vSwitch feature, Hetzner Online has created a tool for your dedicated root servers that lets you connect your servers in multiple locations to each other using virtual layer 2 networks. On your account on the Robot administration interface, you can create and configure vSwitches using the "vSwitches" button in the server overview.
vSwitch uses the uplink of your server. An additional NIC is therefore not necessary.
You can create a vSwitch on Robot by going to
Main functions ->
vSwitches. Then assign a name and a VLAN ID to your vSwitch. The VLAN ID can range from 4000 to 4091.
After you have created the vSwitch, you can then assign your dedicated root servers to the vSwitch using the
Add server button. Then the servers that you have added can communicate with each other using the VLAN ID that you have set.
The server's main IP address and the additional IP addresses +/or subnets can still be reached without doing VLAN tagging.
There is a limit of 32 MAC addresses per switch port.
You can assign up to 100 servers to a vSwitch.
You can assign up to 5 vSwitches to a server.
You can use any private IP addresses for free within the VLAN. Plus, you can order additional public subnets (IPv4 and IPv6) by going to the
IPs menu tab. You can use these subnets on all servers that you assign to your vSwitch.
Please see the price overview here.
Internal traffic (across locations) is free of charge. For the public subnets, vSwitches have an included traffic limit of 1TB per month. Each additional TB costs € 1.00 per month (excl. VAT). We at Hetzner only count outgoing traffic for this price; incoming and internal traffic is free.
Important note: The main NIC is used for vSwitch traffic. An additional NIC for the vSwitch function is not necessary.
The servers' firewall is also applied to the packets of the vSwitches. Important note: If you have activated a firewall, you must also enable internal IP addresses in the firewall.
For the vSwitch, you need to configure an interface with the VLAN ID that you have entered on Robot. You should limit the MTU of the interface to 1400.
Example configuration for the network card
enp0s31f6, with the VLAN ID 4000
Create a VLAN device
ip link add link enp0s31f6 name enp0s31f6.4000 type vlan id 4000 ip link set enp0s31f6.4000 mtu 1400 ip link set dev enp0s31f6.4000 up
Configure IP address
<192.168.100.1> from the private subnet
ip addr add 192.168.100.1/24 brd 192.168.100.255 dev enp0s31f6.4000
Public subnet You need to create an additional routing table for the public subnet so you can configure another default gateway.
Example configuration for IP
<188.8.131.52> from the public subnet
echo "1 vswitch" >> /etc/iproute2/rt_tables ip addr add 184.108.40.206/29 dev enp0s31f6.4000 ip rule add from 220.127.116.11 lookup vswitch ip rule add to 18.104.22.168 lookup vswitch ip route add default via 22.214.171.124 dev enp0s31f6.4000 table vswitch
enp0s31f6, VLAN 4000, private network
# /etc/network/interfaces auto enp0s31f6.4000 iface enp0s31f6.4000 inet static address 192.168.100.1 netmask 255.255.255.0 vlan-raw-device enp0s31f6 mtu 1400
<126.96.36.199> from public subnet
<188.8.131.52/29> and IPv6
<2001:db8:61:20e1::2> from public subnet
<2001:db8:61:20e1::/64> on the host system.
Create an additional routing table.
echo "1 vswitch" >> /etc/iproute2/rt_tables
# /etc/network/interfaces auto enp0s31f6.4000 iface enp0s31f6.4000 inet static address 192.168.100.1 netmask 255.255.255.0 vlan-raw-device enp0s31f6 mtu 1400 # ipv4 subnet up ip addr add 184.108.40.206/29 dev enp0s31f6.4000 up ip rule add from 220.127.116.11 lookup vswitch up ip rule add to 18.104.22.168 lookup vswitch up ip route add default via 22.214.171.124 dev enp0s31f6.4000 table vswitch down ip addr del 126.96.36.199/29 dev enp0s31f6.4000 down ip route del default via 188.8.131.52 dev enp0s31f6.4000 table vswitch down ip rule del to 184.108.40.206 lookup vswitch down ip rule del from 220.127.116.11 lookup vswitch # ipv6 subnet up ip -6 addr add 2001:db8:61:20e1::2/64 dev enp0s31f6.4000 up ip -6 rule add from 2001:db8:61:20e1::2 lookup vswitch up ip -6 rule add to 2001:db8:61:20e1::2 lookup vswitch up ip -6 route add default via 2001:db8:61:20e1::1 dev enp0s31f6.4000 table vswitch down ip -6 addr del 2001:db8:61:20e1::2/125 dev enp0s31f6.4000 down ip -6 route del default via 2001:db8:61:20e1::1 dev enp0s31f6.4000 table vswitch down ip -6 rule del to 2001:db8:61:20e1::2 lookup vswitch down ip -6 rule del from 2001:db8:61:20e1::2 lookup vswitch
enp0s31f6 (usually called eth0, enp6s0 or enp0s31f6), VLAN 4000, private network
Create two new files for
#/etc/systemd/network/10-enp0s31f6.4000.netdev [NetDev] Name=enp0s31f6.4000 Kind=vlan MTUBytes=1400 [VLAN] Id=4000
#/etc/systemd/network/10-enp0s31f6.4000.network [Match] Name=enp0s31f6.4000 [Network] Description="VLAN 4000" Address=192.168.100.2/24
Add the following line into file:
#/etc/systemd/network/10-enp0s31f6.network .... [Network] ... VLAN=enp0s31f6.4000
sudo systemctl restart systemd-networkd
Newer instances of installimage create netplan-based network configurations on Ubuntu 18.04. The
/etc/systemd/network/ directory will be empty. To set up the VLAN, you need to change the netplan file:
#/etc/netplan/01-netcfg.yaml ### Hetzner Online GmbH installimage network: version: 2 renderer: networkd ethernets: enp0s31f6: addresses: ... vlans: enp0s31f6.4000: id: 4000 link: enp0s31f6 mtu: 1400 addresses: - 192.168.100.2/24
After that, you need to execute the following commands. Then the network should be available:
sudo /lib/netplan/generate sudo systemctl restart systemd-networkd
There appears to be a glitch with netplan and the MTUs. (See https://askubuntu.com/questions/1191365/netplan-not-applying-correct-mtu-to-vlan). You need to set these manually using
sudo /sbin/ip link set mtu 1400 dev enp0s31f6.4000
If you want to persist this configuration across a reboot, it helps to make an entry in crontab (for example, in the one from root, so run sudo crontab -e):
@reboot sleep 10 && /sbin/ip link set mtu 1400 dev enp0s31f6.4000
You can also configure vSwitches via the API.