Wireguard - Multiple Peers -> One Instance: What happens?

Started by mattlach, March 04, 2024, 10:01:53 PM

So today Amazon decided to be flaky with the VPN server I was using, so I decided to go in and add another peer to change the server.

While doing this I noticed that I can set up one WireGuard instance to link up to multiple peers. I had previously thought they had to be 1:1.



So I guess my question is, what happens when I do this?

My gut instinct is to "test it and see what happens", but right now I keep getting the same peer showing up when I look at my exit point IP address, so I am not entirely sure what it is doing on the back end, if anything at all.


Does it load balance between them? Some sort of round robin arrangement? Or just pick one per boot and stick with it?


Appreciate any thoughts.
OPNSense running as a VM in KVM under Proxmox:
- Rocket Lake Xeon E2314 in a Supermicro X12STL-F.  
- IOMMU forwarded i210 Ethernet for WAN and x520 for LAN.
- Pi-hole running as separate LXC Container on same server. 
- Lots of VLAN's and tricky firewall rules.

No, this is your local instance in OPN. Those peers are those allowed to connect to it, i.e. your mobile, your laptop, etc. Or user 1, user 2, etc.

No, but the peer tab is where you configure the remote WireGuard server you are accessing.

The "instance" appears to be the local portion of it all.


Instance
- Basically a specific WG GW, you can attach multiple peers (hosts to it)
- You can create multiple instances WG GW, and create for them different rules etc.
- Each instance has its own subnet

Peer
- Basically an endpoint; this is where you configure the host you want to allow to connect to the specific WG. A peer needs to have an IP from the subnet of the WG instance.

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD

Quote from: Seimus on March 05, 2024, 10:50:03 AM
Instance
- Basically a specific WG GW, you can attach multiple peers (hosts to it)
- You can create multiple instances WG GW, and create for them different rules etc.
- Each instance has its own subnet

Peer
- Basically an endpoint; this is where you configure the host you want to allow to connect to the specific WG. A peer needs to have an IP from the subnet of the WG instance.

Regards,
S.

Yep, so how does an instance behave when you point it towards multiple peers as in my screenshot above?

I wonder if it is a way to get it to load share or round robin connections to the multiple peers.

In my test, I just added four of them, and my connections seemed to be going out to only the last of the four, for some clients, while others seemed to get no outward connectivity at all.


So I think I might have broken it :p

I disabled three of them and went back to a single peer, and everything is working normally again.

I guess the proper way to load balance over multiple peers would be to create a separate instance, interface and gateway for each of them and then load balance them as if they were traditional external gateways?


I was just experimenting and hoping this might be a shortcut :p


What you describe would be my expectation.

By nature I don't think WG is doing any load balancing at all. If I were to do a multi-tunnel site-to-site, I would try to achieve load balancing using routing or VXLAN.

Never tried this, as for now I don't have the requirement for it.

Regards,
S.

Peers cannot have overlapping allowed IPs - so if everything is configured correctly it will bring up all peers and route the matching networks to each.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
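To make the point in the reply above concrete, here is an added Python model (not code from the thread, from WireGuard or from OPNsense) of WireGuard's cryptokey routing: each AllowedIPs prefix belongs to exactly one peer on an instance, a prefix listed again under a later peer is taken away from the earlier one, and outgoing packets go to the peer with the longest matching prefix. The sample configs and the PLACEHOLDER_KEY_* values are constructed.

```python
import ipaddress

# Constructed sample (PLACEHOLDER keys, not real): one instance, three disjoint peers.
GOOD_CONF = """
[Peer]
PublicKey = PLACEHOLDER_KEY_A
AllowedIPs = 10.64.0.0/10
[Peer]
PublicKey = PLACEHOLDER_KEY_B
AllowedIPs = 192.168.50.0/24, 192.168.51.0/24
[Peer]
PublicKey = PLACEHOLDER_KEY_C
AllowedIPs = 0.0.0.0/0
"""

# The thread's experiment: four full-tunnel peers that all claim 0.0.0.0/0.
BAD_CONF = "".join(
    f"[Peer]\nPublicKey = PLACEHOLDER_KEY_{n}\nAllowedIPs = 0.0.0.0/0\n"
    for n in "ABCD")

def parse_peers(conf):
    """Return [[public_key, [networks]], ...] in configuration order."""
    peers = []
    for raw in conf.splitlines():
        line = raw.strip()
        if line == "[Peer]":
            peers.append([None, []])
        elif line.startswith("PublicKey"):
            peers[-1][0] = line.split("=", 1)[1].strip()
        elif line.startswith("AllowedIPs"):
            nets = line.split("=", 1)[1].split(",")
            peers[-1][1] += [ipaddress.ip_network(n.strip()) for n in nets]
    return peers

def cryptokey_table(conf):
    """Cryptokey routing table: a prefix belongs to exactly one peer, and a later
    peer listing it takes it over. Returns (table, prefixes claimed twice)."""
    table, owners = {}, {}
    for key, nets in parse_peers(conf):
        for net in nets:
            table[net] = key
            owners.setdefault(net, []).append(key)
    return table, {n: k for n, k in owners.items() if len(k) > 1}

def select_peer(table, dst):
    """Pick the peer for a destination by longest-prefix match, or None."""
    addr = ipaddress.ip_address(dst)
    hits = [net for net in table if addr in net]
    return table[max(hits, key=lambda n: n.prefixlen)] if hits else None
```

With all four peers claiming 0.0.0.0/0, only the last configured peer ends up owning the default route, which is consistent with the behaviour reported earlier in the thread; the returned conflict list is the check to run before adding a second full-tunnel peer to the same instance.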

Ahh, that makes sense.

Thank you.

--Matt