How to get a second wireguard tunnel working?

[hushcoden]

After crashing my head for several days ;D  I managed to get wireguard working, and now I'd like to add a second tunnel for failover: is there a guide for dummies I can follow?

Tia.

[Maurice]

Depends. Tunnel for Internet access, site-to-site or road warriors?

[hushcoden]

Just Internet access

[Maurice]

If both tunnels use the same local config (private key and tunnel addresses), you just have to add a second endpoint. Only enable one endpoint at any given time.

Otherwise, you'll have to duplicate everything. Local config, endpoint, interface assignment, gateway etc.

Cheers
Maurice

[hushcoden]

I've configured the second endpoint, local, gateway, interface and only I need is to configure wireguard in a way that when the wg1 connection is down, wg2 takes over...

[Maurice]

Enable both wg instances and endpoints, create a gateway group and use this group in your pbr firewall rules.

[hushcoden]

Now, for the life of me I can't understand why the second tunnel gateway is offline although if I go in wireguard -> diagnostics I see there is handshake...  >:(

[hushcoden]

I've found out that in the gateway section, when I change the monitor IP address the tunnel shows offline: if I use 10.2.0.1 the tunnel shows online but anything else like 10.2.0.x takes the tunnel offline - 10.2.0.1 is the DNS IP address provided by ProtonVPN.

Any suggestions?

[Maurice]

Make sure not to use the same monitor IP for both. Ping distinct public addresses instead, like 1.1.1.1 and 1.0.0.1. Using unique gateway IP addresses might be required, too (they're arbitrary anyway). Last, you can remove the /28 from the tunnel addresses to avoid having two interfaces with the same subnet (might not be strictly required though).

[hushcoden]

Great, thanks, it seems the gateway group is working.

I was watching the gateway stats for a few minutes for both tunnels, and noticed they fluctuate a lot, i.e. from online they go to packet loss then back to online: should I be concerned or it's normal? I've set the tunnel MTU for both at 1412, does it matter at all?

Also, do I have to use any rules at all in Firewall -> WireGuard (Group)?

In Firewall -> NAT -> Outbound, I've created just one rule for the interface WireGuard (Group), but I don't know if that's the correct setting or I have to create two separate Outbound rules, one for wg1 and one for wg2 ?

[Maurice]

Packet loss is not normal, no. Did this start after adding the second wg interface? No packet loss before? You could try different monitor IPs.

No, you don't need any firewall rules since this is essentially a WAN interface. Everything outbound is allowed and anything inbound is blocked by default.

[hushcoden]

For the monitor IPs, I'm using Proton servers IP addresses (I believe it makes no difference from the Cloudflare or Google ones).

Another thing I noticed in the log is that pings from those servers towards the two locals are blocked, can this be an issue?

[Maurice]

Are 146.70.83.66 / 146.70.96.66 your monitor IPs? But these are also the endpoint IPs, right? That won't work.

[hushcoden]

Ah okay, I can use Cloudflare or Quad 9 then, but exactly what won't work? Thanks

And I noticed that with one tunnel the connection is pretty stable but with two tunnels the devices lose Internet time by time  :-\

[Maurice]

The monitor IP must be routed through the tunnel, the endpoint IP mustn't. The tunnel can't be routed through itself.