I currently manage two locations. My first has a 100/20 Mbps unmetered connection with a static IP address. The second has a 4G cellular connection, behind a CGNAT. This connects to the first location using a site-to-site WG tunnel, using the first location's static IP address.
I'm contemplating moving the first location to an unmetered symmetrical 1 Gbps FTTP connection, behind CGNAT. To maintain my connectivity, I'm planning to run an L2TP connection to AAISP over the fibre connection. That will give me a (pretty generous) metered and speed-limited connection with static IP addresses. I could obviously just move my WG tunnel to run via the AAISP connection, but I would like to maintain its unmetered nature if possible.
So ... what I'm trying to understand is whether there is any way to set up the WG tunnel at my first location so that when the inbound connection is received from my second location, on the AAISP interface with the static IP address, the tunnel is established and then moved to the "other" interface, allowing the WG tunnel to continue across the unmetered fibre connection, between the two CGNATed endpoints.
I think I'm going to need PBR anyway, so I'm wondering about some kind of routing magic?
I hope I've explained that clearly enough. Has anyone managed to get something like this working, and is able to explain how to make it work, or alternatively whether it's definitively not possible?
If I understand your goal properly, one site will always use a 4G cellular connection that is metered. And your goal is to attempt to avoid the metering from that site? Do I have that all correct?
Assuming that is the case, the answer is simple -- No. It's not possible to avoid the metering from the 4G site. The protocol doesn't affect the metering -- they simply look for the traffic flow in/out of your 4G modem (on their side). They count the bytes... simple as that.
No, sorry, this is quite hard to explain ... hopefully this clarifies.
The cellular connection at my second location is (in practical terms) unmetered. What I am trying to avoid is the WG tunnel using significant quantities of the metered AAISP L2TP connection that would be running over the (also unmetered) FTTP connection at my first location.
The way things work at the moment is that the WG tunnel operates in a client-server manner. The router with the cellular connection (behind CGNAT) establishes the tunnel to the router with the wired connection and static IP address. That tunnel seems to survive any subsequent changes to the IP address at the CGNATed cellular end of the connection (which makes me think enough information is being transferred in the WG protocol to enable changes to the underlying "carrier" IP addresses to be propagated smoothly from one participant to its peer).
So what I'm trying to understand is whether there is a way to configure the "server" end of the WG tunnel (or its environment, in terms of routing rules etc) so that the cellular end can establish the WG tunnel on the static IP address associated with the AAISP connection on the "server", but then be pushed onto the underlying unmetered FTTP "carrier" interface on the "server", avoiding the AAISP L2TP connection, even though that FTTP interface does not have a static IP address, and will be behind CGNAT too.
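The client-server WireGuard layout described above, written out as an added example (not configuration from the original poster): the static-IP "server" lists the cellular peer without an Endpoint, so it learns the peer's current public address from the latest authenticated packet, while the CGNATed client pins the server's static address and sends keepalives to keep its NAT mapping open. Keys, addresses and ports are placeholders.

```ini
# --- "server" side: router with the static IP address (placeholder 203.0.113.10) ---
[Interface]
Address = 10.200.0.1/24
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY>      # placeholder

[Peer]
# Cellular router behind CGNAT. No Endpoint is set: WireGuard records
# whichever source IP:port the last valid handshake or data packet came from,
# which is why the tunnel survives the carrier changing the client's address.
PublicKey = <CLIENT_PUBLIC_KEY>        # placeholder
AllowedIPs = 10.200.0.2/32, 192.168.2.0/24

# --- "client" side: router on the CGNATed 4G connection ---
[Interface]
Address = 10.200.0.2/24
PrivateKey = <CLIENT_PRIVATE_KEY>      # placeholder

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>        # placeholder
# Only the client needs a fixed Endpoint; the server cannot reach the client first.
Endpoint = 203.0.113.10:51820
AllowedIPs = 10.200.0.1/32, 192.168.1.0/24
# Keepalives refresh the CGNAT mapping so the server's replies keep arriving.
PersistentKeepalive = 25
```

`wg show` on the server reports the peer's current "endpoint", which is the address it will send to until a newer authenticated packet arrives from elsewhere.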
Oh, that looks very interesting! The wiki seems to be hinting that you can negotiate a mesh of WG connections, including ones between CGNATed endpoints, as long as somewhere in the mesh there is a server with a static IP address. That would be my case (albeit the mesh would only be two machines). Thank you - I'll go read some more, but I agree the documentation does look a bit sparse.
If anyone has any other (simpler or more fully documented!) suggestions, please feel free to add them!
It sort of is ... the only network I will have that has a static IP, and that isn't CGNATed, will be metered. I accept I will need to use that network to establish the tunnel, but it would be really nice if the tunnel that I establish avoids that metered network, and uses the unmetered CGNATed one instead!
If both sites have IPv6 connectivity, that would be the easiest approach for the tunnel.
(I have CGNAT with a semi-static /56 IPv6 prefix at home; my road-warrior WireGuard setup there only works over IPv6, which tends to (mostly) work for me (my mobile ISP has IPv6 connectivity, so as long as I use my own phone it's all fine; WLAN hotspots, guest networks, or international roaming would be another topic).)
Definitely look into IPv6. If that will not work and you have to forward with a third party, I have used ZeroTier. They don't "meter", i.e. charge money, if the only way to make a connection is to forward through them (though the system is usually successful at punching holes in CGNAT), but they may temporarily deny forwarding if you move gigabytes per day.
Thanks @slh and @mk24 ... I should have mentioned that there is no IPv6 in location two. Sadly none of the UK cellular operators provide IPv6; they all issue you with just a short-lease CGNATed IPv4.