Wireguard multiWAN with HA site to site - Wireguard needs to follow CARP

[nzkiwi68]

All that is needed to get it going properly, is have WireGuard (WG) follow the CARP master and STOP on the backup firewall and only start if it is the CARP master.

I don't care that WG doesn't send packets out the carp interface or I can't control which interface IP it uses, because the other end doesn't care either. It make NO difference because WG is stateless. It doesn't matter if the remote firewall sends from a different IP address to what the local firewall sends from. It just make no difference. Nobody cares. That actually makes it quite awesome.

I spent the last few days working on a Wireguard multiWAN with HA site to site setup.

SiteA
2 x firewalls in HA with CARP and WAN1 and WAN2

SiteB
2 x firewalls in HA with CARP and WAN1 and WAN2

FRR already has lots of cool features to follow carp, so it's no problem to get routing only running on the primary firewall.

All that is needed to get multi site, primary/backup HA WireGuard running in an active/passive is to have WG stopped on the backup firewall.

That's it!

I LOVE the stateless nature of WG and how fast it sets up a VPN tunnel compared to IPSEC. It's awesome. But, that does make a nightmare if WG is running on both the primary and backup firewall.
Because of the stateless design of WG it's likely that the local primary and local backup firewall both try to have the same VPN tunnel up to the remote firewall.
Without having WG as active/passive, for a pair of HA firewalls each end site to site you need unique 8 tunnels and the problem  is;
 1. The complexity
 2. You can't HA sync WG nor FRR because it all needs to be different
 3. What about the WG interfaces needed which need to be different on primary/backup firewall?

WireGuard needs an option in the package ;

• Enable CARP Failover
• Follow this (drop down box) CARP VHID (user select which CARP to follow, probably the LAN CARP)

With that simple change, WG becomes instantly ready for multiWAN HA

• the config becomes the same on the primary and the backup firewall
• you can HA sync the FRR and Wireguard config
• 8 VPN tunnels and very complex routing become a far simpler design of 2

Please please please please.

[alfrisch]

Hi, I also want to implement a multiWAN site-to-site setup with wireguard in HA configuration and your suggested solution sounds very interesting and simple to add to OPNsense.

Looking forward to any action on this topic!

[pmhausen]

Seconded, I am in the same situation. As a temporary workaround I do

• major config change on master
• enable sync for WG
• sync config
• disable sync for WG
• disable WG on backup

But that's not pretty.

@nzkiwi68 - have you create an issue on github, already?

[alfrisch]

here is the issue on github https://github.com/opnsense/plugins/issues/2524