Topic: Wireguard connections bound to specific WAN interface (Read 3312 times)
zemsten, on: January 11, 2022, 10:49:19 pm
I'm having a bit of trouble setting up two wireguard client connections, with two different WAN interfaces.
I have WAN1 and WAN2, two independent connections to the internet. WAN2 generally has higher bandwidth and is the preferred connection in my gateway group for WAN_FAILOVER.
I have two wireguard clients configured. WG_WAN1 and WG_WAN2. These connect to two separate endpoints. I want WG_WAN1 to only connect via WAN1 and WG_WAN2 to only connect via WAN2. So far I've achieved this by adding static routes to their endpoint IPs, defining which interface I want to route the traffic on.
Now normally this works great and everything functions as expected. The trouble I run into is when WAN2 goes down for any appreciable time and things failover to WAN1. Initially I see WG_WAN2 go down as expected, but if WAN2 stays down for a while, eventually WG_WAN2 will come back up, routed through WAN1. This is the part that I do not want to happen.
I do have default gateway switching turned on in the firewall, as I want traffic originated from it to handle a single WAN failure (for DNS). Everything else is policy routed through my gateway groups and works great. I believe that a static route should have precedence over discovered routes, but I may be wrong there.
I should also add that I'm running these wireguard clients with their own assigned interfaces, if that wasn't obvious from context.
Am I missing a crucial element in how to bind a WG client to a particular WAN interface in a failover setup?
« Last Edit: January 11, 2022, 10:51:38 pm by zemsten »
mimugmail, Reply #1 on: January 13, 2022, 06:48:50 am
Can you install the kmod pkg? Usually wireguard takes the routing table to send packets and not Pf. Maybe kmod helps here.
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/
zemsten, Reply #2 on: January 13, 2022, 03:20:40 pm
Sorry, I definitely should have mentioned that in my initial post as well. I am using the kmod implementation. That slipped my mind as I've been using it basically the entire time I've been using wireguard.
mimugmail, Reply #3 on: January 13, 2022, 07:17:47 pm
Can you try floating rules: source WAN address, source port wg, gateway WAN, outbound direction. Same for WAN2. I think the validation was removed some time ago.
zemsten, Reply #4 on: January 16, 2022, 07:39:44 pm
This is a novel idea! I just got it set up and it hasn't broken anything, so I'll rock it for a while and see what happens. Thanks much, I appreciate all you do around here!
mimugmail, Reply #5 on: January 16, 2022, 08:04:08 pm
Pew pew
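An added example (not from the thread or the OPNsense project): a shell check that reads FreeBSD `route -n get` output for a WireGuard endpoint and reports when the tunnel would leave via a WAN other than the intended one, the situation zemsten describes. The interface names igb0/igb1, the endpoint address and the sample output are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: verify which interface the routing
# table selects for a WireGuard endpoint, so a tunnel that re-establishes
# over the wrong WAN is reported instead of going unnoticed.

# Constructed sample of `route -n get <endpoint>` output in which the
# WG_WAN2 endpoint resolves via the default route on the other WAN.
# Addresses are documentation ranges; igb0 = WAN1, igb1 = WAN2 (assumed).
sample_route_output() {
cat <<'EOF'
   route to: 203.0.113.20
destination: 0.0.0.0
       mask: 0.0.0.0
    gateway: 198.51.100.1
        fib: 0
  interface: igb0
      flags: <UP,GATEWAY,DONE,STATIC>
EOF
}

# Print the value of the "interface:" field from route output on stdin.
egress_if() {
    awk '$1 == "interface:" { print $2; exit }'
}

# check_binding NAME EXPECTED_IF   (route output on stdin)
# Returns 0 when the endpoint egresses via EXPECTED_IF, 1 when it would
# leave via another interface, 2 when no interface could be determined.
check_binding() {
    name=$1
    expected=$2
    actual=$(egress_if)
    if [ -z "$actual" ]; then
        echo "$name: no route to endpoint"
        return 2
    fi
    if [ "$actual" != "$expected" ]; then
        echo "$name: endpoint routed via $actual, expected $expected"
        return 1
    fi
    echo "$name: ok ($actual)"
}

# Demonstration on the constructed sample. On the firewall itself, feed
# live output instead (endpoint IP is a placeholder):
#   route -n get 203.0.113.20 | check_binding WG_WAN2 igb1
sample_route_output | check_binding WG_WAN2 igb1 || true
```

Run from cron or a monitoring hook, a non-zero exit from `check_binding` is the signal to alert on or to take the tunnel down.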