Topic: Wireguard over 2 WAN connections for failover (Read 1843 times)
mimizone (Newbie, Posts: 23, Karma: 1)
Wireguard over 2 WAN connections for failover
« on: January 31, 2024, 07:59:22 pm »
Hello,
I am looking into replacing our IPSec VPN to Google Cloud with Wireguard. The reason is that we are running into reliability issues with our primary ISP. I want a failover solution for a specific workload that spans on-premise and the cloud. We have a 4G connection that doesn't provide static IPs, so IPSec can't be used (AFAIK).
The use case is the following:
- use 2 WAN connections, one over Fiber (primary) and one on 4G/LTE (secondary)
- 2 Wireguard tunnels one on each connection
- Wireguard server in a VM in GCP
- prefer to use static routing, but ok with using BGP if required
I know it's feasible.
I am looking for opinions and ideas on what can be the different approaches for:
- handling the failover on the on-premise side in OPNsense
- handling the failover on the GCP side.
On OPNsense, I would use a gateway group including the 2 Wireguard gateways.
On the GCP side, I looked into using Linux with Wireguard. I am not completely clear yet on how to configure the failover though (at layer 2 or 3, BGP or not?). It seems it would have to be done with BGP because the bonding of the Wireguard interfaces would not consider the daughter interface down when the connection is down. I haven't tested this yet, not sure...
I am considering using OPNsense also in GCP to handle the failover the same way as on-premise with a gateway group. Or do I have to use BGP to update the routes too there? Any experience using OPNsense in a VM on GCP?
Thanks for any input.
Maurice (Hero Member, Posts: 1213, Karma: 158)
Re: Wireguard over 2 WAN connections for failover
« Reply #1 on: January 31, 2024, 11:15:57 pm »
You don't really need 2 Wireguard tunnels. The tunnel itself can fail over to the secondary WAN when the primary WAN goes down. I use such a setup with one endpoint at home and one in a datacenter (both OPNsense), works fine. On the dual-WAN OPNsense, you have to configure gateway monitoring on the WAN interfaces themselves and enable default gateway switching.
Cheers
Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository
Commercial support & engineering available. PM for details (en / de).
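
A check that fits both posts above, added here and not part of the thread: a WireGuard interface does not go down when its path dies, so tunnel liveness has to be read from handshake age, for example to confirm that the tunnel recovered after a WAN switch. The function names, the placeholder keys and the 180-second threshold are assumptions; the input format is that of `wg show <interface> latest-handshakes`.

```shell
#!/bin/sh
# Added example (not from the thread). Reading only latest-handshakes keeps
# key material out of the monitoring path (`wg show <iface> dump` would
# include the interface private key).

# classify_peers NOW MAX_AGE
#   stdin : "<public-key><TAB><unix-time>" per peer, 0 = never handshaked
#   stdout: "<public-key> <alive|stale|never> <age-in-seconds or ->"
classify_peers() {
    awk -v now="$1" -v max="$2" '
        NF != 2 || $2 !~ /^[0-9]+$/ { next }   # skip malformed lines
        $2 == 0 { print $1, "never", "-"; next }
        { age = now - $2
          print $1, (age > max ? "stale" : "alive"), age }'
}

# tunnel_ok NOW MAX_AGE
#   exit status 0 only if every peer on stdin has a fresh handshake
tunnel_ok() {
    ! classify_peers "$1" "$2" | grep -Eq ' (stale|never) '
}

# Constructed sample input (placeholder keys, not real peers),
# written for an assumed "now" of 1706745600.
sample() {
    printf 'PEER_FIBER_PLACEHOLDER_KEY=\t1706745540\n'   # 60 s ago
    printf 'PEER_LTE_PLACEHOLDER_KEY=\t1706744700\n'     # 900 s ago
    printf 'PEER_UNUSED_PLACEHOLDER_KEY=\t0\n'           # never
}

# Live use, assuming the interface is named wg0. 180 s is an assumed
# threshold: with keepalives enabled a healthy session renews its
# handshake roughly every two minutes.
#   wg show wg0 latest-handshakes | tunnel_ok "$(date +%s)" 180 \
#       || echo "wg0: no recent handshake"
```

Handshakes only stay fresh while traffic flows, so the threshold is meaningful only for peers with `PersistentKeepalive` set or with steady traffic.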