Create an OVS bridge as you wish, for instance with netplan or nmcli:
nmcli con add type ovs-port con-name ovs-port-br0 ifname br0 ovs-port.controller br0 ovs-port.port-type ovs-bridge
nmcli con add type ovs-interface con-name ovs-if-br0 ifname br0 ovs-interface.controller ovs-port-br0 ovs-interface.type internal ipv4.method manual ipv4.addresses 172.16.16.11/24 ipv6.method auto ipv6.addr-gen-mode default
Enable RSTP on the bridge for loop prevention:
ovs-vsctl set Bridge br0 rstp_enable=true
Add any desired endpoint for VXLAN tunneling, for example:
ovs-vsctl add-port br0 vxlan01 -- set interface vxlan01 type=vxlan options:remote_ip=IP_ADDRESS options:key=2025 options:dst_port=4789
In the command above, 2025 is the VXLAN VNI and 4789 is the UDP port for the VXLAN protocol.
Run the command above on the other endpoint to complete the circuit.
For better security, especially on a public network, be sure to use IPsec for tunnel encryption.
On Debian-based distributions, install:
apt-get install openvswitch-ipsec
Or on Red Hat-based distributions:
dnf install python3-openvswitch libreswan \
openvswitch openvswitch-ipsec
Now you can create any tunnel over IPsec, such as GRE or VXLAN:
With VXLAN:
ovs-vsctl add-port br0 vxlan210 -- set interface vxlan210 type=vxlan \
options:remote_ip=SRC_OR_DST_IP \
options:psk=MY_STRONG_PSK \
options:key=2025 \
options:dst_port=4789
With Geneve:
ovs-vsctl add-port br0 geneve174 -- set interface geneve174 type=geneve options:remote_ip=SRC_OR_DST_IP options:psk=MY_STRONG_PSK
Note that a Geneve tunnel does not need a VNI ID.
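To confirm that no tunnel on the bridge was left without IPsec, the check below (an added example, not part of the original page) prints every VXLAN, Geneve or GRE interface that has no psk, remote_cert or remote_name option. The function name, the "name,type,options" input layout and the sample lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example: list OVS tunnel interfaces that carry no IPsec option and
# therefore send their traffic unencrypted.
#
# Input on stdin: one interface per line as "name,type,options", the layout
# assumed from
#   ovs-vsctl --format=csv --data=bare --no-headings \
#       --columns=name,type,options list Interface
# with options as space-separated key=value pairs.

find_cleartext_tunnels() {
    while IFS=, read -r name type options; do
        case "$type" in
            vxlan|geneve|gre) ;;   # tunnel types named on this page
            *) continue ;;         # internal, system, patch, ...
        esac
        protected=no
        for opt in $options; do
            case "$opt" in
                # A non-empty psk, remote_cert or remote_name marks the
                # tunnel as IPsec-protected; an empty value does not count.
                psk=?*|remote_cert=?*|remote_name=?*) protected=yes ;;
            esac
        done
        [ "$protected" = yes ] || printf '%s\n' "$name"
    done
}

# Constructed sample input (documentation addresses, placeholder PSK):
# vxlan01 is the plain tunnel from the first example, the other two tunnels
# carry a PSK.
SAMPLE='br0,internal,
vxlan01,vxlan,dst_port=4789 key=2025 remote_ip=192.0.2.10
vxlan210,vxlan,dst_port=4789 key=2025 psk=EXAMPLE_PSK remote_ip=192.0.2.10
geneve174,geneve,psk=EXAMPLE_PSK remote_ip=192.0.2.20'

# Prints: vxlan01
printf '%s\n' "$SAMPLE" | find_cleartext_tunnels
```

On a live host, pipe the ovs-vsctl command from the header comment into find_cleartext_tunnels instead of the sample.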