Hi Michael,

You can do a lot with a single wg0 interface, and it makes the routing and 
firewall forwarding easier to keep track of.


> Here is my scenario. I have primary and backup Wireguard VPN Peers that 
> multiple Astlinux boxes will be connecting to.

I'm not sure what you are describing; some sort of network diagram would help.


Possibly describing my personal edge AstLinux box might help ...

Primary WAN - Cable modem
Failover WAN - 4G/LTE (Netgear LB1121)

WireGuard VPN:

* Mobile Client - Multiple iOS clients

* Peer Config:
  - voip1: remote AstLinux box 10.4.1.11
  - linode: failover AstLinux in the cloud
--
## WireGuard VPN Peers
##
[Peer]
## voip1
PublicKey = BG...
Endpoint = voip1.example.tld:51820
AllowedIPs = 10.4.1.11/32
PersistentKeepalive = 25

[Peer]
## linode
PublicKey = Om...
Endpoint = 96.x.x.x:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
--

-- /mnt/kd/wan-failover.script --
#!/bin/sh

##
## wan-failover action script
##
## Automatically called after any WAN link change
##
## Arguments passed in by wan-failover:
##   $1 state (PRIMARY|SECONDARY)
##   $2/$3 primary interface and gateway
##   $4/$5 secondary interface and gateway
##   $6 secondary IPv6 gateway
##
state="$1"
primary_if="$2"
primary_gw="$3"
secondary_if="$4"
secondary_gw="$5"
secondary_gw_ipv6="$6"

## Static endpoint of the "linode" peer; it gets an explicit host route
## over the failover WAN while in SECONDARY state
linode_ip="96.x.x.x"

## Provides EXT2IF (the failover WAN interface), among others
. /etc/rc.conf

wg_failover()
{
  local state="$1" endpoint_ip ip_file

  ## Remembers which endpoint was routed over EXT2IF, so PRIMARY removes
  ## exactly that route even if the peer's endpoint has changed since
  ip_file="/tmp/wan_wg_failover"

  case "$state" in

  SECONDARY)
    ## Current endpoint of the "voip1" peer, looked up by its public key.
    ## `wg show wg0 endpoints` prints "<pubkey> <host>:<port>" per peer;
    ## strip the port (IPv4 endpoints only, as used here).
    endpoint_ip="$(wg show wg0 endpoints | \
      awk '$1 == "BG..." { split($2, field, ":"); print field[1]; exit; }')"
    if [ -n "$endpoint_ip" ]; then
      echo "$endpoint_ip" > "$ip_file"
      ip route add "$endpoint_ip" dev "$EXT2IF"
      ## Ping the peer's tunnel address so WireGuard sends over the new route right away
      fping -q -t 1000 10.4.1.11
    else
      rm -f "$ip_file"
    fi
    ;;

  PRIMARY)
    if [ -f "$ip_file" ]; then
      endpoint_ip="$(cat "$ip_file")"
      rm -f "$ip_file"
      ip route del "$endpoint_ip" dev "$EXT2IF"
      fping -q -t 1000 10.4.1.11
    fi
    ;;

  esac
}

case "$state" in

SECONDARY)
  ## Switched to Failover using secondary WAN link
  ip route add "$linode_ip" dev "$EXT2IF"
  ## Probe the secondary gateway (populates its ARP entry; result is not checked)
  fping -q -t 1000 "$secondary_gw"

  ## Re-register SIP over the new WAN address, then move the WireGuard peer
  asterisk -rx "sip reload" >/dev/null
  wg_failover "$state"
  ;;

PRIMARY)
  ## Switched back to normal using primary WAN link
  ip route del "$linode_ip" dev "$EXT2IF"
  fping -q -t 1000 "$secondary_gw"

  asterisk -rx "sip reload" >/dev/null
  wg_failover "$state"
  ;;

esac

exit 0
--

Studying the wan-failover.script, you can see how the peers are routed over 
EXT2IF during failover. I could do the same for any active "Mobile Clients" but 
have never needed that feature yet.

In summary, WireGuard over IPv4-only establishes a dual-stack IPv4/IPv6 private 
network (10.4.1.0/24 and an IPv6 ULA /48) using only a single wg0 interface.

Constantly connected is the remote AstLinux box and the failover Linode 
AstLinux in the cloud. The "Mobile Clients" are remotely initiated using 
dynamic endpoints.

Michael, while my personal setup is probably not exactly what you want at a 
customer's site, I expect there are some common features.


Lonnie



> On Jan 1, 2019, at 12:53 AM, David Kerr <da...@kerr.net> wrote:
> 
> Michael,
>   A single wg interface can have multiple IP addresses.  They can be 
> different subnets too. You will have to manually edit the config files. 
> 
> David. 
> 
> On Tue, Jan 1, 2019 at 6:37 AM Michael Knill 
> <michael.kn...@ipcsolutions.com.au> wrote:
> Hi group
> 
> Here is my scenario. I have primary and backup Wireguard VPN Peers that 
> multiple Astlinux boxes will be connecting to.
> 
> I assume that I will need different wgx interfaces for this as I can't have 
> the same IP Address.
> 
> If so, just wondering how to set this up in Astlinux?
> 
> Regards
> 
> Michael Knill



_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users

Donations to support AstLinux are graciously accepted via PayPal to 
pay...@krisk.org.
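As an added example (not from Lonnie's post or the AstLinux project), the endpoint lookup in wan-failover.script generalized to every peer on the interface instead of one hard-coded public key. It reads `wg show wg0 endpoints` output (a constructed sample is embedded so it runs offline), handles the `[addr]:port` form of an IPv6 endpoint and peers that show `(none)`, and records the routed hosts so the PRIMARY transition removes exactly what SECONDARY added. The interface name eth1, the public keys, the addresses and the state-file path are placeholders; the commands are printed rather than executed.

```shell
#!/bin/sh
# Added example, not part of the original post or AstLinux. Generalizes the
# wg_failover() endpoint lookup to all peers on a WireGuard interface.

# Constructed sample of `wg show wg0 endpoints` output (tab-separated):
# the public keys and addresses are placeholders.
sample_endpoints() {
  printf '%s\t%s\n' \
    'BGpubkeyvoip1=' '203.0.113.10:51820' \
    'OmpubkeylinodeA=' '[2001:db8::1]:51820' \
    'MobilePubkeyXYZ=' '(none)'
}

# Read endpoints text on stdin and print "<pubkey> <host>" for each peer that
# has an endpoint. Handles "a.b.c.d:port" and "[v6addr]:port"; skips "(none)"
# (a peer that has never completed a handshake).
wg_endpoint_hosts() {
  awk '
    $2 == "(none)" { next }
    {
      host = $2
      if (host ~ /^\[/) {                 # IPv6 form: [2001:db8::1]:51820
        sub(/^\[/, "", host)
        sub(/\]:[0-9]+$/, "", host)
      } else {                            # IPv4 form: 203.0.113.10:51820
        sub(/:[0-9]+$/, "", host)
      }
      print $1, host
    }'
}

# Print the `ip route` commands for a WAN state change (dry run: pipe to sh
# to apply).
#   SECONDARY: reads endpoints on stdin, records the hosts in $3, emits "add"
#   PRIMARY:   reads the hosts recorded in $3, emits "del", then removes $3
# Recording the hosts means PRIMARY removes exactly the routes SECONDARY added,
# even if a peer has roamed to a new endpoint in between.
wg_failover_routes() {
  wf_state="$1" wf_ext2if="$2" wf_state_file="$3"
  case "$wf_state" in
    SECONDARY)
      wg_endpoint_hosts > "$wf_state_file"
      while read -r _pubkey wf_host; do
        echo "ip route add $wf_host dev $wf_ext2if"
      done < "$wf_state_file"
      ;;
    PRIMARY)
      [ -f "$wf_state_file" ] || return 0   # nothing was added, nothing to remove
      while read -r _pubkey wf_host; do
        echo "ip route del $wf_host dev $wf_ext2if"
      done < "$wf_state_file"
      rm -f "$wf_state_file"
      ;;
    *)
      echo "usage: wg_failover_routes PRIMARY|SECONDARY <iface> <state-file>" >&2
      return 1
      ;;
  esac
}

# Demo (run as: sh this.sh demo): dry-run both transitions on the sample.
if [ "${1:-}" = "demo" ]; then
  f="${TMPDIR:-/tmp}/wg_failover_demo.$$"
  sample_endpoints | wg_failover_routes SECONDARY eth1 "$f"
  wg_failover_routes PRIMARY eth1 "$f" < /dev/null
fi
```

To hook it into a wan-failover.script, feed it the live output (`wg show wg0 endpoints | wg_failover_routes "$state" "$EXT2IF" /tmp/wan_wg_failover | sh`). Like the posted script, the routes are `dev`-only, which works on a point-to-point failover link; on a broadcast interface the off-link host needs `via "$secondary_gw"` (and an IPv6 endpoint needs an IPv6 next hop on that link) or the neighbour lookup for the endpoint address will fail.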