Triggered scripts on failover

[qdrop]

Hi everyone.

Can anyone tell me, what scripts are triggered upon a failover procedure? We're using a default HA setup (as documented in https://docs.opnsense.org/manual/how-tos/carp.html.

The background is that we're using Wireguard as our VPN solution of choice. It's by far the best VPN available today. By far the best stability, performance and speed. So we're not willing to go back to IPsec or OpenVPN.

I would like that our HA setup also automatically stops / starts the Wireguard tunnel on the two cluster members - depending on their CARP status. We're aware, that this will take couple of seconds until the tunnel recovers.

Other solutions (such as having two active Wireguard tunnels) turn out to be far more complex to implement. We value simplicity.

If we're successful implementing that setup I consider documenting the whole setup. There are a lot of engineers trying to accomplish the same thing ;-).

Any help is highly appreciated.

Best

qdrop

[Werner Fischer]

Hi,

you can check what gets triggered by following the log "clog -f /var/log/system.log" during a failover - see  https://www.thomas-krenn.com/de/wiki/OPNsense_HA_Cluster_einrichten#Ausfalls-Test

Regarding Wireguard failover I have not done any tests yet, but as far as I see from the forum there is no support possible yet: https://forum.opnsense.org/index.php?topic=16339.0

Best regards,
Werner

[qdrop]

Yeah, thank you very much. I'll have a look at this.

Regarding Wireguard: There seems to be a big misunderstanding. A lot of people try to get HA-setups with Wireguard following the standards (active-active tunnels, Policy-based routing, etc...).

What I try to accomplish is not a proper HA-setup from a networking perspective: There will be downtime and there will be packets getting lost. Yet it will still fulfill our requirements to a failover: Getting the system up and running as fast as possible (basically the time it takes to initiate a tunnel and adjust the routing tables).

You can try it yourself: Create a HA-setup and activate the Wireguard tunnel on the active node. Then, disable wireguard on the active node, pull the plug and simply start the Wireguard tunnel on the secondary node: The system will work as expected and the tunnel will establish just fine.

Then, reactivate the disabled node, disable Wireguard on the failover node and reactivate the Wireguard on the primary node: The system is successfully failed back and everything works as expected.

Did I understand everything properly? What I try to accomplish is simply to automate these processes. As both our nodes are clients to a Wireguard server (road-warrior-setup), this setup should work without any issues: I can randomly start a tunnel from various different clients, as long as there is only one active at a given time, right?

Best

qdrop

[mimugmail]

Yes this will work, but there will be no official support since WireGuard itself doesn't support binding to IP addresses. As 99% of all HA setups will be server side and not client side, your solution will only work on 1% of the setups and I don't want to support HA support for 1% where 99% is angry why HA doesn't work.

[qdrop]

jprenken solved this issue: https://gist.github.com/jprenken/18ca7bf14ddae547ae0fdf6f56d72573