Thank you all for your replies. Actually, I did not know that providing seamless switching VPN solutions is so problematic. If it can't be done in a simple way, then it doesn't have to be seamless at any cost. Users will manually reconnect to this VPN when CARP does a switchover and there will be no drama.

I am currently using IPSEC/L2TP, but I do not insist on switching to wireguard. IPSEC/L2TP simply works smoothly on win10/11/mac. Around 2020 I switched from IKEv2 to IPSEC/L2TP when my CA certificate expired and I couldn't cope with updating it to get the VPN back to work. It was the pandemic, and everybody worked remotely. So I quickly switched from IKEv2 to IPSEC/L2TP to allow users to work remotely again, and so it remains to this day. Maybe it's time to replace IPSEC/L2TP with another/newer VPN solution - on the occasion of the CARP deployment.

All I need is a highly secure VPN solution for win10/win11/mac. I have a dozen very non-technical remote users and this VPN just has to always work when they click CONNECT. That's what I got with IPSEC/L2TP. I also need to assign static IP addresses per user - if I remember correctly, IKEv2 assigned users random addresses from the entire VPN pool and I couldn't cope with the IP/user assignment. Any suggestions - what to choose and how to configure it - will be welcome.

Replication is therefore not a priority.

Radek

On Thu, 30 May 2024 08:23:35 -0000 (UTC) Stuart Henderson <stu.li...@spacehopper.org> wrote:

> On 2024-05-29, Vitaliy Makkoveev <o...@bsdbox.dev> wrote:
> > He wants replication. This means both wireguard "servers" know the client
> > state. No client reconnection at failure, no delay, seamless migration
> > from failed node to the backup. Something like sasyncd(8), but for
> > npppd(8) or wg(4).
>
> wireguard doesn't have a "reconnection" in the way IKEv2+MSCHAP or
> IKE+L2TP do, the user doesn't have to do anything, so as long as peers
> are configured on all carp members it should be fairly seamless.
>
> It doesn't care about IP addresses as long as one end can get packets
> through to the other's last known address.
>
> (Reason for ifstated would be to stop any carp backup machines from
> trying to send wireguard packets and confusing things.)
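An added illustration of the arrangement Stuart describes, not taken from anyone's message in this thread: an ifstated(8) configuration that brings the wg(4) interface up only on the CARP master (so the backup never sends WireGuard packets), alongside a hostname.wg0 that is identical on both CARP members and pins one /32 per peer, which gives each user a fixed address. The interface names carp0 and wg0, the 10.9.0.0/24 pool, the port and the key values are assumptions, and the keys are placeholders to be replaced with real ones.

```conf
# /etc/ifstated.conf  (assumed names: carp0 = CARP interface, wg0 = WireGuard interface)
# Follow the CARP master/backup state and raise or lower wg0 accordingly,
# so that only the current master ever sends WireGuard packets.
init-state auto

carp_up = "carp0.link.up"

state auto {
	if $carp_up
		set-state master
	if ! $carp_up
		set-state backup
}

state master {
	init {
		run "ifconfig wg0 up"
	}
	if ! $carp_up
		set-state backup
}

state backup {
	init {
		run "ifconfig wg0 down"
	}
	if $carp_up
		set-state master
}

# /etc/hostname.wg0  (same file on both CARP members; assumed pool 10.9.0.0/24)
# The server key must be the same on both members so clients see one peer.
# Each wgpeer line pins one user to one /32, i.e. a static per-user address.
wgport 51820 wgkey SERVER_PRIVATE_KEY_BASE64_PLACEHOLDER
wgpeer USER1_PUBLIC_KEY_PLACEHOLDER wgaip 10.9.0.10/32
wgpeer USER2_PUBLIC_KEY_PLACEHOLDER wgaip 10.9.0.11/32
inet 10.9.0.1 255.255.255.0
```

Because both members carry the same server key and the same peer list, and the clients' endpoint is the CARP address, a failover only moves which machine answers; the clients keep their pinned addresses and do not reconnect. Enable the watcher with `rcctl enable ifstated` and `rcctl start ifstated`, and check the resulting state with `ifconfig wg0` on each member after a CARP switch.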