Wireguard multiWAN with HA site to site - Wireguard needs to follow CARP

Started by nzkiwi68, September 08, 2021, 12:32:26 AM

All that is needed to get it going properly, is have WireGuard (WG) follow the CARP master and STOP on the backup firewall and only start if it is the CARP master.

I don't care that WG doesn't send packets out the CARP interface or that I can't control which interface IP it uses, because the other end doesn't care either. It makes NO difference because WG is stateless. It doesn't matter if the remote firewall sends from a different IP address to what the local firewall sends from. It just makes no difference. Nobody cares. That actually makes it quite awesome.

I spent the last few days working on a Wireguard multiWAN with HA site to site setup.

SiteA
2 x firewalls in HA with CARP and WAN1 and WAN2

SiteB
2 x firewalls in HA with CARP and WAN1 and WAN2

FRR already has lots of cool features to follow carp, so it's no problem to get routing only running on the primary firewall.

All that is needed to get multi site, primary/backup HA WireGuard running active/passive is to have WG stopped on the backup firewall.

That's it!

I LOVE the stateless nature of WG and how fast it sets up a VPN tunnel compared to IPSEC. It's awesome. But, that does make a nightmare if WG is running on both the primary and backup firewall.
Because of the stateless design of WG it's likely that the local primary and local backup firewall both try to have the same VPN tunnel up to the remote firewall.
Without having WG as active/passive, for a pair of HA firewalls at each end of a site to site you need 8 unique tunnels, and the problem is:
1. The complexity
2. You can't HA sync WG nor FRR because it all needs to be different
3. What about the WG interfaces needed which need to be different on primary/backup firewall?

WireGuard needs an option in the package:

  • Enable CARP Failover
  • Follow this (drop down box) CARP VHID (user select which CARP to follow, probably the LAN CARP)


With that simple change, WG becomes instantly ready for multiWAN HA

  • the config becomes the same on the primary and the backup firewall
  • you can HA sync the FRR and Wireguard config
  • 8 VPN tunnels and very complex routing become a far simpler design of 2

Please please please please.
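Added example (not code from the thread or from the OPNsense project): a CARP event hook that does what the post asks for, start WireGuard only when the chosen CARP VHID becomes MASTER and stop it on BACKUP. It assumes the OPNsense hook convention for scripts in /usr/local/etc/rc.syshook.d/carp/ ($1 = "<vhid>@<interface>", $2 = MASTER/BACKUP/INIT) and assumes the service is driven with "service wireguard start|stop"; FOLLOW_VHID, WG_SERVICE and the interface names are constructed placeholders to adjust for your install.

```shell
#!/bin/sh
# Added example, not from the thread or the OPNsense project.
# CARP hook: WireGuard follows one CARP VHID (MASTER -> start, BACKUP/INIT -> stop).
#
# Assumptions (labelled): OPNsense calls scripts in /usr/local/etc/rc.syshook.d/carp/
# with $1 = "<vhid>@<interface>" and $2 = MASTER | BACKUP | INIT, and the
# WireGuard service is controlled with "service wireguard start|stop".
# FOLLOW_VHID is a constructed value: set it to the VHID of the CARP VIP to
# follow (the LAN CARP, as the post suggests).

FOLLOW_VHID="${FOLLOW_VHID:-1}"
WG_SERVICE="${WG_SERVICE:-wireguard}"
WG_DRY_RUN="${WG_DRY_RUN:-}"   # non-empty: print the service command instead of running it

# wg_action <vhid@iface> <state>
# Prints "start", "stop" or "ignore". Returns 1 on malformed input so a bad
# hook call never touches the service.
wg_action() {
    event="$1"
    state="$2"
    vhid="${event%%@*}"
    # Require a numeric VHID; "" or an interface name without "@" is rejected.
    case "$vhid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    # Events for other VHIDs (a WAN CARP, an extra VIP) must not toggle WireGuard.
    [ "$vhid" = "$FOLLOW_VHID" ] || { echo ignore; return 0; }
    case "$state" in
        MASTER)      echo start ;;
        BACKUP|INIT) echo stop ;;   # INIT: election undecided, stay passive
        *)           return 1 ;;
    esac
}

# run_service <start|stop>: apply the action, or echo it in dry-run mode.
run_service() {
    if [ -n "$WG_DRY_RUN" ]; then
        echo "service $WG_SERVICE $1"
    else
        service "$WG_SERVICE" "$1"
    fi
}

# main: called by the CARP hook with the two event arguments.
main() {
    action="$(wg_action "$1" "$2")" || {
        logger -t wg-carp "ignoring malformed CARP event: '$1' '$2'"
        exit 1
    }
    case "$action" in
        ignore) exit 0 ;;
        start|stop)
            logger -t wg-carp "CARP $1 -> $2: $action $WG_SERVICE"
            run_service "$action"
            ;;
    esac
}

# Only dispatch when invoked as the hook (both arguments present), so the file
# can also be sourced to reuse wg_action.
if [ "$#" -ge 2 ]; then
    main "$1" "$2"
fi
```

Because every CARP VIP fires its own event, the VHID filter is what keeps a WAN1/WAN2 CARP flap from restarting the tunnel; a repeated MASTER event only re-issues "start", which is harmless for an already running service. Run it once with WG_DRY_RUN=1 and a hand-typed event (e.g. `WG_DRY_RUN=1 sh wg-carp.sh 1@vtnet1 MASTER`) to confirm the decision before installing it on both firewalls.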

Hi, I also want to implement a multiWAN site-to-site setup with wireguard in HA configuration and your suggested solution sounds very interesting and simple to add to OPNsense.

Looking forward to any action on this topic!

Seconded, I am in the same situation. As a temporary workaround I do

  • major config change on master
  • enable sync for WG
  • sync config
  • disable sync for WG
  • disable WG on backup
But that's not pretty.

@nzkiwi68 - have you created an issue on GitHub already?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)