How should an HA pair handle WireGuard?

Started by whit, September 19, 2019, 04:33:06 PM

Is there a way to tie WireGuard to CARP takeover? Obviously I can't just have it already running on both systems, with the same remote connections. On the DR system, once running it should connect to the remote systems at their IPs even if it's not coming from the expected IP on the OPNsense end; that's a feature of WireGuard. I'm guessing this will take scripting to tie it to CARP, so that it only starts when CARP triggers it. If so, where should that be tied in?

Apologies if this is documented somewhere I haven't found yet. Thanks for any pointers.

Whit

No, doesn't work, it's a limitation of WireGuard itself (UDP, no IP interface binding)

What I'm asking then is a way to script for CARP to turn WireGuard off and on in coordination with IP takeover when the master system is down. I know this is doable. (It's simple enough using UCARP on Linux.) I just don't know my way around how OPNsense uses CARP here.

Yes, this goes beyond the pretty menus. But it's where I need to be.

The problem is you can't set a sending source IP. Packets are not sent via CARP IP.
This is a limitation of Wireguard itself.

You're not understanding what I'm saying. It's not about IP. It's about integrating a line to start or stop WireGuard into the scripts which run when CARP orchestrates an IP takeover. I don't care about the IPs. I care about whether the system thinks it's the master or the standby. When CARP tells the standby to take over as master, the trick is to have it also start WireGuard, with /usr/local/etc/rc.d/wireguard start. And when it surrenders that, to stop WireGuard similarly.

That there's also IP takeover in this case is coincident, but the state of the virtual IPs is logically independent of this, beyond the coincident use of the same mechanism to trigger both those and WireGuard.

Whit

I see in /usr/local/etc/rc.syshook.d/carp the file 20-openvpn with references to MASTER and BACKUP. My guess is this is part of a mechanism which can be extended to start and stop WireGuard according to whether the firewall is in MASTER or BACKUP status.

Is OPNsense using CARP in a standard BSD way here, or are the files controlling it somewhat different in arrangement? That is, can I depend on the BSD docs for guidance on this?

Thanks,
Whit
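One way to do what the post above describes, as an added example that is not from this thread or from OPNsense itself: a syshook script dropped next to 20-openvpn that starts WireGuard when the firewall becomes MASTER for the relevant VHID and stops it on BACKUP. It assumes the same calling convention as 20-openvpn (first argument is devd's CARP subsystem string "vhid@interface", second is the state), an assumed install path of /usr/local/etc/rc.syshook.d/carp/30-wireguard, and a WAN VHID number set in WG_VHID (placeholder default 1).

```shell
#!/bin/sh
# Added example (not OPNsense's own code): CARP syshook for WireGuard.
# Assumed invocation, matching 20-openvpn: $1 = "vhid@interface", $2 = MASTER|BACKUP|INIT.
# Assumed install path: /usr/local/etc/rc.syshook.d/carp/30-wireguard (mode 755).

WG_VHID="${WG_VHID:-1}"                               # placeholder: VHID of the WAN CARP address
WG_RC="${WG_RC:-/usr/local/etc/rc.d/wireguard}"       # rc script named in the thread

# Map a CARP event to the WireGuard action to take; prints start, stop or ignore.
# Only the configured VHID matters: other virtual IPs (LAN, DMZ) must not flap the tunnel.
wg_action_for() {
    subsystem="$1"
    state="$2"
    case "$subsystem" in
        *@*) vhid="${subsystem%%@*}" ;;               # "1@em0" -> "1"
        *)   echo ignore; return 0 ;;                  # not a CARP source string
    esac
    [ "$vhid" = "$WG_VHID" ] || { echo ignore; return 0; }
    case "$state" in
        MASTER) echo start ;;                          # we now hold the WAN address
        BACKUP) echo stop ;;                           # the peer took it over
        *)      echo ignore ;;                         # INIT or unknown: leave state alone
    esac
}

# Act only when called by rc.syshook with arguments, so the function above can be
# sourced or tested without touching the service.
if [ $# -ge 2 ]; then
    action="$(wg_action_for "$1" "$2")"
    case "$action" in
        start|stop)
            logger -t carp-wireguard "CARP $2 on $1: wireguard $action"
            "$WG_RC" "$action"
            ;;
        *)
            logger -t carp-wireguard "CARP $2 on $1: no WireGuard action"
            ;;
    esac
fi
```

This only controls which node runs the daemon; it does not change the source address WireGuard replies from, which is the separate limitation discussed in this thread.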

Just set up site2site with HA, initiate a failover, stop on unit1 manually, start on unit2 manually and see what happens

I'm also looking into this.
My naive approach would have been to run wireguard with identical configuration and then utilize a port forward from the CARP address to localhost.
Would this not work?
I didn't even need a redirect, I just created an alias IP on the WAN interface and Wireguard is receiving traffic.
However - as indicated - the return traffic comes from the main interface IP rather than the alias, obviously breaking the tunnel.

Is this a WG or BSD bug? Usually I'd expect a host to reply with the very same address it was contacted on. There is no NAT in my scenario, just two IPs on an interface.

This would need a feature request via WireGuard, BSD should handle this fine