After crashing my head for several days ;D I managed to get wireguard working, and now I'd like to add a second tunnel for failover: is there a guide for dummies I can follow?
Tia.
Depends. Tunnel for Internet access, site-to-site or road warriors?
Just Internet access
If both tunnels use the same local config (private key and tunnel addresses), you just have to add a second endpoint. Only enable one endpoint at any given time.
Otherwise, you'll have to duplicate everything. Local config, endpoint, interface assignment, gateway etc.
Cheers
Maurice
I've configured the second endpoint, local, gateway, interface and only I need is to configure wireguard in a way that when the wg1 connection is down, wg2 takes over...
Enable both wg instances and endpoints, create a gateway group and use this group in your pbr firewall rules.
Now, for the life of me I can't understand why the second tunnel gateway is offline although if I go in wireguard -> diagnostics I see there is handshake... >:(
I've found out that in the gateway section, when I change the monitor IP address the tunnel shows offline: if I use 10.2.0.1 the tunnel shows online but anything else like 10.2.0.x takes the tunnel offline - 10.2.0.1 is the DNS IP address provided by ProtonVPN.
Any suggestions?
Make sure not to use the same monitor IP for both. Ping distinct public addresses instead, like 1.1.1.1 and 1.0.0.1. Using unique gateway IP addresses might be required, too (they're arbitrary anyway). Last, you can remove the /28 from the tunnel addresses to avoid having two interfaces with the same subnet (might not be strictly required though).
Great, thanks, it seems the gateway group is working.
I was watching the gateway stats for a few minutes for both tunnels, and noticed they fluctuate a lot, i.e. from online they go to packet loss then back to online: should I be concerned or it's normal? I've set the tunnel MTU for both at 1412, does it matter at all?
Also, do I have to use any rules at all in Firewall -> WireGuard (Group)?
In Firewall -> NAT -> Outbound, I've created just one rule for the interface WireGuard (Group), but I don't know if that's the correct setting or I have to create two separate Outbound rules, one for wg1 and one for wg2 ?
Packet loss is not normal, no. Did this start after adding the second wg interface? No packet loss before? You could try different monitor IPs.
No, you don't need any firewall rules since this is essentially a WAN interface. Everything outbound is allowed and anything inbound is blocked by default.
For the monitor IPs, I'm using Proton servers IP addresses (I believe it makes no difference from the Cloudflare or Google ones).
Another thing I noticed in the log is that pings from those servers towards the two locals are blocked, can this be an issue?
Are 146.70.83.66 / 146.70.96.66 your monitor IPs? But these are also the endpoint IPs, right? That won't work.
Ah okay, I can use Cloudflare or Quad 9 then, but exactly what won't work? Thanks
And I noticed that with one tunnel the connection is pretty stable but with two tunnels the devices lose Internet time by time :-\
The monitor IP must be routed through the tunnel, the endpoint IP mustn't. The tunnel can't be routed through itself.
I see... it's a shame I can't make two tunnels working: with one, it's all good, with two, I see packet loss often and devices disconnect every now and then...
Quote from: Maurice on September 09, 2023, 05:32:38 PM
The monitor IP must be routed through the tunnel, the endpoint IP mustn't. The tunnel can't be routed through itself.
According to the OPNsense guide, as for the IP monitor -> "Insert the endpoint VPN tunnel IP (NOT the public IP) of your VPN provider - see note below" BUT for me it doesn't work, the tunnel shows offline, even if leave it blank, why ??
And if I use 10.2.01 (DNS address) immediately gateway shows online !
And, do I have to set the DNS for each gateway as per this guide: https://docs.opnsense.org/manual/how-tos/multiwan.html
Who is your VPN Provider? If both tunnels use the same ip config, which I see often with WG, you can not have more than one tunnel to that provider.
Quote from: Bob.Dig on September 09, 2023, 08:15:13 PM
Who is your VPN Provider? If both tunnels use the same ip config, which I see often with WG, you can not have more than one tunnel to that provider.
ProtonVPN
As far as I know, they do it like that, all tunnels use the same IP and gateway.
