Seeking advice from community to learn about this setup:
- OPNsense 25.7.7_4-amd64
- working Multi-WAN setup with Gateway Group failover WAN1 -> WAN2
- WAN2 has CGNAT
WAN1[DSL]
\
--OPNSense---Lan---WG-Roadwarrior
/
WAN2[SAT]
Yesterday WAN1 went down. Seemingly all connections have been successfully moved over to WAN2 incl. established connections (as expected <3)
except my one client with a wireguard road warrior setup. The wg0 on this machine showed 100% packet loss.
Config on the VPN Server on the internet has no endpoint config for the road warrior,
config on the road warrior has endpoint VPN Server IP address configured as endpoint. So the lan client road warrior should establish the connection to VPN Server... even - or especially when - the default gateway on OPNSense has been switched.
I had the impression that this config would make wg on the road warrior to re-establish the connection over the new default gateway.
Why is it not happening even over wireguard service restarts? OPNSense is the default gateway in the LAN, the physical gateway has been switched correctly, Default Gateway Switching is enabled, all connections worked, but wireguard.
Any hints? What am I missing?
Seeking your wisdom,
highly appreciated.
Wireguard is a stateless protocol. Once peers have handshaked, they will happily use that socket forever, until one side sends a handshake from a new socket.
But, a peer might be behind a firewall that does not allow receiving this new handshake (the state is open for the old socket only), so the peer never updates and continues to send all packets to the last known socket.
If you want failover you need a stateful protocol like OpenVPN that notices if the control channel gets interrupted and re-establishes automatically.
Wireguard is only self healing if both peers can always talk directly to the other peers socket.