Dear all,
I'd like to ask for High Availability support for my WireGuard configuration.
Could this be possible?
For OpenVPN it's available.
Best regards,
Dan
This is a limitation of WireGuard itself since it cannot bind to a virtual IP, sorry.
Okay,
Perhaps we could bring up a workaround for this?
WireGuard is bound to the default gateway, which is a virtual IP.
Only the master uses this virtual IP. I read a lot about this configuration and I know that in this configuration the second OPNsense has no internet access, but it's a failover.
It would be pretty good at this point to have the same configuration on the second node, which would make this work.
When I manually copy the same WireGuard configuration to the failover OPNsense it's working.
For the default gateway we're using the IPs 10.10.20.1 and 10.10.20.2 as interface IPs, and the virtual IP points to these interfaces.
This is because some customers do not have multiple public IPs.
Some ideas?
You can't decide if WireGuard sends packets from the main IP or the virtual IP, so how would you build a stable connection?
The external IP is in use by the master FW.
If I have the same configuration on the second FW, the second FW can't receive packets until it holds the external IP from the master FW.
Perhaps we misunderstand the handling here.
As I said, manually it's working.
I'm using the same configuration on the second FW; when I take down the first FW I'm able to reconnect with WireGuard because the external virtual IP switches to the second FW.
Which complications there could be, I do not know.
In our configuration only the FW which holds the virtual external IP has internet access. So if the second FW holds this IP when the first FW is down, it's working.
I can also post sample configurations of my firewalls here.
Best regards
Ok, let's do an example:
FW-1, WAN IP: 81.81.81.10
FW-2, WAN IP: 81.81.81.11
Failover IP: 81.81.81.12
On your clients you would set 81.81.81.12 as the endpoint. But as WireGuard is stateless, it could also send its replies from 81.81.81.11 (when FW-2 is master) and then your tunnel would break.
The sending IP depends on how the operating system handles the priorities. In your test it works because the IPs are counted as above, but the world is different. I'm quite sure your setup will fail when you set:
FW1: 81.81.81.10
FW2: 81.81.81.12
Failover IP: 81.81.81.11
With this combination one setup will break.
For sure I can add it, but the behavior is unpredictable and will add countless forum posts where I have to explain the same thing on and on again. So it's better to post to the WireGuard mailing list to add such a feature, which would make it way more stable.
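The failure mode explained in the post above, as an added toy model (not code from the thread, OPNsense or WireGuard): the client uses the floating IP as its endpoint, but the reply source address is chosen by the firewall's OS, which WireGuard does not let you pin. The model goes one step beyond the post by including WireGuard's real roaming rule, that a peer moves its endpoint to the source address of the last authenticated packet it received; the `os_prefers_vip` switch and the `Firewall` helper are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Firewall:
    name: str
    wan_ip: str
    up: bool = True
    master: bool = False  # True while this node holds the CARP floating IP

    def reply_source(self, vip: str, os_prefers_vip: bool) -> str:
        """Source address of a WireGuard reply; chosen by the OS, not by WireGuard."""
        return vip if os_prefers_vip else self.wan_ip


def reachable(addr: str, vip: str, firewalls: List[Firewall]) -> Optional[Firewall]:
    """Which firewall, if any, currently answers packets sent to addr."""
    for fw in firewalls:
        if not fw.up:
            continue
        if addr == fw.wan_ip or (addr == vip and fw.master):
            return fw
    return None


def simulate(fw1: Firewall, fw2: Firewall, vip: str, os_prefers_vip: bool) -> Tuple[str, bool]:
    """Return (client endpoint after the first reply, tunnel survives failover)."""
    fw1.master, fw2.master = True, False
    client_endpoint = vip  # the endpoint the client configured
    # 1. Handshake: client -> VIP reaches the master, which replies from whatever
    #    source the OS picks; WireGuard roaming moves the client's endpoint there.
    first_hop = reachable(client_endpoint, vip, [fw1, fw2])
    client_endpoint = first_hop.reply_source(vip, os_prefers_vip)
    # 2. Failover: FW-1 goes down, FW-2 becomes CARP master and takes the VIP.
    fw1.up, fw1.master, fw2.master = False, False, True
    # 3. The client keeps sending to its (possibly roamed) endpoint.
    after = reachable(client_endpoint, vip, [fw1, fw2])
    return client_endpoint, after is not None and after.master


if __name__ == "__main__":
    # Addresses from the post; only the OS source selection differs between runs.
    for prefers_vip in (True, False):
        fw1 = Firewall("FW-1", "81.81.81.10")
        fw2 = Firewall("FW-2", "81.81.81.11")
        print("OS replies from VIP:", prefers_vip, "->", simulate(fw1, fw2, "81.81.81.12", prefers_vip))
```

When the OS replies from the node's own WAN address, the client silently roams to 81.81.81.10 and loses the tunnel the moment FW-1 goes down, which is the unpredictability the post describes.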
Okay, I'll tell you the actual configuration we have in use here.
The master FW has these interfaces with these virtual IPs:
Internet@1 MASTER 83.236.198.22 | Interface-IP 10.1.0.1
Guests@2 MASTER 10.10.10.1 | Interface-IP 10.10.11.251
Intra@3 MASTER 10.10.50.1 | Interface-IP 10.10.51.251
Residents@4 MASTER 10.10.20.1 | Interface-IP 10.10.21.251
DMZ@5 MASTER 87.193.237.249 | Interface-IP 10.14.14.1
Second FW
Internet@1 BACKUP 83.236.198.22 | Interface-IP 10.1.0.2
Guests@2 BACKUP 10.10.10.1 | Interface-IP 10.10.11.252
Intra@3 BACKUP 10.10.50.1 | Interface-IP 10.10.51.252
Residents@4 BACKUP 10.10.20.1 | Interface-IP 10.10.21.252
DMZ@5 BACKUP 87.193.237.249 | Interface-IP 10.14.14.2
Default Gateway : 83.236.198.21 /30
This is our configuration on our firewalls.
I think I know what you mean, and the world is different.
So this will, as you said, not work with other configurations.
So I leave it open whether this gets integrated or not.
Our problem here is often the internet provider; each one has a different configuration.
And our external subnet range is /30.
Best regards
Quote from: mimugmail on March 23, 2020, 09:31:21 AM
So it's better to post to the WireGuard mailing list to add such a feature, which would make it way more stable.
The more people are asking on WireGuard site, the more chances we have to get this in.
I already did it a while ago ...
Would it not be as simple as having identical setups on both machines (XML synced) and then hooking into the CARP failover event to enable / disable WireGuard? Both machines are able to detect whether they are the primary or not. So where the machine is the primary, WireGuard gets started. When it's not primary, WireGuard gets disabled. Would that be possible without having to hack the WireGuard code, but from an OPNsense perspective?
No, because in the endpoint you need to set an IP .. this can only be IP A, IP B or the floating IP.