
How should an HA pair handle WireGuard?

whit:
Is there a way to tie WireGuard to CARP takeover? Obviously I can't just have it already running on both systems, with the same remote connections. On the DR system, once running it should connect to the remote systems at their IPs even if it's not coming from the expected IP on the OPNsense end; that's a feature of WireGuard. I'm guessing this will take scripting to tie it to CARP, so that it only starts when CARP triggers it. If so, where should that be tied in?

Apologies if this is documented somewhere I haven't found yet. Thanks for any pointers.

Whit

mimugmail:
No, doesn't work, it's a limitation of Wireguard itself (UDP, no IP interface binding)

whit:
What I'm asking then is a way to script for CARP to turn WireGuard off and on in coordination with IP takeover when the master system is down. I know this is doable. (It's simple enough using UCARP on Linux.) I just don't know my way around how OPNsense uses CARP here.

Yes, this goes beyond the pretty menus. But it's where I need to be.

mimugmail:
The problem is you can't set a sending source IP. Packets are not sent via CARP IP.
This is a limitation of Wireguard itself.

whit:
You're not understanding what I'm saying. It's not about IP. It's about integrating a line to start or stop WireGuard into the scripts which run when CARP orchestrates an IP takeover. I don't care about the IPs. I care about whether the system thinks it's the master or the standby. When CARP tells the standby to take over as master, the trick is to have it also start WireGuard, with /usr/local/etc/rc.d/wireguard start. And when it surrenders that, to stop WireGuard similarly.

That there's also IP takeover in this case is coincident, but the state of the virtual IPs is logically independent of this, beyond the coincident use of the same mechanism to trigger both those and WireGuard.

Whit
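An added example of the CARP hook whit describes (example code, not from the thread or the OPNsense project): a shell script that runs the WireGuard rc script with `start` on a MASTER transition and `stop` on BACKUP. It assumes the hook is invoked with the CARP subsystem (VHID@interface) as `$1` and the event type (MASTER/BACKUP/INIT) as `$2`, and uses a hypothetical `CARP_WG_SUBSYSTEM` variable to limit which VHID drives the tunnel; the rc path is the one named in the post.

```sh
#!/bin/sh
# Added example, not code from the thread: a CARP transition hook that starts
# WireGuard when this node becomes MASTER and stops it when it drops to BACKUP.
# Assumed calling convention (not confirmed by the thread): $1 = CARP subsystem,
# e.g. "1@igb0" (VHID@interface), $2 = event type MASTER/BACKUP/INIT.
# /usr/local/etc/rc.d/wireguard is the rc script whit names in the post.

WG_RC="${WG_RC:-/usr/local/etc/rc.d/wireguard}"
# Hypothetical filter: only this VHID@interface drives WireGuard; empty = any.
CARP_WG_SUBSYSTEM="${CARP_WG_SUBSYSTEM:-}"

log_msg() {
    if command -v logger >/dev/null 2>&1; then
        logger -t carp-wireguard "$*" || true
    else
        echo "carp-wireguard: $*" >&2
    fi
}

# Map a CARP event to the rc.d action; prints nothing for events we ignore.
wg_action_for_event() {
    case "$1" in
        MASTER)      echo start ;;
        BACKUP|INIT) echo stop ;;
        *)           echo "" ;;
    esac
}

# Decide and act on one CARP event. Unrelated VIPs (a LAN VHID, say) must not
# flap the tunnel, hence the subsystem filter. rc.d start/stop are idempotent,
# so a repeated MASTER event is harmless.
handle_carp_event() {
    subsystem="$1"
    event="$2"
    if [ -n "$CARP_WG_SUBSYSTEM" ] && [ "$subsystem" != "$CARP_WG_SUBSYSTEM" ]; then
        return 0
    fi
    action=$(wg_action_for_event "$event")
    if [ -z "$action" ]; then
        log_msg "ignoring CARP event '$event' from '$subsystem'"
        return 0
    fi
    log_msg "CARP $event on $subsystem: wireguard $action"
    "$WG_RC" "$action"
}

# Act only when invoked as a hook with both arguments present.
if [ $# -ge 2 ]; then
    handle_carp_event "$1" "$2"
fi
```

Where OPNsense runs CARP transition hooks is release-specific, so install the script under the hook directory documented for your version and keep the subsystem filter set to the WAN VHID so a LAN VIP transition cannot restart the tunnel.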
