WireGuard and HA setup: keepalived routing problem?

I have created a high availability (HA) setup with two OpenWrt routers by using keepalived, following the wiki: https://openwrt.org/docs/guide-user/network/high-availability
This article does not cover VPN connections, and as I did not find out how to make my WireGuard interface HA, I just stop it on the backup device.
I have a LAN subnet and a WireGuard subnet.
The WireGuard setup is working as expected, which means I can access all devices in my LAN subnet from my WireGuard clients.
Except for one device, the backup router, which is not reachable from a WireGuard client. The main router has (and VIP) and the backup router has

Now I am stuck on this and look forward to some advice, as my only assumption is that I need some special routing to access the backup router.

I found the solution with the help of a friend who pointed me to the idea that a route from the backup router to the WireGuard network was missing.

What I did was add a static route for my LAN interface with Target and as Gateway I used the VIP of the LAN interface (route type = unicast).
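The static route from that post, as an added example that is not part of the thread: UCI commands for the backup router plus a check of the kernel routing table. The WireGuard subnet and the LAN VIP are placeholders, since the original post does not give them.

```shell
#!/bin/sh
# Added example (not from the thread). Run on the BACKUP router, which has no
# WireGuard interface of its own, so replies to WireGuard clients must be sent
# to the master via the LAN VIP. Both addresses below are placeholders.
WG_SUBNET="10.99.0.0/24"   # placeholder: the WireGuard subnet
LAN_VIP="192.168.1.1"      # placeholder: keepalived VIP on the LAN interface

# Print the UCI commands that create the static route on the 'lan' interface,
# so they can be reviewed before being applied with:
#   sh -c "$(wg_return_route_uci)"
wg_return_route_uci() {
    cat <<EOF
uci add network route
uci set network.@route[-1].interface='lan'
uci set network.@route[-1].target='$WG_SUBNET'
uci set network.@route[-1].gateway='$LAN_VIP'
uci set network.@route[-1].type='unicast'
uci commit network
/etc/init.d/network reload
EOF
}

# Check that a WireGuard client address is routed via the VIP.
# $1: client address in the WireGuard subnet
# $2: optional pre-captured output of `ip route get $1` (lets the check run
#     offline; when omitted, `ip route get` is executed on this host)
# Prints "ok" when the next hop is the VIP, otherwise "missing".
route_check() {
    out="${2:-$(ip route get "$1" 2>/dev/null)}"
    case "$out" in
        *"via $LAN_VIP "*) echo ok ;;
        *) echo missing ;;
    esac
}
```

Once the VIP fails over to the backup router, this route points at the router itself and the WireGuard subnet stays unreachable until the master returns, which matches the design above of stopping WireGuard on the backup.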

Such setups are usually built with a dynamic routing protocol like OSPF or BGP.
Keepalived (which uses VRRP) is normally used for gateway addresses or service addresses.

Thanks for your input _bernd. So you mean if you want to have WireGuard HA, then VRRP is not the way to go, correct?

Yes. If you have, for example, a site-to-site VPN and each site has 2 routers, you would just set up WireGuard from each router to the other 2 on the other site to get redundant connections. OSPF or BGP is then used to select the best route/path.
However, to get the local traffic to hit the active gateway router, you use VRRP with keepalived to move the gateway address between the 2 routers on a site...

Edit: but you have to either sync the firewall connection state between the 2 routers per site or ensure that the active gateway (VRRP master) is also the router with the best path metric to the other site... But that's not uncommon to configure/implement. Most people consider this advanced networking :wink: but it is achievable and not thaaaat hard to configure.
