How do I route two wireguard interfaces to same server and port?

I have two wireless connections, one on interface wwan0 and one on interface wwan1.
I have two WireGuard interfaces, wg0 and wg1, connected to ProtonVPN.
Unfortunately, Proton only allows the use of one server on a single IP address AND only allows the WG interface to use 10.2.0.2/32.
I have got round the 10.2.0.2/32 issue by setting the WG interfaces to 10.0.0.2/32 and 10.1.0.2/32 and using:

config nat
        option target 'SNAT'
        option src_ip '10.0.0.2'
        option snat_ip '10.2.0.2'
        option src 'wwan'
        option enabled '1'

config nat
        option target 'SNAT'
        option src_ip '10.1.0.2'
        option snat_ip '10.2.0.2'
        option src 'wwan'
        option enabled '1'

in /etc/config/firewall
My problem is that all the encrypted traffic goes to Proton via only one of the wwan0/wwan1 interfaces.
I've tried option tunlink wwan0 and option tunlink wwan1, but that just creates two routes to Proton and doesn't help.
I've tried setting a metric on wwan0 and wwan1 and using mwan3 to balance Proton traffic across wwan0 and wwan1, but that's not possible as there is only one ip address.
I've tried SNATing, but I don't think that'll work with an external ip address.
I've tried setting a fwmark on wg0 and wg1 and using that to point to a routing table, but I couldn't get that to work.

Has anyone managed to get something like this working in the past?

Thank you.

What are you hoping to achieve by setting up 2 simultaneous wireguard interfaces that connect to the same server?

Hi psherman

The router has a 2.4GHz and a 5GHz aerial. Each aerial connects to an ISP and provides a local Wi-Fi network. I want to load balance across the two aerials/ISPs. I also want VPN.

My understanding is that I can't load balance one VPN connection across two ISPs as the source IP address would keep changing.

So, I need two VPN connections. Since I've paid Proton for up to 5 connections, I'd rather not pay another VPN provider.

I've successfully load balanced across wg0 and wg1 with mwan3 using the SNAT 'hack'.

Thank you.

Great. So does that mean your issue is solved?

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:

No, sorry, it's not resolved. wg0 and wg1 are balanced, but the encrypted traffic still only goes through one of wwan0 and wwan1.

So I still need to balance wwan0 and wwan1. I think you can see the problem here:

ip route show
default via 192.168.0.1 dev phy0-sta0 proto static src 192.168.0.19 metric 10 
default via 192.168.1.1 dev phy1-sta0 proto static src 192.168.1.4 metric 11 
default dev wg0 proto static scope link metric 100 
default dev wg1 proto static scope link metric 101 
10.0.0.2 dev wg0 proto static scope link metric 100 
10.1.0.2 dev wg1 proto static scope link metric 101 
XXX.XX.XXX.XX via 192.168.0.1 dev phy0-sta0 proto static metric 10 
XXX.XX.XXX.XX via 192.168.1.1 dev phy1-sta0 proto static metric 11 
192.168.0.0/24 dev phy0-sta0 proto static scope link metric 10 
192.168.1.0/24 dev phy1-sta0 proto static scope link metric 11 
192.168.100.0/24 dev br-lan proto kernel scope link src 192.168.100.1

There are two routes to the same IP address at Proton (XXX.XX.XXX.XX, and this is the only address they allow us to use).

(wwan0 and wwan1 are on the aerials phy0-sta0 and phy1-sta1.)
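
Added example, not part of any post in the thread: a simplified Python model of Linux route selection (longest prefix, then lowest metric, with policy rules keyed on fwmark) run over the routing table from the last post. It shows why both tunnels' encrypted packets leave through phy0-sta0, and what per-tunnel fwmark rules of the kind mentioned in the first post would select instead. The endpoint address 203.0.113.10, the mark values and the table names are assumptions.

```python
import ipaddress

# Constructed from the `ip route show` output in the post. 203.0.113.10 is a
# documentation address standing in for the redacted endpoint XXX.XX.XXX.XX.
ENDPOINT = "203.0.113.10"
MAIN = [  # (prefix, device, metric)
    ("0.0.0.0/0", "phy0-sta0", 10),
    ("0.0.0.0/0", "phy1-sta0", 11),
    ("0.0.0.0/0", "wg0", 100),
    ("0.0.0.0/0", "wg1", 101),
    (ENDPOINT + "/32", "phy0-sta0", 10),
    (ENDPOINT + "/32", "phy1-sta0", 11),
]
# Assumed values, not from the thread: one mark and one table per tunnel.
MARKS = {"wg0": 0x1, "wg1": 0x2}
TABLES = {
    "main": MAIN,
    "via_wwan0": [("0.0.0.0/0", "phy0-sta0", 0)],
    "via_wwan1": [("0.0.0.0/0", "phy1-sta0", 0)],
}

def lookup(table, dst):
    """Longest prefix wins, then lowest metric; only the destination is used."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p).prefixlen, -metric, dev)
            for p, dev, metric in table if addr in ipaddress.ip_network(p)]
    return max(hits)[2] if hits else None

def route(rules, dst, fwmark=0):
    """Walk (mark, table) rules in order; mark None matches every packet."""
    for mark, table in rules:
        if mark is None or mark == fwmark:
            dev = lookup(TABLES[table], dst)
            if dev:
                return dev
    return None

def egress(rules, marks):
    """Egress device for each tunnel's encrypted packets to the endpoint."""
    return {wg: route(rules, ENDPOINT, marks.get(wg, 0)) for wg in ("wg0", "wg1")}

UNMARKED = [(None, "main")]  # the situation shown in the post
MARKED = [(0x1, "via_wwan0"), (0x2, "via_wwan1"), (None, "main")]

if __name__ == "__main__":
    print("main table only:", egress(UNMARKED, {}))
    print("fwmark rules:   ", egress(MARKED, MARKS))
```

With only the main table, the lookup sees the same destination for both tunnels, so the metric 10 host route always wins and the metric 11 route is never chosen.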