Wireguard -- failover & watchdog

I have a fast and stable OpenWrt router setup with VPN policies and several Wireguard interfaces.

I faced a concerning issue lately: my normally reliable VPN provider started taking servers down and updating the software in prime time, without announcing the service windows, so nobody knew when and what was coming.

Such an operational policy is not compatible with an advanced setup with many people working behind the firewall.

Questions:

  1. Any ideas for a failover solution, having operational stability as the first priority? It could be a swap to WAN and back in case of Wireguard server dropouts, just to give you an idea.

  2. I have the Wireguard watchdog running, but I did not see any dog during the issue above. What does the dog actually do?

  3. Any Wireguard VPN provider recommendations: reliable, predictable and with proper operational policies?

Let me have your thoughts... thanks :)

You could use Cloudflare's WARP if you are looking for a reliable Wireguard backhaul (a WAN).

For management networks and such, you could run your own Wireguard instance on a cloud provider and then route only specific subnets through that.

Then, to get automatic WAN failover so your watchdog just brings your Wireguard WAN up/down, use network interface prioritization, i.e. (this is an LTE-first scenario):

# The lowest metric wins: 'lte' (99) is preferred over 'wan' (100),
# and traffic falls back to 'wan' when 'lte' goes down.
config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'
	option metric '100'

config interface 'lte'
	option device 'usb0'
	option proto 'dhcp'
	option metric '99'

You can use this tool to generate a WARP (or WARP+) configuration that can be imported into your router.

WGCF - https://github.com/ViRb3/wgcf

Sample imported configuration.

config interface 'warp'
	option proto 'wireguard'
	option mtu '1280'
	option private_key '<XXXX>'
	list addresses '<XXXX>'

config wireguard_warp 'warp-cf'
	option public_key '<XXXX>'
	option endpoint_host 'engage.cloudflareclient.com'
	option endpoint_port '2408'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	list allowed_ips '0.0.0.0/5'
	list allowed_ips '8.0.0.0/7'
	list allowed_ips '11.0.0.0/8'
	list allowed_ips '12.0.0.0/6'
	list allowed_ips '16.0.0.0/4'
	list allowed_ips '32.0.0.0/3'
	list allowed_ips '64.0.0.0/2'
	list allowed_ips '128.0.0.0/3'
	list allowed_ips '160.0.0.0/5'
	list allowed_ips '168.0.0.0/6'
	list allowed_ips '172.0.0.0/12'
	list allowed_ips '172.32.0.0/11'
	list allowed_ips '172.64.0.0/10'
	list allowed_ips '172.128.0.0/9'
	list allowed_ips '173.0.0.0/8'
	list allowed_ips '174.0.0.0/7'
	list allowed_ips '176.0.0.0/4'
	list allowed_ips '192.0.0.0/9'
	list allowed_ips '192.128.0.0/11'
	list allowed_ips '192.160.0.0/13'
	list allowed_ips '192.169.0.0/16'
	list allowed_ips '192.170.0.0/15'
	list allowed_ips '192.172.0.0/14'
	list allowed_ips '192.176.0.0/12'
	list allowed_ips '192.192.0.0/10'
	list allowed_ips '193.0.0.0/8'
	list allowed_ips '194.0.0.0/7'
	list allowed_ips '196.0.0.0/6'
	list allowed_ips '200.0.0.0/5'
	list allowed_ips '208.0.0.0/4'
	list allowed_ips '1.1.1.1/32'
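The "swap to WAN and back" from question 1, built on the metric-based prioritization shown in the reply above, as an added example written for this thread: it is neither the poster's setup nor OpenWrt's own wireguard_watchdog cron script (that one acts on the tunnel itself, re-setting a peer's endpoint after a stale handshake; it does not move traffic to another uplink). Everything below is an assumption, not from the thread: the tunnel interface is wg0 and owns a default route with metric 10, the plain WAN keeps a default route with a higher metric, a peer with no handshake for 180 seconds counts as dead, and the state file lives in /tmp. It is POSIX sh so it runs on busybox ash on the router.

```shell
#!/bin/sh
# Handshake-age failover watchdog for a WireGuard uplink on OpenWrt.
# Added example for this thread: not the poster's setup and not the
# wireguard_watchdog script shipped with OpenWrt. Assumptions (none from the
# thread): the tunnel interface is 'wg0' and carries a default route with
# metric WG_METRIC; the plain WAN keeps its own default route with a higher
# metric (the prioritization shown in the reply above); a peer whose last
# handshake is older than STALE_AFTER seconds counts as dead.
# Cron line: * * * * * /usr/bin/wg_failover run
# Set WG_DRY_RUN=1 to print the commands instead of running them.

WG_IFACE="${WG_IFACE:-wg0}"
WG_METRIC="${WG_METRIC:-10}"
STALE_AFTER="${STALE_AFTER:-180}"
STATE_FILE="${STATE_FILE:-/tmp/wg_failover.state}"
WG_DRY_RUN="${WG_DRY_RUN:-0}"

# Constructed sample of `wg show wg0 latest-handshakes` output: one line per
# peer, "<public key><TAB><unix epoch>", 0 meaning the peer never handshook.
# The keys are placeholders, not real ones.
SAMPLE_HANDSHAKES="$(printf 'PEER_A_PUBLIC_KEY=\t1700000000\nPEER_B_PUBLIC_KEY=\t0\n')"

# newest_handshake "<latest-handshakes output>": most recent epoch over all
# peers, or 0 if none of them has ever completed a handshake.
newest_handshake() {
    printf '%s\n' "$1" | awk 'BEGIN { max = 0 } NF >= 2 && $2 > max { max = $2 } END { print max + 0 }'
}

# tunnel_state "<latest-handshakes output>" <now-epoch>: "up" when some peer
# handshook within STALE_AFTER seconds of now, otherwise "stale".
tunnel_state() {
    local newest
    newest=$(newest_handshake "$1")
    if [ "$newest" -gt 0 ] && [ $(( $2 - newest )) -le "$STALE_AFTER" ]; then
        echo up
    else
        echo stale
    fi
}

# next_action <tunnel-state> <recorded-state>: only state transitions act, so
# the route is not re-issued on every run and a tunnel that has already been
# failed over is left alone until a handshake is seen again.
next_action() {
    case "$1:$2" in
        stale:up)  echo failover ;;
        up:failed) echo restore ;;
        *)         echo none ;;
    esac
}

# run_cmd <command...>: execute, or in dry-run mode print, one command.
run_cmd() {
    if [ "$WG_DRY_RUN" = "1" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# apply_action <failover|restore|none>
apply_action() {
    case "$1" in
        failover)
            # Drop only the tunnel's default route: the interface stays up and
            # the keepalive keeps retrying, so recovery remains observable.
            run_cmd ip route del default dev "$WG_IFACE" metric "$WG_METRIC"
            echo failed > "$STATE_FILE"
            ;;
        restore)
            run_cmd ip route add default dev "$WG_IFACE" metric "$WG_METRIC"
            echo up > "$STATE_FILE"
            ;;
    esac
}

# One cron run: read the live handshake table, decide, act, log.
main() {
    local hs now state recorded action
    hs=$(wg show "$WG_IFACE" latest-handshakes 2>/dev/null) || hs=""
    now=$(date +%s)
    state=$(tunnel_state "$hs" "$now")
    recorded=$(cat "$STATE_FILE" 2>/dev/null || echo up)
    action=$(next_action "$state" "$recorded")
    logger -t wg_failover "$WG_IFACE handshake=$state recorded=$recorded action=$action"
    apply_action "$action"
}

case "${1:-}" in
    run) main ;;
esac
```

The two-state hysteresis (up/failed, acting only on transitions) is what keeps the route from flapping on a single slow handshake; the dead tunnel is left up so the persistent keepalive keeps probing and a recovery shows up as a fresh handshake without any extra probing logic.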
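With route_allowed_ips '1', every prefix in that allowed_ips list becomes a kernel route into the tunnel, so the long list is the point: it is 0.0.0.0/0 with the private ranges cut out. The following is an added check for this thread (not wgcf's code and not from the original post) that the list really leaves RFC 1918 and multicast alone; the forbidden set, the function names and the sed extraction of list lines from UCI text are assumptions made for this example.

```shell
#!/bin/sh
# Verify that a WireGuard allowed_ips list does not route prefixes that must
# stay off the tunnel (LAN, multicast). Added example for this thread; it is
# not wgcf's code and not from the original post. The forbidden set below and
# the function names are assumptions. Uses only integer arithmetic in awk,
# no bit operators, so it also runs on the busybox awk found on OpenWrt.

# Prefixes that must never be covered by allowed_ips: RFC 1918 plus
# multicast. Extend to taste; the check itself is generic.
FORBIDDEN="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4"

# The allowed_ips list from the WARP peer above, as the sample input.
SAMPLE_ALLOWED="0.0.0.0/5 8.0.0.0/7 11.0.0.0/8 12.0.0.0/6 16.0.0.0/4 32.0.0.0/3
64.0.0.0/2 128.0.0.0/3 160.0.0.0/5 168.0.0.0/6 172.0.0.0/12 172.32.0.0/11
172.64.0.0/10 172.128.0.0/9 173.0.0.0/8 174.0.0.0/7 176.0.0.0/4 192.0.0.0/9
192.128.0.0/11 192.160.0.0/13 192.169.0.0/16 192.170.0.0/15 192.172.0.0/14
192.176.0.0/12 192.192.0.0/10 193.0.0.0/8 194.0.0.0/7 196.0.0.0/6 200.0.0.0/5
208.0.0.0/4 1.1.1.1/32"

# overlapping_prefixes "<allowed list>" "<forbidden list>"
# Prints one "allowed forbidden" line per pair of prefixes that share at
# least one address; prints nothing when the allowed list is clean.
# Host bits set in a prefix (e.g. 192.168.1.7/24) are masked off.
overlapping_prefixes() {
    awk -v allowed="$1" -v forbidden="$2" '
    # parse("a.b.c.d/n") sets the globals lo and hi to the first and last
    # address of the block, as plain 32-bit integers.
    function parse(c,    p, o, addr, size) {
        split(c, p, "/"); split(p[1], o, ".")
        addr = ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        size = 2 ^ (32 - p[2])
        lo = int(addr / size) * size
        hi = lo + size - 1
    }
    BEGIN {
        gsub(/\n/, " ", allowed); gsub(/\n/, " ", forbidden)
        na = split(allowed, a, " "); nb = split(forbidden, b, " ")
        for (i = 1; i <= na; i++) {
            parse(a[i]); alo = lo; ahi = hi
            for (j = 1; j <= nb; j++) {
                parse(b[j])
                # Two ranges intersect unless one ends before the other starts.
                if (alo <= hi && lo <= ahi) print a[i], b[j]
            }
        }
    }'
}

# allowed_ips_from_uci "<UCI text>": the prefixes from every
# "list allowed_ips '...'" line, space separated, so the check can be run on
# /etc/config/network directly (all peers in the file are included).
allowed_ips_from_uci() {
    printf '%s\n' "$1" \
        | sed -n "s/^[[:space:]]*list allowed_ips '\([^']*\)'.*/\1/p" \
        | tr '\n' ' '
}

# check_allowed_ips "<allowed list>": returns 0 when clean, otherwise prints
# the offending pairs on stderr and returns 1.
check_allowed_ips() {
    local bad
    bad=$(overlapping_prefixes "$1" "$FORBIDDEN")
    [ -z "$bad" ] && return 0
    printf 'allowed_ips would route these prefixes into the tunnel:\n%s\n' "$bad" >&2
    return 1
}

# Usage on the router, e.g. from a pre-flight script:
#   check_allowed_ips "$(allowed_ips_from_uci "$(cat /etc/config/network)")"
```

The check is deliberately about overlap, not containment: a single stray 192.168.1.0/24 inside allowed_ips would already pull that LAN into the tunnel, and that is exactly the case a containment-only test would miss. Note the list does cover 127.0.0.0/8 and 169.254.0.0/16 (via 64.0.0.0/2 and 168.0.0.0/6); add them to FORBIDDEN if your policy needs them excluded explicitly rather than relying on the kernel's local and link-scope routes winning.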

Interesting, I'll take a look at Warp