Fail-over site-to-site Wireguard with two WANs on one site

pancakes · January 23, 2023, 5:18pm

Hello,

I have a site-to-site Wireguard configuration between OpenWRT and PFsense. OpenWRT has only one WAN. Recently I've added a second WAN (LTE) to the PFsense for failover.

I'd like to configure Wireguard in the OpenWRT to take advantage of the two WANs. Meaning, when WAN1 on the PFsense fails, OpenWRT should switch the WG tunnel to the WAN2. If WAN1 comes back online, WRT should switch the tunnel back.

However, is it possible to do so without changing IP Addresses of the tunnel and Allowed IPs in the peer configuration. Only the Endpoint host would change, because of course the two WANs one the PFsense have different IPs.

Can it be done by adding a second WG interface in the WRT and setting gateway metric? But then if Allowed IPs are the same on both WG interfaces, WRT wouldn't allow to create the same routes for both of them, would it?
Would policy-based routing work in this situation?
Maybe a better solution would be to configure WRT WG as a "server" without endpoint IP and PFsense as a client with WRT's IP as a endpoint? Then PFsense would handle WG failover.

trendy · January 23, 2023, 7:45pm

You can set up 2 wg tunnels and prioritize them with interface metric. However it will not understand that the other end is not working to retract the routes. You'd need some connectivity probing. PBR can decide which tunnel to use but by itself cannot probe if the tunnel is alive.
The third option looks more feasible, as long as PFSense will be able to change the uplink used accordingly.

pancakes · February 7, 2023, 5:46pm

Number 3 it is.

system · February 17, 2023, 5:46pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.