
CARP and WireGuard


em.tie:
Dear All,

I have "upgraded" my single OPNsense box to 2 OPNsense boxes. Before upgrading I had WireGuard running as the VPN solution. With my 2 new boxes, which are running in CARP / HA mode, WireGuard does not seem to work, although I have followed the documentation. I have read a bit and found out that in HA mode WireGuard does not work. Is there a way to get WireGuard working even though it does not work with HA?

For clarification I have the following configuration / rules / etc.

WAN Router -> Fritzbox 192.168.1.1
opnsense1 (WAN) -> 192.168.1.10
opnsense2 (WAN) -> 192.168.1.11
opnsense CARP (WAN) -> 192.168.1.20

Internet -> WAN Router (Fritzbox) with port forwarding to opnsense CARP -> opnsense 1 + 2 -> LAN / ...

Firewall Rule on WAN Interface:

Interface - WAN
Direction - in
TCP/IP Version - IPv4
Protocol - UDP
Source - any
destination - WAN Address        ### is this right? should it be the CARP address?
destination port - WireGuard Server Port

Firewall outbound NAT

Interface - WAN
TCP/IP Version - IPv4
Protocol - any
source - WGUA Network        ### this is the created interface for WireGuard according to the documentation
source port - any
destination - any
destination port - any
Translation - CARP IP WAN Interface

WireGuard on opnsense 2 (backup box) -> Disabled

Thanks for any hints!!!

cu em.tie

spali:
As I invested a bit of time in getting DHCP WAN with a single lease working (no CARP on WAN, only on LAN), I can share some thoughts.

You could put a script in /usr/local/etc/rc.syshook.d/carp/ to stop the WireGuard service in BACKUP mode and start it in MASTER mode.

Check out the 20-openvpn script there.
Especially the part:

--- Code: ---// CARP event arguments handed to the hook script by rc.syshook
$subsystem = !empty($argv[1]) ? $argv[1] : '';  // CARP subsystem the event refers to
$type = !empty($argv[2]) ? $argv[2] : '';       // new CARP state
--- End code ---
$type will either contain "MASTER" or "BACKUP".

Not sure, but I think the script does explicitly reconfigure the OpenVPN interface configuration. But in the case of WireGuard, assuming you have a working WireGuard setup, I think just stopping or starting the service should work to prevent connections from the BACKUP, due to the fact that WireGuard is listening on all interfaces by default.

You can also check out my script for ideas, which does in fact disable the WAN interface on BACKUP and enable it when it becomes MASTER:
https://gist.github.com/spali/2da4f23e488219504b2ada12ac59a7dc
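
The hook script suggested above, written out as an added example (not code from the original thread, the gist, or the OPNsense project). It assumes rc.syshook passes the devd CARP event through as `$1` = subsystem in the form `<vhid>@<interface>` and `$2` = type (`MASTER`, `BACKUP` or `INIT`), that the WAN CARP VIP uses VHID 1, and that the WireGuard service is controlled with `service wireguard start|stop`; the filename `30-wireguard`, the `WG_VHID`, `WG_SERVICE` and `DRY_RUN` variables are all hypothetical and should be adjusted to your own setup. Events for other VHIDs are ignored so that a LAN-side CARP flap does not bounce the tunnel.

```sh
#!/bin/sh
# /usr/local/etc/rc.syshook.d/carp/30-wireguard   (hypothetical filename; make it executable)
# Added example: start WireGuard when this node becomes CARP MASTER on the WAN VIP,
# stop it when the node goes BACKUP (or INIT), so only the node holding the VIP answers peers.
#
# Assumptions (adjust for your installation):
WG_VHID="${WG_VHID:-1}"               # VHID of the WAN CARP VIP the tunnel terminates on
WG_SERVICE="${WG_SERVICE:-wireguard}" # rc.d script name of the WireGuard service on this box
DRY_RUN="${DRY_RUN:-0}"               # 1 = print the action instead of calling service(8)

# Log to syslog when logger is available, otherwise to stderr; never fail the hook on logging.
log() {
    logger -t carp-wireguard "$*" 2>/dev/null || echo "carp-wireguard: $*" >&2
}

# Map a CARP state to the service action: start on MASTER, stop on BACKUP/INIT, nothing otherwise.
wg_action_for_type() {
    case "$1" in
        MASTER)      echo start ;;
        BACKUP|INIT) echo stop ;;
        *)           echo "" ;;
    esac
}

# Extract the VHID from "<vhid>@<interface>"; prints nothing when the format is unexpected.
vhid_of() {
    case "$1" in
        *@*) printf '%s\n' "${1%%@*}" ;;
        *)   echo "" ;;
    esac
}

# Decide and apply the action for one CARP event.
# Returns 0 when an action was taken (or, in DRY_RUN, printed), 1 when the event was ignored.
carp_hook() {
    subsystem="$1"
    type="$2"
    vhid="$(vhid_of "$subsystem")"
    if [ "$vhid" != "$WG_VHID" ]; then
        log "ignoring CARP event for vhid '${vhid:-?}' (watching vhid $WG_VHID)"
        return 1
    fi
    action="$(wg_action_for_type "$type")"
    if [ -z "$action" ]; then
        log "ignoring unknown CARP state '$type' on vhid $vhid"
        return 1
    fi
    log "CARP $type on vhid $vhid: $action $WG_SERVICE"
    if [ "$DRY_RUN" = 1 ]; then
        echo "$action"
        return 0
    fi
    service "$WG_SERVICE" "$action"
}

# rc.syshook invokes the script with the event arguments; with none, do nothing (safe to source).
if [ $# -ge 2 ]; then
    carp_hook "$1" "$2"
fi
```

Try it by hand before trusting a failover: `DRY_RUN=1 sh 30-wireguard 1@vtnet0 MASTER` should print `start`, and `... BACKUP` should print `stop`. Since the hook only reacts to the configured VHID, the stop on BACKUP is what actually prevents the standby node from answering peers on the WAN; the outbound NAT and port-forward rules still need to target the CARP address, as described in the original post.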
berndtfromat:
Hi em.tie,

It took a while for me to set up an HA cluster with automatic failover with regard to WireGuard, too...

The FW rule and NAT rule are correct; you should use your WAN CARP IP.
I guess the following is missing from your setup:

Change the WireGuard implementation from go to kmod:
SSH into the shell:
--- Code: ---pkg install wireguard-kmod
--- End code ---
After a reboot it will be used instead of wireguard-go. "The wireguard-go service will show as stopped since the go implementation isn't being used, due to the kernel module, OPNsense will fix this in a later release."

You can sync WireGuard settings via HA, and WireGuard seems to be fine running/enabled on both (!) nodes with the same (!) tunnel address.
When one node goes down, the CARP IP will be switched, and after a few (...) seconds the WireGuard tunnels terminate on the new node.
The prerequisite is really a perfectly running CARP setup; for example, my ISP modem blocks CARP multicasts by default, so in my case my provider had to activate this to get things running.

BR
Berndt

Patrick M. Hausen:
That's fantastic news, thanks for the report. I am going to try this in the next couple of days.

bimbar:
This has been working for me for quite some time. wireguard-kmod handles this much better than wireguard-go.
