HA capable WireGuard - how is that supposed to work?

Started by Patrick M. Hausen, August 13, 2024, 07:24:37 PM

August 13, 2024, 07:24:37 PM Last Edit: August 13, 2024, 07:40:48 PM by Patrick M. Hausen
Hi all,

I have a long-established WG setup with a central data centre (hub) and two offices (spokes). Usual topology.
The central data centre uses an HA pair.

Since WG did not truly support a clustered setup I configured the connections as follows:

- the hub does not have the spoke's IP addresses configured in the peer settings, so it can never initiate the connection
- the inbound firewall rule on the hub permits WG packets (51820/UDP) to the CARP HA address only
- so the spokes "dial in", hit the active node, the passive one has no idea whom it should contact, and everyone is happy

Now I wanted to change the setup to use the new "Depend on (CARP)" setting in the "Instances" section. Unfortunately, the moment I set this to "WAN HA on wan (vhid 1)", which is the CARP address in use, the WG connections drop and cannot be re-established. Not by restarting the service on both spokes, not by rebooting; it simply doesn't work.

The active node of the HA pair does have the CARP address as master as shown by the CARP status, yet the WG logfile says:

"Wireguard configure event instance KAGate (wg0) vhid: 1 carp: DISABLED interface: down"

Hints welcome.

Kind regards,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
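The "dial-in only" arrangement from the first post, written out as an added illustration in wg-quick style (this is not Patrick's actual configuration; OPNsense generates these settings from the GUI). Addresses are constructed from RFC 5737/1918 ranges, key values are placeholders, and the interface name is assumed:

```ini
# Added example, not the original poster's config. Addresses are constructed
# (RFC 5737 / RFC 1918) and all key values are placeholders.

# --- hub: identical on BOTH HA nodes (wg0.conf) ---
[Interface]
PrivateKey = <hub-private-key-placeholder>   # same key on both nodes, so the spoke's peer entry stays valid after failover
Address = 10.200.0.1/24
ListenPort = 51820

# Spoke peer: deliberately NO Endpoint line, so the hub can never initiate
# and the passive CARP node has nothing to dial.
[Peer]
PublicKey = <spoke-a-public-key-placeholder>
AllowedIPs = 10.200.0.2/32, 192.168.10.0/24   # spoke A tunnel IP and office LAN

# --- spoke A (wg0.conf) ---
[Interface]
PrivateKey = <spoke-a-private-key-placeholder>
Address = 10.200.0.2/24

[Peer]
PublicKey = <hub-public-key-placeholder>
Endpoint = 203.0.113.10:51820                 # the CARP VIP, never a node's own WAN address
AllowedIPs = 10.200.0.0/24, 192.168.1.0/24    # hub tunnel net and data-centre LAN
PersistentKeepalive = 25                      # spoke keeps re-dialing, so it lands on whichever node is MASTER

# --- hub firewall, pf syntax (constructed; set in the GUI on OPNsense) ---
# Accept WG only on the CARP VIP, so the BACKUP node never answers 51820/UDP.
# pass in on <wan-if> proto udp from any to 203.0.113.10 port 51820
```

The "Depend on (CARP)" instance setting adds node-side failover on top of this pattern; as the thread found, OPNsense's failover scripts need the VHID to be unique across the whole firewall, not just within its broadcast domain.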

Case closed (see Github link above) - while CARP certainly permits duplicate VHIDs in different broadcast domains, the OPNsense scripts responsible for service failover rely on them to be globally unique. Works as expected.

@AdSchellevis thanks a lot!