The gateway IP address is meaningless. WireGuard creates a point-to-point link. You throw packets in the tunnel and they show up at the other end. There's no ARP or NDP involved. The only reason you need to specify a gateway IP is that OPNsense requires one for some features. (You can create "gateways" without an IP address by enabling "Dynamic gateway policy" in the interface settings, but this has its limitations when it comes to monitoring, default route creation, failover groups etc.)
Quote from: Maurice on September 09, 2023, 12:44:13 AM
Make sure not to use the same monitor IP for both. Ping distinct public addresses instead, like 1.1.1.1 and 1.0.0.1. Using unique gateway IP addresses might be required, too (they're arbitrary anyway). Last, you can remove the /28 from the tunnel addresses to avoid having two interfaces with the same subnet (might not be strictly required though).
Have you tried all of this?
Quote from: Maurice on September 10, 2023, 06:00:18 PM
Have you tried all of this?
Yep, and with 1 tunnel it works flawlessly, most likely ProtonVPN 'mess up' things with more than 1 connection.
I will try Mullvad with two tunnels and see how it goes.
Quote from: Maurice on September 10, 2023, 06:00:18 PM
Have you tried all of this?
You are not free to chose the config you like, you have to use the ip and subnet the Privacy-VPN-Provider gives you. And if they are the same for every tunnel then you can only have one. If you try to trick it, the tunnel will show problems like described here.
You need Virtual routing and forwarding (VRF) to get around this.
You have to use the tunnel address provided by the VPN provider, correct. But the prefix length and gateway address don't matter. These are only used locally by OPNsense.
Quote from: Maurice on September 10, 2023, 07:00:08 PM
You have to use the tunnel address provided by the VPN provider, correct. But the prefix length and gateway address don't matter. These are only used locally by OPNsense.
Even if, the tunnel address you can not have twice, it will not work. Also the ip-address is the gateway address if I remember correct, there is no way around this on *Sense at one point or another.
Okay, I've tried this real quick (using one of those dubious "free VPN" providers).
It works just fine. No packet loss. Gateway monitoring works. Failover works. I just don't see the issue.
config.xml is attached. Feel free to throw it on a VM and have a look. Easier than lengthy explanations.
Cheers
Maurice
For me, this provider already generates different addresses per tunnel by itself, so it is not comparable. Fact is, twice the same address does not work with *Sense and there are unfortunately enough providers who do it just so.
The screenshots clearly show two different tunnel addresses (10.2.0.5 and 10.2.0.7). Yes, we've established by now that identical tunnel addresses might make this more complicated (not impossible). But there is nothing in this entire thread indicating identical tunnel addresses.
Yes, I did try with those two different IP addresses for the tunnels, but then I reverted back to 10.2.0.2/32 for the single tunnel configuration and that's when the connection became stable and no packet loss.
Looking at the Proton portal, all the config files for different servers I've inspected had one thing in common, i.e. the address 10.2.0.2/32 and DNS
[Interface]
# Bouncing = 10
# NetShield = 2
# Moderate NAT = off
# NAT-PMP (Port Forwarding) = off
# VPN Accelerator = on
PrivateKey = ******
Address = 10.2.0.3/32
DNS = 10.2.0.1
[Peer]
# UK#53
PublicKey = ******
AllowedIPs = 0.0.0.0/0
Endpoint = 146.70.83.66:51820
So, indeed, I did use those two addresses arbitrarily :P
Quote from: hushcoden on September 10, 2023, 11:52:57 PM
So, indeed, I did use those two addresses arbitrarily :P
It would have saved us all a lot of time if you had said that. How are random tunnel addresses supposed to work? And how did you come up with /28? 🙄
Never mind. Trying to help is impossible this way. I'm out.
The /28 comes from here: https://gist.github.com/morningreis/eeda36e8bb07dcb750d77e9a744776e8
I read a few online articles and tried to understand something, please don't be mad at me...
And thank you both for the support, I've learnt a lot!
Quote from: hushcoden on September 11, 2023, 12:15:44 AM
https://gist.github.com/morningreis/eeda36e8bb07dcb750d77e9a744776e8
Had a quick look and I'm sorry to say so, but this is full of errors and half-truths. Don't use that as a reference.
It is very odd that most of the big privacy-vpn-providers use the same ip on all their wireguard tunnels. I "worked around" that by creating VMs for every tunnel.
With MikroTik's RouterOS you could just use VRF for that.