Messages - roboalex

#1
Hi,

I guess it was because I set up the interfaces AFTER setting up the HA and wireguard config.
I have another cluster where Wireguard works perfectly through an HA failure.

#2
Hi,

I am running two OPNsense VMs (24.1.2_1) in HA on a vCenter cluster. I am using them mainly as a Wireguard server hanging off of a firewall, with a single virtual NIC per node and outbound NAT disabled. CARP and the HA sync seem to work perfectly after enabling Net.ReversePathFwdCheckPromisc on the ESXi hosts.

The one problem I have is that I currently only have a WG1 interface for Wireguard on Node1, but not yet on Node2, meaning that Wireguard doesn't fail over properly when the CARP master changes.

When I add the WG1 interface to Node2 under Assignments (with the same name and configuration) and trigger a config sync from Node1, the sync never completes and the "System -> High Availability -> Status" page fails to load completely afterwards. Simply rebooting the nodes or removing the WG1 interface from Node2 doesn't fix the problem; the only way I could find to repair the HA cluster was to restore a backup on Node2, then trigger a sync from Node1.

The Wireguard config itself is correctly synced before adding the interface and is set to depend on the CARP VIP.

Did I set something up in the wrong order? Or is there a mistake in my thinking?

Thanks in advance :)