WireGuard HA Sync
-
Is there a reason that WireGuard is not synchronized to HA peers? I am switching over to WireGuard due to the issues with IPsec in 21.02, and would like to sync them between my HA units. For now, I am just going to back up the WireGuard section from the primary unit, restore that specific section on the backup device, and manually add the wgX interfaces; then the rules should replicate properly.
Is there some caveat that I missed in the documentation that may cause problems? I have all WG peers set to dynamic so that the HA unit does not initiate. I also have the filter rules on the HA units set to only accept connections to the WireGuard ports on the CARP VIPs.
Thanks,
- Marc
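A consistency check for the manual sync procedure described in the post above, added here as an example and not code from the thread, from OPNsense or from the WireGuard project. It parses two exported WireGuard INI configs (one per node, constructed inline), confirms that interface key, listen port and peer set match, flags any peer carrying an Endpoint or PersistentKeepalive (which makes the node initiate from its own address rather than the CARP VIP), and prints a pf fragment that accepts handshakes on the VIP only. The CARP VIP 203.0.113.10, the interface name "wan", and all keys and addresses in the sample configs are assumed placeholders.

```python
"""Audit a primary/backup pair of WireGuard INI configs for CARP-style HA.

Added example for this thread; not OPNsense or WireGuard project code.
Assumptions: configs are wg-quick / `wg showconf` style INI exported from
each node, remote peers are told to reach only the CARP VIP below, and the
WAN interface is named "wan". All keys/addresses are constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CARP_VIP = "203.0.113.10"  # assumed CARP VIP shared by both HA nodes

# Constructed sample: primary carries a site-to-site peer with a static
# Endpoint; the backup was restored by hand and is missing that peer.
PRIMARY_CONF = """
[Interface]
PrivateKey = PRIMARY_AND_BACKUP_MUST_SHARE_THIS_KEY=
ListenPort = 51820

[Peer]
PublicKey = RW1pubkey000000000000000000000000000000000=
AllowedIPs = 10.10.0.2/32

[Peer]
PublicKey = SiteBpubkey0000000000000000000000000000000=
AllowedIPs = 10.20.0.0/24
Endpoint = 198.51.100.7:51820
PersistentKeepalive = 25
"""

BACKUP_CONF = """
[Interface]
PrivateKey = PRIMARY_AND_BACKUP_MUST_SHARE_THIS_KEY=
ListenPort = 51820

[Peer]
PublicKey = RW1pubkey000000000000000000000000000000000=
AllowedIPs = 10.10.0.2/32
"""


@dataclass
class WgConfig:
    private_key: str = ""
    listen_port: Optional[int] = None
    peers: Dict[str, Dict[str, str]] = field(default_factory=dict)  # pubkey -> options


def parse_wg_ini(text: str) -> WgConfig:
    """WireGuard INI repeats [Peer] sections, which configparser rejects,
    so the lines are walked by hand; keys are lower-cased, comments stripped."""
    cfg = WgConfig()
    section: Optional[str] = None
    peer: Dict[str, str] = {}

    def flush_peer() -> None:
        if peer:
            cfg.peers[peer.get("publickey", "<missing PublicKey>")] = dict(peer)
            peer.clear()

    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            flush_peer()
            section = line[1:-1].strip().lower()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if section == "interface":
            if key == "privatekey":
                cfg.private_key = value
            elif key == "listenport":
                cfg.listen_port = int(value)
        elif section == "peer":
            peer[key] = value
    flush_peer()
    return cfg


def audit_ha_pair(primary: WgConfig, backup: WgConfig, carp_vip: str) -> List[str]:
    """Return findings; an empty list means both nodes match and no peer
    would be initiated from a node's own (non-VIP) address."""
    findings: List[str] = []
    if primary.private_key != backup.private_key:
        findings.append("interface PrivateKey differs: remote peers would accept only one node")
    if primary.listen_port != backup.listen_port:
        findings.append(f"ListenPort differs: {primary.listen_port} vs {backup.listen_port}")
    for pub in sorted(set(primary.peers) - set(backup.peers)):
        findings.append(f"peer {pub[:8]}... present on primary only")
    for pub in sorted(set(backup.peers) - set(primary.peers)):
        findings.append(f"peer {pub[:8]}... present on backup only")
    for pub in sorted(set(primary.peers) & set(backup.peers)):
        if primary.peers[pub].get("allowedips") != backup.peers[pub].get("allowedips"):
            findings.append(f"peer {pub[:8]}... AllowedIPs differ between nodes")
    # A static Endpoint or PersistentKeepalive makes the node initiate, and that
    # traffic leaves from the node address, not the CARP VIP.
    for name, cfg in (("primary", primary), ("backup", backup)):
        for pub, opts in sorted(cfg.peers.items()):
            if "endpoint" in opts or "persistentkeepalive" in opts:
                findings.append(f"{name}: peer {pub[:8]}... has Endpoint/PersistentKeepalive "
                                f"and will initiate from the node address, not {carp_vip}")
    return findings


def pf_rules(carp_vip: str, listen_port: int, wan_if: str = "wan") -> str:
    """pf fragment: drop handshakes aimed at the node's own WAN address,
    accept them only on the CARP VIP."""
    return (f"block in quick on {wan_if} proto udp from any to ({wan_if}) port {listen_port}\n"
            f"pass in quick on {wan_if} proto udp from any to {carp_vip} port {listen_port}")


if __name__ == "__main__":
    p, b = parse_wg_ini(PRIMARY_CONF), parse_wg_ini(BACKUP_CONF)
    for f in audit_ha_pair(p, b, CARP_VIP) or ["no findings"]:
        print(f)
    print(pf_rules(CARP_VIP, p.listen_port or 51820))
```

Run it with the real exports from both nodes in place of the sample strings; an empty findings list plus the pf fragment applied on both units is the state the first post is aiming for.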
-
@mmapplebeck As WireGuard does not "listen" on an interface or a specific IP, it's a bit tricky/hard to make it compliant with CARP: besides forcing it to accept incoming connections only via the CARP IP, you don't have a way to force outgoing connections (WG is server/clientless after all and can be both) via the CARP IP, and you will end up with a peer being connected to the host itself rather than the CARP IP. So a failover will likely result in a broken connection that has to be re-established.
As far as I understand the current situation, it is recommended to just create two separate tunnels to the remote peer and use a mechanism like OSPF to switch the active node, instead of trying to force "CARP'ish" failover behavior onto WireGuard, which doesn't really understand it.
-