OPNsense Forum

English Forums => Virtual private networks => Topic started by: zemsten on January 11, 2022, 10:49:19 PM

Title: Wireguard connections bound to specific WAN interface
Post by: zemsten on January 11, 2022, 10:49:19 PM
I'm having a bit of trouble setting up two WireGuard client connections, with two different WAN interfaces.

I have WAN1 and WAN2, two independent connections to the internet. WAN2 generally has higher bandwidth and is the preferred connection in my gateway group for WAN_FAILOVER.

I have two WireGuard clients configured, WG_WAN1 and WG_WAN2. These connect to two separate endpoints. I want WG_WAN1 to only connect via WAN1 and WG_WAN2 to only connect via WAN2. So far I've achieved this by adding static routes to their endpoint IPs, defining which interface I want to route the traffic on.

Now normally this works great and everything functions as expected. The trouble I run into is when WAN2 goes down for any appreciable time and things failover to WAN1. Initially I see WG_WAN2 go down as expected, but if WAN2 stays down for a while, eventually WG_WAN2 will come back up, routed through WAN1. This is the part that I do not want to happen.

I do have default gateway switching turned on in the firewall, as I want traffic originated from it to handle a single WAN failure (for DNS). Everything else is policy routed through my gateway groups and works great. I believe that a static route should have precedence over discovered routes, but I may be wrong there.

I should also add that I'm running these WireGuard clients with their own assigned interfaces, if that wasn't obvious from context.

Am I missing a crucial element in how to bind a WG client to a particular WAN interface in a failover setup?
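The setup above relies on per-endpoint static host routes (/32) outranking the default route by longest-prefix match. A quick way to confirm, before and after a failover, which interface each tunnel endpoint actually resolves to is to run the same lookup the kernel does over a snapshot of the routing table and compare it with the WAN the tunnel is supposed to use. The script below is an added example written for this thread, not code from OPNsense or from the poster. It parses a simplified three-column snapshot (destination, gateway, interface) rather than real `netstat -rn` output, and all interface names, gateways and endpoint addresses in it are constructed assumptions.

```python
"""Check which interface each WireGuard endpoint routes through.

Added example for the thread above; not OPNsense code. The route snapshots,
interface names (em0 = WAN1, em1 = WAN2, em2 = LAN) and addresses below are
constructed for illustration.
"""
import ipaddress

# Constructed snapshot: both /32 host routes present, default via WAN2 (em1).
NORMAL_ROUTES = """\
default           203.0.113.1   em1
198.51.100.5/32   192.0.2.1     em0
198.51.100.10/32  203.0.113.1   em1
10.0.0.0/24       link#2        em2
"""

# Constructed snapshot for a hypothetical failover: default gateway switched
# to WAN1 (em0) and the host route for the WG_WAN2 endpoint is absent.
FAILOVER_ROUTES = """\
default           192.0.2.1     em0
198.51.100.5/32   192.0.2.1     em0
10.0.0.0/24       link#2        em2
"""

# Tunnel name -> (endpoint IP, interface the tunnel must leave through).
EXPECTED = {
    "WG_WAN1": ("198.51.100.5", "em0"),
    "WG_WAN2": ("198.51.100.10", "em1"),
}


def parse_routes(text):
    """Parse 'destination gateway interface' lines into (network, gw, iface)."""
    routes = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        dest, gateway, iface = line.split()
        if dest == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            net = ipaddress.ip_network(dest, strict=False)
        routes.append((net, gateway, iface))
    return routes


def lookup(routes, ip):
    """Longest-prefix match: the most specific route containing ip wins."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, gateway, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface)
    return best


def check_tunnels(routes, expected):
    """Return {tunnel: (actual_iface, matches_expected)} for every tunnel."""
    report = {}
    for name, (endpoint, wanted_iface) in expected.items():
        match = lookup(routes, endpoint)
        actual = match[2] if match else None
        report[name] = (actual, actual == wanted_iface)
    return report


if __name__ == "__main__":
    for label, snapshot in (("normal", NORMAL_ROUTES), ("failover", FAILOVER_ROUTES)):
        print(f"[{label}]")
        for name, (iface, ok) in check_tunnels(parse_routes(snapshot), EXPECTED).items():
            print(f"  {name}: via {iface} {'OK' if ok else 'MISMATCH'}")
```

In the constructed normal snapshot both tunnels resolve to their intended WAN because the /32 routes are more specific than the default. In the failover snapshot the WG_WAN2 endpoint has no host route left, so the lookup falls through to the switched default gateway on em0 and the check reports a mismatch; that is the condition to look for on the box when the tunnel comes back up on the wrong WAN.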

Title: Re: Wireguard connections bound to specific WAN interface
Post by: mimugmail on January 13, 2022, 06:48:50 AM
Can you install the kmod pkg? Usually WireGuard takes the routing table to send packets and not pf. Maybe kmod helps here.
Title: Re: Wireguard connections bound to specific WAN interface
Post by: zemsten on January 13, 2022, 03:20:40 PM
Sorry, I definitely should have mentioned that in my initial post as well. I am using the kmod implementation. That slipped my mind as I've been using it basically the entire time I've been using WireGuard.  8)
Title: Re: Wireguard connections bound to specific WAN interface
Post by: mimugmail on January 13, 2022, 07:17:47 PM
Can you try floating rules: source WAN address, source port wg, gateway WAN, outbound direction. Same for WAN2. I think the validation was removed some time ago.
Title: Re: Wireguard connections bound to specific WAN interface
Post by: zemsten on January 16, 2022, 07:39:44 PM
This is a novel idea! I just got it set up and it hasn't broken anything, so I'll rock it for a while and see what happens. Thanks much, I appreciate all you do around here!
Title: Re: Wireguard connections bound to specific WAN interface
Post by: mimugmail on January 16, 2022, 08:04:08 PM
Pew pew  8)