpoint is allowed through the Hetzner edge firewall

Use the same stable on-prem identity value in:

  • site_extension_edge.inputs.onprem_peer_id
  • site_extension_onprem.inputs.onprem_local_id

For dynamic on-prem public IPs, prefer a DNS name/FQDN for the peer endpoint and identity.

Secrets

Ensure these exist in the env runtime vault:

hyops secrets ensure --env dev SITE_EXTENSION_IPSEC_PSK
hyops secrets ensure --env dev WAN_EDGE_SSH_PRIVATE_KEY
hyops secrets set --env dev \
  --from-file ONPREM_EDGE_SSH_PRIVATE_KEY=~/.ssh/id_ed25519

Local preflight

hyops blueprint preflight --env dev \
  --file "$HOME/.hybridops/envs/dev/config/blueprints/onprem-site-extension.yml"

Deploy

hyops blueprint deploy --env dev \
  --file "$HOME/.hybridops/envs/dev/config/blueprints/onprem-site-extension.yml" \
  --execute --yes

Verify

Hetzner edge responders:

ssh opsadmin@10.80.0.20 \
  'ssh -i ~/.ssh/id_ed25519 vyos@10.80.0.11 "show configuration commands | match onprem"'

On-prem initiator:

ssh -i ~/.ssh/id_ed25519 vyos@10.10.0.20 \
  'show configuration commands | match "edge-a\\|edge-b\\|169.254.30."'

State:

jq '.status, .outputs' \
  "$HOME/.hybridops/envs/dev/state/modules/platform__network__vyos-site-extension-onprem/latest.json"

Expected:

  • Hetzner edge state is ok
  • on-prem site-extension state is ok
  • both sides show peer and inside-neighbor markers for the 169.254.30.x/30 links
  • on VyOS, VTI interfaces may show UNKNOWN in the output of ip -brief; that is acceptable when IKE and BGP are established

Troubleshooting

  • inputs.onprem_peer_remote_address must be a valid IPv4 address or hostname/FQDN: provide a real on-prem public endpoint value in the env blueprint overlay.
  • inputs.static_route_prefixes contains ... but it is not present in inputs.advertise_prefixes: keep static route injection limited to prefixes you actually originate into BGP.
  • on-prem side config applies but no internal routes are originated: confirm internal_route_next_hop points to the on-prem core/router that knows the advertised internal prefixes.
  • on-prem side config applies but the VTIs stay down or BGP stays in Connect: confirm the Hetzner public peers resolve out the intended WAN uplink on the on-prem VyOS. If they do not, set site_extension_onprem.inputs.public_peer_route_next_hop to the WAN gateway for onprem_bind_interface.
  • on-prem side retransmits IKE forever and the Hetzner responder never answers: confirm org/hetzner/vyos-edge-foundation currently allows the on-prem public endpoint in ipsec_source_cidrs.
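The identity and prefix rules above (use one stable identity in site_extension_edge.inputs.onprem_peer_id and site_extension_onprem.inputs.onprem_local_id, supply a real IPv4 or FQDN peer endpoint, keep static_route_prefixes within advertise_prefixes, and allow the peer endpoint in ipsec_source_cidrs) are easy to check offline before running hyops blueprint preflight. The script below is an added example, not part of the HyOps blueprint or the hyops CLI. It assumes the overlay parses to a mapping with top-level site_extension_edge and site_extension_onprem keys, each holding an inputs mapping, which is inferred from the dotted paths in the runbook; that advertise_prefixes, static_route_prefixes and internal_route_next_hop live under site_extension_onprem.inputs; and that the edge foundation's ipsec_source_cidrs is passed in as a plain list. The sample overlay values are constructed placeholders.

```python
"""Offline preflight checks for an onprem-site-extension overlay.

Added example, not HyOps project code. Overlay layout and input placement
are assumptions based on the dotted input paths in the runbook.
"""
from __future__ import annotations

import copy
import ipaddress
import re

# Hostname/FQDN shape: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, at most 253 characters overall.
_FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)


def is_ipv4(value: str) -> bool:
    """True when value is a literal IPv4 address."""
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def is_hostname(value: str) -> bool:
    """True when value looks like a hostname/FQDN (and is not an IPv4 literal)."""
    return bool(_FQDN_RE.match(value)) and not is_ipv4(value)


def endpoint_allowed(endpoint: str, source_cidrs: list[str]) -> bool | None:
    """True/False when endpoint is an IPv4 literal covered (or not) by the
    ipsec_source_cidrs allowlist; None for a hostname, which cannot be
    checked offline without resolving it."""
    if not is_ipv4(endpoint):
        return None
    addr = ipaddress.IPv4Address(endpoint)
    return any(addr in ipaddress.IPv4Network(c, strict=False) for c in source_cidrs)


def check_overlay(overlay: dict, ipsec_source_cidrs: list[str]) -> list[str]:
    """Return a list of findings; an empty list means the overlay passes."""
    findings: list[str] = []
    edge = overlay["site_extension_edge"]["inputs"]
    onprem = overlay["site_extension_onprem"]["inputs"]

    # 1. Peer endpoint must be a real IPv4 literal or a hostname/FQDN.
    remote = edge.get("onprem_peer_remote_address", "")
    if not (is_ipv4(remote) or is_hostname(remote)):
        findings.append(
            "onprem_peer_remote_address must be a valid IPv4 address or hostname/FQDN"
        )

    # 2. The same stable identity on both sides of the tunnel pair.
    if edge.get("onprem_peer_id") != onprem.get("onprem_local_id"):
        findings.append("onprem_peer_id and onprem_local_id differ")

    # 3. Static route injection limited to prefixes actually originated into BGP.
    advertised = {
        ipaddress.IPv4Network(p, strict=False) for p in onprem.get("advertise_prefixes", [])
    }
    static_prefixes = onprem.get("static_route_prefixes", [])
    for p in static_prefixes:
        if ipaddress.IPv4Network(p, strict=False) not in advertised:
            findings.append(
                f"static_route_prefixes contains {p} but it is not present in advertise_prefixes"
            )

    # 4. Originating non-connected prefixes needs a usable internal next hop.
    if static_prefixes and not is_ipv4(onprem.get("internal_route_next_hop", "")):
        findings.append("static_route_prefixes set but internal_route_next_hop is not an IPv4 address")

    # 5. Hetzner edge firewall must admit the on-prem peer endpoint.
    if endpoint_allowed(remote, ipsec_source_cidrs) is False:
        findings.append(f"peer endpoint {remote} is not covered by ipsec_source_cidrs")

    return findings


def mutate(overlay: dict, section: str, **changes) -> dict:
    """Deep-copy overlay and override inputs of one section (for what-if runs)."""
    clone = copy.deepcopy(overlay)
    clone[section]["inputs"].update(changes)
    return clone


# Constructed sample overlay; all values are placeholders, not a real site.
SAMPLE_OVERLAY = {
    "site_extension_edge": {"inputs": {
        "onprem_peer_remote_address": "203.0.113.10",
        "onprem_peer_id": "onprem-edge.example.net",
    }},
    "site_extension_onprem": {"inputs": {
        "onprem_local_id": "onprem-edge.example.net",
        "advertise_prefixes": ["10.10.0.0/24", "10.20.0.0/24"],
        "static_route_prefixes": ["10.20.0.0/24"],
        "internal_route_next_hop": "10.10.0.1",
    }},
}
SAMPLE_IPSEC_SOURCE_CIDRS = ["203.0.113.0/24"]  # constructed allowlist

if __name__ == "__main__":
    for finding in check_overlay(SAMPLE_OVERLAY, SAMPLE_IPSEC_SOURCE_CIDRS) or ["ok"]:
        print(finding)
```

Run it against the parsed overlay (for example via yaml.safe_load of onprem-site-extension.yml) together with the edge foundation's ipsec_source_cidrs before the hyops preflight. When the peer endpoint is an FQDN, as recommended for dynamic on-prem public IPs, the allowlist check is skipped rather than guessed, so confirm the firewall entry by hand in that case; public_peer_route_next_hop is a routing choice on the on-prem VyOS and is not something this offline check can decide.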