So today Amazon decided to be flaky with the VPN server I was using, so I decided to go in and add another peer to change the server.
While doing this I noticed that I can set up one WireGuard instance to link up to multiple peers. I had previously thought they had to be 1:1.
(https://forum.opnsense.org/index.php?action=dlattach;topic=39235.0;attach=33350;image)
So I guess my question is, what happens when I do this?
My gut instinct is to "test it and see what happens", but right now I keep getting the same peer showing up when I look at my exit point IP address, so I am not entirely sure what it is doing on the back end, if anything at all.
Does it load balance between them? Some sort of round robin arrangement? Or just pick one per boot and stick with it?
Appreciate any thoughts.
No, this is your local instance in OPN. Those peers are those allowed to connect to it, i.e. your mobile, your laptop, etc. Or user 1, user 2, etc.
No, but the peer tab is where you configure the remote WireGuard server you are accessing.
The "instance" appears to be the local portion of it all.
Instance
- Basically a specific WG GW; you can attach multiple peers (hosts) to it
- You can create multiple instances (WG GWs) and create different rules etc. for them
- Each instance has its own subnet
Peer
- Basically an EndPoint; this is where you configure the host you want to allow to connect to the specific WG. A Peer needs to have an IP from the subnet of the WG instance
Regards,
S.
Quote from: Seimus on March 05, 2024, 10:50:03 AM
Instance
- Basically a specific WG GW; you can attach multiple peers (hosts) to it
- You can create multiple instances (WG GWs) and create different rules etc. for them
- Each instance has its own subnet
Peer
- Basically an EndPoint; this is where you configure the host you want to allow to connect to the specific WG. A Peer needs to have an IP from the subnet of the WG instance
Regards,
S.
Yep, so how does an instance behave when you point it towards multiple peers as in my screenshot above?
I wonder if it is a way to get it to load share or round robin connections to the multiple peers.
In my test, I just added four of them, and my connections seemed to be going out to only the last of the four, for some clients, while others seemed to get no outward connectivity at all.
So I think I might have broken it :p
I disabled three of them and went back to a single peer, and everything is working normally again.
I guess the proper way to load balance over multiple peers would be to create a separate instance, interface and gateway for each of them and then load balance them as if they were traditional external gateways?
I was just experimenting and hoping this might be a shortcut :p
What you describe would be my expectation.
By nature I don't think WG is doing any load-balancing at all. If I were to do a multi-tunnel site-to-site, I would try to achieve load balancing using routing or VXLAN.
Never tried this, as for now I don't have the requirement for it.
Regards,
S.
Peers cannot have overlapping allowed IPs - so if everything is configured correctly it will bring up all peers and route the matching networks to each.
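The rule in the reply above (one AllowedIPs prefix belongs to exactly one peer on an instance, and the longest matching prefix picks the peer) as an added Python model; this is not OPNsense, WireGuard or any poster's code. The peer names and networks are constructed, and "the later peer takes a duplicated prefix" is a modelling assumption chosen to match the "only the last of the four" result reported earlier in the thread.

```python
"""Model of WireGuard cryptokey routing on one instance with several peers.
Constructed example, not OPNsense or WireGuard code; peers and networks are made up."""
import ipaddress
# Constructed wg-quick style config: three peers whose AllowedIPs do not collide.
GOOD_CONF = """
[Peer]  # site A
PublicKey = <placeholder>
AllowedIPs = 10.10.1.0/24

[Peer]  # site B
PublicKey = <placeholder>
AllowedIPs = 10.10.2.0/24, 10.10.3.0/24

[Peer]  # commercial VPN exit used as default route
PublicKey = <placeholder>
AllowedIPs = 0.0.0.0/0
"""
# The four-exit-peer experiment from the thread: every peer claims the default route.
BAD_CONF = "[Peer]\nAllowedIPs = 0.0.0.0/0\n" * 4

def parse_peers(conf):
    """Return [{'name', 'allowed': [ip_network, ...]}] per [Peer] section."""
    peers, cur = [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if line == "[Peer]":
            cur = {"name": f"peer{len(peers) + 1}", "allowed": []}
            peers.append(cur)
        elif cur and line.startswith("AllowedIPs"):
            nets = line.split("=", 1)[1].split(",")
            cur["allowed"] = [ipaddress.ip_network(n.strip()) for n in nets]
    return peers

def duplicate_allowed_ips(peers):
    """{prefix: [peers]} for prefixes claimed by more than one peer. A prefix belongs
    to one peer only; nested prefixes of different length are fine (longest match)."""
    owners = {}
    for p in peers:
        for net in p["allowed"]:
            owners.setdefault(net, []).append(p["name"])
    return {str(n): o for n, o in owners.items() if len(o) > 1}

def select_peer(peers, dst):
    """Cryptokey routing: longest AllowedIPs prefix containing dst wins; on an exact
    duplicate the later peer takes it (model assumption; cf. 'only the last of the four')."""
    addr, best, best_len = ipaddress.ip_address(dst), None, -1
    for p in peers:
        for net in p["allowed"]:
            if addr in net and net.prefixlen >= best_len:
                best, best_len = p["name"], net.prefixlen
    return best
```

With GOOD_CONF, 10.10.2.x goes to the site B peer and everything else to the exit peer, while BAD_CONF reports 0.0.0.0/0 claimed four times and sends all traffic to the last peer.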
Ahh, that makes sense.
Thank you.
--Matt