How should an HA pair handle WireGuard?

[whit]

Is there a way to tie WireGuard to CARP takeover? Obviously I can't just have it already running on both systems, with the same remote connections. On the DR system, once running it should connect to the remote systems at their IPs even if it's not coming from the expected IP on the OPNsense end; that's a feature of WireGuard. I'm guessing this will take scripting tie it to CARP, so that it only starts when CARP triggers it. If so, where should that be tied in?

Apologies if this is documented somewhere I haven't found yet. Thanks for any pointers.

Whit

[mimugmail]

No, doesn't work, it's a limitiation of Wireguard itself (UDP, no IP interface binding)

[whit]

What I'm asking then is a way to script for CARP to turn WireGuard off and on in coordination with IP takeover when the master system is down. I know this is doable. (It's simple enough using UCARP on Linux.) I just don't know my way around how OPNsense uses CARP here.

Yes, this goes beyond the pretty menus. But it's where I need to be.

[mimugmail]

The problem is you can't set a sending source IP. Packets are not sent via CARP IP.
This is a limitation of Wireguard itself.

[whit]

You're not understanding what I'm saying. It's not about IP. It's about integrating a line to start or stop WireGuard into the scripts which run when CARP orchestrates an IP takeover. I don't care about the IPs. I care about whether the system thinks it's the master or the standby. When CARP tells the standby to take over as master, the trick is to have it also start WireGuard, with /usr/local/etc/rc.d/wireguard start. And when it surrenders that, to stop WireGuard similarly.

That there's also IP takeover in this case is coincident, but the state of the virtual IPs is logically independent of this, beyond the coincident use of the same mechanism to trigger both those and WireGuard.

Whit

[whit]

I see in /usr/local/etc/rc.syshook.d/carp the file 20-openvpn with references to MASTER and BACKUP. My guess is this is part of a mechanism which can be extended to start and stop WireGuard according to whether the firewall is in MASTER or BACKUP status.

Is OPNsense using CARP in a standard BSD way here, or are the files controlling it somewhat different in arrangement? That is, can I depend on the BSD docs for guidance on this?

Thanks,
Whit

[mimugmail]

Just setup site2site with HA, initiate a failover, Stop on unit1 manually, start on unit2 manually and see what happens

[ctr]

I'm also looking into this.
My naive approach would have been to run wireguard with identical configuration and then utilize a port forward from the CARP address to localhost.
Would this not work?

[mimugmail]

WireGuard will sent it's packets via main IP, so, no

[ctr]

I didn't even need a redirect, I just created an alias IP on the WAN interface and Wireguard is receiving traffic.
However - as indicated - the return traffic comes from the main interface IP rather than the alias, obviously breaking the tunnel.

Is this a WG or BSD bug? Usually I'd expect a host to reply with the very same address it was contacted on. There is no NAT in my scenario, just two IPs on an interface.

[mimugmail]

This would need a feature request via WireGuard, BSD should handle this fine