High availability / CARP and WireGuard
« on: December 15, 2021, 10:52:21 am »
Dear All,
I have "upgraded" my single OPNsense box to 2 OPNsense boxes. Before upgrading I had WireGuard running as my VPN solution. With my 2 new boxes, which are running in CARP / HA mode, WireGuard seems not to work, although I have followed the documentation. I have read a bit and found out that in HA mode WireGuard does not work. Is there a way to get WireGuard working even though it does not work with HA?
For clarification I have the following configuration / rules / etc.
WAN Router -> Fritzbox 192.168.1.1
opnsense1 (WAN) -> 192.168.1.10
opnsense2 (WAN) -> 192.168.1.11
opnsense carp (WAN) -> 192.168.1.20
internet -> WAN Router (fritzbox) with Portforwarding to opnsense carp -> opnsense 1 +2 -> LAN / ...
Firewall Rule on WAN Interface:
Interface - WAN
Direction - in
TCP/IP Version - IPv4
Protocol - UDP
Source - any
destination - WAN Address ### is this right? should it be carp address?
destination port - WireGuard Server Port
Firewall outbound NAT
Interface - WAN
TCP/IP Version - IPv4
Protocol - any
source - WGUA Network ### this is the created interface for WireGuard according to the documentation
source port - any
destination - any
destination port - any
Translation - CARP IP WAN Interface
WireGuard on opnsense 2 (backup box) -> Disabled
Thanks for any hints!!!
cu em.tie
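Added example for the setup above (not part of em.tie's post and not OPNsense's own code): a small POSIX sh checker for the two things that usually break WireGuard on a CARP pair. First, the Fritzbox forwards to 192.168.1.20, so the WireGuard packets arrive with the CARP VIP as their destination; a pass rule whose destination is "WAN address" matches only the interface's own address (192.168.1.10 on the first box, .11 on the second), so the rule should name the CARP VIP instead. Second, which node currently holds the VIP as MASTER and whether that node actually has a UDP listener on the WireGuard port. The functions parse plain text so they can be tried offline on the constructed `ifconfig` and `sockstat` samples embedded below; the listen port 51820 is an assumption, since the post only says "WireGuard Server Port".

```sh
#!/bin/sh
# Added example, not from the original post or from OPNsense itself.
# On a live node replace the samples with the real output of
#   ifconfig         and         sockstat -4l
# and confirm the pass rule with:  pfctl -sr | grep "$WG_PORT"

CARP_VIP="192.168.1.20"   # WAN CARP VIP from the post
WG_PORT="51820"           # assumption: the post only says "WireGuard Server Port"

# carp_role IFCONFIG_TEXT VIP -> prints MASTER, BACKUP, INIT, or NONE.
# Finds the vhid attached to VIP on its "inet" line, then reports the state
# from the "carp:" line of the same interface block that carries that vhid.
carp_role() {
    role=$(printf '%s\n' "$1" | awk -v vip="$2" '
        $1 == "inet" && $2 == vip {
            for (i = 1; i <= NF; i++) if ($i == "vhid") want = $(i + 1)
        }
        $1 == "carp:" && want != "" {
            for (i = 1; i <= NF; i++)
                if ($i == "vhid" && $(i + 1) == want) { print $2; exit }
        }')
    printf '%s\n' "${role:-NONE}"
}

# wg_port_bound SOCKSTAT_TEXT PORT -> exit 0 if a UDP socket listens on PORT.
# sockstat columns: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS;
# the in-kernel wg interface shows "?" in the first four columns.
wg_port_bound() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $5 ~ /^udp/ && $6 ~ (":" port "$") { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# wg_ha_check IFCONFIG_TEXT SOCKSTAT_TEXT -> one-line verdict, exit 0 = fine.
wg_ha_check() {
    role=$(carp_role "$1" "$CARP_VIP")
    if wg_port_bound "$2" "$WG_PORT"; then bound=yes; else bound=no; fi
    case "$role:$bound" in
        MASTER:yes) echo "OK: MASTER for $CARP_VIP and WireGuard listens on udp/$WG_PORT"; return 0 ;;
        MASTER:no)  echo "PROBLEM: MASTER for $CARP_VIP but nothing listens on udp/$WG_PORT"; return 1 ;;
        BACKUP:yes) echo "OK: BACKUP; WireGuard is ready once this node becomes MASTER"; return 0 ;;
        BACKUP:no)  echo "WARN: BACKUP with WireGuard disabled; no VPN after failover until it is enabled"; return 1 ;;
        *)          echo "PROBLEM: $CARP_VIP is not a CARP address on this node (state $role)"; return 1 ;;
    esac
}

# Constructed samples, shaped like FreeBSD output on the primary node.
SAMPLE_IFCONFIG='vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.1.10 netmask 0xffffff00 broadcast 192.168.1.255
        inet 192.168.1.20 netmask 0xffffff00 broadcast 192.168.1.255 vhid 1
        carp: MASTER vhid 1 advbase 1 advskew 0'
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1234  4  tcp4   *:22                  *:*
?        ?          ?     ?  udp4   *:51820               *:*'

wg_ha_check "$SAMPLE_IFCONFIG" "$SAMPLE_SOCKSTAT"
```

Run it on both boxes: exactly one should report MASTER. Because the post disables WireGuard on the backup box, the backup will report the WARN line, which is the expected price of that choice: after a failover the VIP moves, but nothing answers on the WireGuard port until the service is enabled there.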