Topic: How should an HA pair handle WireGuard? (Read 5442 times)
whit
Newbie
Posts: 35
Karma: 1
How should an HA pair handle WireGuard?
on: September 19, 2019, 04:33:06 pm
Is there a way to tie WireGuard to CARP takeover? Obviously I can't just have it already running on both systems, with the same remote connections. On the DR system, once running it should connect to the remote systems at their IPs even if it's not coming from the expected IP on the OPNsense end; that's a feature of WireGuard. I'm guessing this will take scripting to tie it to CARP, so that it only starts when CARP triggers it. If so, where should that be tied in?
Apologies if this is documented somewhere I haven't found yet. Thanks for any pointers.
Whit
mimugmail
Hero Member
Posts: 6756
Karma: 494
Re: How should an HA pair handle WireGuard?
Reply #1 on: September 19, 2019, 04:34:31 pm
No, doesn't work, it's a limitation of WireGuard itself (UDP, no IP interface binding)
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
whit
Newbie
Posts: 35
Karma: 1
Re: How should an HA pair handle WireGuard?
Reply #2 on: September 19, 2019, 08:20:21 pm
What I'm asking then is a way to script for CARP to turn WireGuard off and on in coordination with IP takeover when the master system is down. I know this is doable. (It's simple enough using UCARP on Linux.) I just don't know my way around how OPNsense uses CARP here.
Yes, this goes beyond the pretty menus. But it's where I need to be.
mimugmail
Hero Member
Posts: 6756
Karma: 494
Re: How should an HA pair handle WireGuard?
Reply #3 on: September 19, 2019, 09:01:09 pm
The problem is you can't set a sending source IP. Packets are not sent via CARP IP.
This is a limitation of Wireguard itself.
whit
Newbie
Posts: 35
Karma: 1
Re: How should an HA pair handle WireGuard?
Reply #4 on: September 19, 2019, 09:48:55 pm
You're not understanding what I'm saying. It's not about IP. It's about integrating a line to start or stop WireGuard into the scripts which run when CARP orchestrates an IP takeover. I don't care about the IPs. I care about whether the system thinks it's the master or the standby. When CARP tells the standby to take over as master, the trick is to have it also start WireGuard, with /usr/local/etc/rc.d/wireguard start. And when it surrenders that, to stop WireGuard similarly.
That there's also IP takeover in this case is coincident, but the state of the virtual IPs is logically independent of this, beyond the coincident use of the same mechanism to trigger both those and WireGuard.
Whit
whit
Newbie
Posts: 35
Karma: 1
Re: How should an HA pair handle WireGuard?
Reply #5 on: September 19, 2019, 11:02:38 pm
I see in /usr/local/etc/rc.syshook.d/carp the file 20-openvpn with references to MASTER and BACKUP. My guess is this is part of a mechanism which can be extended to start and stop WireGuard according to whether the firewall is in MASTER or BACKUP status.
Is OPNsense using CARP in a standard BSD way here, or are the files controlling it somewhat different in arrangement? That is, can I depend on the BSD docs for guidance on this?
Thanks,
Whit
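As an added example (not code from this thread or from OPNsense), here is a minimal rc.syshook.d/carp script that does what the post above describes: start WireGuard when this node becomes MASTER and stop it when it drops to BACKUP. It assumes the argument convention of the 20-openvpn hook ($1 = "vhid@interface", $2 = MASTER or BACKUP) and that VHID 1 is the WAN CARP address; both are assumptions to verify on your own install.

```shell
#!/bin/sh
# Added example, not from this thread or from OPNsense: a CARP syshook that
# starts WireGuard when this node becomes MASTER and stops it on BACKUP.
# Assumed argv convention, taken from 20-openvpn: $1 = "<vhid>@<interface>",
# $2 = MASTER or BACKUP. Install as /usr/local/etc/rc.syshook.d/carp/20-wireguard
# (the name is a suggestion) and make it executable.

RC_SCRIPT="/usr/local/etc/rc.d/wireguard"   # rc.d script named in the thread
WAN_VHID="${WAN_VHID:-1}"                   # assumed: VHID of the WAN CARP VIP
DRY_RUN="${DRY_RUN:-}"                      # set to 1 to print instead of act

# Translate a CARP state into the rc.d action; fail on any other state
# (e.g. INIT) so the caller does nothing on transitions we don't understand.
wg_action_for_state() {
    case "$1" in
        MASTER) echo start ;;
        BACKUP) echo stop ;;
        *) return 1 ;;
    esac
}

# React to one transition. Only the WAN VHID counts: a LAN-only CARP flap
# must not bounce the tunnel while the WAN address is still ours.
carp_transition() {
    subsystem="$1"
    state="$2"
    vhid="${subsystem%%@*}"
    [ "$vhid" = "$WAN_VHID" ] || return 0
    action=$(wg_action_for_state "$state") || return 0
    # Leave a trace in syslog so a failover that bounced the tunnel is auditable.
    logger -t carp-wireguard "CARP $subsystem -> $state: wireguard $action" 2>/dev/null || :
    if [ -n "$DRY_RUN" ]; then
        echo "$action"
    else
        "$RC_SCRIPT" "$action"
    fi
}

# The syshook passes the subsystem and state as arguments when it runs us.
if [ $# -ge 2 ]; then
    carp_transition "$1" "$2"
fi
```

Run it by hand with `DRY_RUN=1 sh 20-wireguard 1@vtnet0 MASTER` to see which action a transition would trigger before letting CARP drive it.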
mimugmail
Hero Member
Posts: 6756
Karma: 494
Re: How should an HA pair handle WireGuard?
Reply #6 on: September 20, 2019, 05:35:29 am
Just setup site2site with HA, initiate a failover, Stop on unit1 manually, start on unit2 manually and see what happens
ctr
Newbie
Posts: 20
Karma: 0
Re: How should an HA pair handle WireGuard?
Reply #7 on: October 29, 2019, 06:57:42 pm
I'm also looking into this.
My naive approach would have been to run wireguard with identical configuration and then utilize a port forward from the CARP address to localhost.
Would this not work?
mimugmail
Hero Member
Posts: 6756
Karma: 494
Re: How should an HA pair handle WireGuard?
Reply #8 on: October 29, 2019, 08:03:54 pm
WireGuard will send its packets via the main IP, so, no
ctr
Newbie
Posts: 20
Karma: 0
Re: How should an HA pair handle WireGuard?
Reply #9 on: November 02, 2019, 06:47:16 pm
I didn't even need a redirect, I just created an alias IP on the WAN interface and Wireguard is receiving traffic.
However - as indicated - the return traffic comes from the main interface IP rather than the alias, obviously breaking the tunnel.
Is this a WG or BSD bug? Usually I'd expect a host to reply with the very same address it was contacted on. There is no NAT in my scenario, just two IPs on an interface.
mimugmail
Hero Member
Posts: 6756
Karma: 494
Re: How should an HA pair handle WireGuard?
Reply #10 on: November 02, 2019, 08:43:48 pm
This would need a feature request via WireGuard, BSD should handle this fine