1
Virtual private networks / Wireguard connections bound to specific WAN interface
« on: January 11, 2022, 10:49:19 pm »
I'm having a bit of trouble setting up two wireguard client connections, with two different WAN interfaces.
I have WAN1 and WAN2, two independent connections to the internet. WAN2 generally has higher bandwidth and is the preferred connection in my gateway group for WAN_FAILOVER.
I have two wireguard clients configured. WG_WAN1 and WG_WAN2. These connect to two separate endpoints. I want WG_WAN1 to only connect via WAN1 and WG_WAN2 to only connect via WAN2. So far I've achieved this by adding static routes to their endpoint IPs, defining which interface I want to route the traffic on.
Now normally this works great and everything functions as expected. The trouble I run into is when WAN2 goes down for any appreciable time and things failover to WAN1. Initially I see WG_WAN2 go down as expected, but if WAN2 stays down for a while, eventually WG_WAN2 will come back up, routed through WAN1. This is the part that I do not want to happen.
I do have default gateway switching turned on in the firewall, as I want traffic originated from it to handle a single WAN failure (for DNS). Everything else is policy routed through my gateway groups and works great. I believe that a static route should have precedence over discovered routes, but I may be wrong there.
I should also add that I'm running these wireguard clients with their own assigned interfaces, if that wasn't obvious from context.
Am i missing a crucial element in how to bind a WG client to a particular WAN interface in a failover setup?
I have WAN1 and WAN2, two independent connections to the internet. WAN2 generally has higher bandwidth and is the preferred connection in my gateway group for WAN_FAILOVER.
I have two wireguard clients configured. WG_WAN1 and WG_WAN2. These connect to two separate endpoints. I want WG_WAN1 to only connect via WAN1 and WG_WAN2 to only connect via WAN2. So far I've achieved this by adding static routes to their endpoint IPs, defining which interface I want to route the traffic on.
Now normally this works great and everything functions as expected. The trouble I run into is when WAN2 goes down for any appreciable time and things failover to WAN1. Initially I see WG_WAN2 go down as expected, but if WAN2 stays down for a while, eventually WG_WAN2 will come back up, routed through WAN1. This is the part that I do not want to happen.
I do have default gateway switching turned on in the firewall, as I want traffic originated from it to handle a single WAN failure (for DNS). Everything else is policy routed through my gateway groups and works great. I believe that a static route should have precedence over discovered routes, but I may be wrong there.
I should also add that I'm running these wireguard clients with their own assigned interfaces, if that wasn't obvious from context.
Am i missing a crucial element in how to bind a WG client to a particular WAN interface in a failover setup?