Hi Michael,

You can do a lot with a single wg0 interface, and it makes the routing and firewall forwarding easier to keep track of.

> Here is my scenario. I have primary and backup Wireguard VPN Peers that
> multiple Astlinux boxes will be connecting to.

I'm not sure what you are describing, some sort of network diagram would help.

Possibly describing my personal edge AstLinux box might help ...

Primary WAN - Cable modem
Failover WAN - 4G/LTE (Netgear LB1121)

WireGuard VPN:
* Mobile Client - Multiple iOS clients
* Peer Config:
  - voip1: remote AstLinux box 10.4.1.11
  - linode: failover AstLinux in the cloud

--
## WireGuard VPN Peers ##

[Peer]
## voip1
PublicKey = BG...
Endpoint = voip1.example.tld:51820
AllowedIPs = 10.4.1.11/32
PersistentKeepalive = 25

[Peer]
## linode
PublicKey = Om...
Endpoint = 96.x.x.x:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
--

-- /mnt/kd/wan-failover.script --
#!/bin/sh
##
## wan-failover action script
##
## Automatically called after any WAN link change
##

state="$1"
primary_if="$2"
primary_gw="$3"
secondary_if="$4"
secondary_gw="$5"
secondary_gw_ipv6="$6"

linode_ip="96.x.x.x"

. /etc/rc.conf

wg_failover()
{
  local state="$1" endpoint_ip ip_file

  ip_file="/tmp/wan_wg_failover"

  case $state in
    SECONDARY)
      ## Look up the current endpoint of the voip1 peer (by its public key)
      ## and pin a host route to it over the secondary WAN interface
      endpoint_ip="$(wg show wg0 endpoints | \
        awk '$1 == "BG..." { split($2, field, ":"); print field[1]; nextfile; }')"
      if [ -n "$endpoint_ip" ]; then
        echo "$endpoint_ip" > "$ip_file"
        ip route add "$endpoint_ip" dev $EXT2IF
        fping -q -t 1000 10.4.1.11
      else
        rm -f "$ip_file"
      fi
      ;;
    PRIMARY)
      ## Remove the host route that was added during failover
      if [ -f "$ip_file" ]; then
        endpoint_ip="$(cat "$ip_file")"
        rm "$ip_file"
        ip route del "$endpoint_ip" dev $EXT2IF
        fping -q -t 1000 10.4.1.11
      fi
      ;;
  esac
}

case $state in
  SECONDARY)
    ## Switched to Failover using secondary WAN link
    ip route add "$linode_ip" dev $EXT2IF
    fping -q -t 1000 "$secondary_gw"
    asterisk -rx "sip reload" >/dev/null
    wg_failover $state
    ;;
  PRIMARY)
    ## Switched back to normal using primary WAN link
    ip route del "$linode_ip" dev $EXT2IF
    fping -q -t 1000 "$secondary_gw"
    asterisk -rx "sip reload" >/dev/null
    wg_failover $state
    ;;
esac

exit 0
--

Studying the wan-failover.script, you can see how the peers are routed over EXT2IF during failover. I could do the same for any active "Mobile Clients" but have never needed that feature yet.

In summary, Wireguard over IPv4-only establishes a dual stack IPv4/IPv6 private network 10.4.1.0/24 and IPv6 ULA/48 only using a single wg0 interface. Constantly connected is the remote AstLinux box and the failover Linode AstLinux in the cloud. The "Mobile Clients" are remotely initiated using dynamic endpoints.

Michael, while my personal setup is probably not exactly what you want at a customer's site, I expect there are some common features.

Lonnie

> On Jan 1, 2019, at 12:53 AM, David Kerr <da...@kerr.net> wrote:
>
> Michael,
> A single wg interface can have multiple IP addresses. They can be
> different subnets too. You will have to manually edit the config files.
>
> David.
>
> On Tue, Jan 1, 2019 at 6:37 AM Michael Knill
> <michael.kn...@ipcsolutions.com.au> wrote:
> > Hi group
> >
> > Here is my scenario. I have primary and backup Wireguard VPN Peers that
> > multiple Astlinux boxes will be connecting to.
> >
> > I assume that I will need different wgx interfaces for this as I can't have
> > the same IP Address.
> >
> > If so, just wondering how to set this up in Astlinux?
> >
> > Regards
> > Michael Knill

_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users

Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.
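The failover script above pins one peer's endpoint by matching its public key in the output of "wg show wg0 endpoints" and splitting on ":". The following is an added example, not code from Lonnie's post or from AstLinux, that generalizes that lookup: it handles the "(none)" value wg prints for a peer that has never connected, strips the port from a bracketed IPv6 endpoint as well as an IPv4 one, and lists every peer with a live endpoint so the same host-route treatment could be applied to the dynamically connected "Mobile Clients". The sample wg output, the public keys, the addresses and the EXT2IF default are all constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post or AstLinux): parse the output
# of "wg show wg0 endpoints", which prints one "<pubkey> <host>:<port>" line
# per peer, or "(none)" for a peer that currently has no endpoint.

# Constructed sample of "wg show wg0 endpoints" output. Keys and addresses
# are placeholders (documentation ranges), not real peers.
SAMPLE_ENDPOINTS='BGplaceholderkey1=   203.0.113.10:51820
OmplaceholderKey2=   198.51.100.7:51820
MobileClientKey3=    [2001:db8::1234]:40211
MobileClientKey4=    (none)'

# endpoint_host <pubkey>: read wg output on stdin and print the endpoint
# address (no port) of that one peer; print nothing if it has no endpoint.
endpoint_host() {
  awk -v key="$1" '
    $1 == key && $2 != "(none)" {
      host = $2
      sub(/:[0-9]+$/, "", host)        # strip the trailing ":port"
      if (host ~ /^\[.*\]$/) {         # bracketed IPv6 endpoint
        host = substr(host, 2, length(host) - 2)
      }
      print host
      exit
    }'
}

# active_endpoints: read wg output on stdin and print "<pubkey> <host>" for
# every peer that has an endpoint, skipping "(none)" entries.
active_endpoints() {
  awk '
    $2 != "(none)" {
      host = $2
      sub(/:[0-9]+$/, "", host)
      if (host ~ /^\[.*\]$/) host = substr(host, 2, length(host) - 2)
      print $1, host
    }'
}

# Wrappers that run the parsers over the constructed sample.
endpoint_host_sample() {
  printf '%s\n' "$SAMPLE_ENDPOINTS" | endpoint_host "$1"
}

active_endpoint_count_sample() {
  printf '%s\n' "$SAMPLE_ENDPOINTS" | active_endpoints | wc -l | tr -d ' '
}

# Dry run: print the host routes a failover script would add over the
# secondary WAN interface, one per active peer. EXT2IF is normally set by
# /etc/rc.conf on AstLinux; "eth2" here is an assumed default for the demo.
EXT2IF="${EXT2IF:-eth2}"
printf '%s\n' "$SAMPLE_ENDPOINTS" | active_endpoints | while read -r key host; do
  echo "ip route add $host dev $EXT2IF   # peer $key"
done
```

Because the parsers read wg's output from stdin, the same functions work unchanged on a live box with `wg show wg0 endpoints | active_endpoints`; only the route commands need to be run for real, and the added routes should be recorded (as the original script does with its state file) so the PRIMARY branch can remove exactly what SECONDARY added.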