Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
21.7 Legacy Series
»
Wireguard multiWAN with HA site to site - Wireguard needs to follow CARP
« previous
next »
Print
Pages: [
1
]
Author
Topic: Wireguard multiWAN with HA site to site - Wireguard needs to follow CARP (Read 2681 times)
nzkiwi68
Full Member
Posts: 182
Karma: 20
Wireguard multiWAN with HA site to site - Wireguard needs to follow CARP
«
on:
September 08, 2021, 12:32:26 am »
All that is needed to get it going properly, is have WireGuard (WG) follow the CARP master and STOP on the backup firewall and only start if it is the CARP master.
I don't care that WG doesn't send packets out the carp interface or I can't control which interface IP it uses, because the other end doesn't care either. It make NO difference because WG is stateless. It doesn't matter if the remote firewall sends from a different IP address to what the local firewall sends from. It just make no difference. Nobody cares. That actually makes it quite awesome.
I spent the last few days working on a Wireguard multiWAN with HA site to site setup.
SiteA
2 x firewalls in HA with CARP and WAN1 and WAN2
SiteB
2 x firewalls in HA with CARP and WAN1 and WAN2
FRR already has lots of cool features to follow carp, so it's no problem to get routing only running on the primary firewall.
All that is needed to get multi site, primary/backup HA WireGuard running in an active/passive is to have WG stopped on the backup firewall.
That's it!
I LOVE the stateless nature of WG and how fast it sets up a VPN tunnel compared to IPSEC. It's awesome. But, that does make a nightmare if WG is running on both the primary and backup firewall.
Because of the stateless design of WG it's likely that the local primary and local backup firewall both try to have the same VPN tunnel up to the remote firewall.
Without having WG as active/passive, for a pair of HA firewalls each end site to site you need unique 8 tunnels and the problem is;
1. The complexity
2. You can't HA sync WG nor FRR because it all needs to be different
3. What about the WG interfaces needed which need to be different on primary/backup firewall?
WireGuard needs an option in the package ;
Enable CARP Failover
Follow this (drop down box) CARP VHID (user select which CARP to follow, probably the LAN CARP)
With that simple change, WG becomes instantly ready for multiWAN HA
the config becomes the same on the primary and the backup firewall
you can HA sync the FRR and Wireguard config
8 VPN tunnels and very complex routing become a far simpler design of 2
Please please please please.
Logged
alfrisch
Newbie
Posts: 9
Karma: 0
Re: Wireguard multiWAN with HA site to site - Wireguard needs to follow CARP
«
Reply #1 on:
October 01, 2021, 08:24:53 am »
Hi, I also want to implement a multiWAN site-to-site setup with wireguard in HA configuration and your suggested solution sounds very interesting and simple to add to OPNsense.
Looking forward to any action on this topic!
Logged
Patrick M. Hausen
Hero Member
Posts: 6839
Karma: 574
Re: Wireguard multiWAN with HA site to site - Wireguard needs to follow CARP
«
Reply #2 on:
October 17, 2021, 04:26:37 pm »
Seconded, I am in the same situation. As a temporary workaround I do
major config change on master
enable sync for WG
sync config
disable sync for WG
disable WG on backup
But that's not pretty.
@nzkiwi68 - have you create an issue on github, already?
Logged
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
alfrisch
Newbie
Posts: 9
Karma: 0
Re: Wireguard multiWAN with HA site to site - Wireguard needs to follow CARP
«
Reply #3 on:
December 08, 2021, 02:58:32 pm »
here is the issue on github
https://github.com/opnsense/plugins/issues/2524
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
21.7 Legacy Series
»
Wireguard multiWAN with HA site to site - Wireguard needs to follow CARP