Wireguard tunnel over mwan3

Hello everyone, I'm Stefano from Italy, a Software Engineer passionate about networking.

I have an OpenWrt router with 3 interfaces configured: one for LAN and two for WAN (the WAN interfaces are physically connected to two ISP routers).

I recently configured mwan3 in order to have automatic failover (not load balancing) over the second WAN if the first one stops working, and it's working fine.

Now, I want to route all my traffic over VPN using the WireGuard protocol. I have installed all the wireguard-related packages and configured the link.
In mwan3 I have created 2 rules:

  1. Route traffic to the egress WireGuard endpoint through the failover policy.
  2. Route all other traffic (0.0.0.0/0) through the WireGuard interface.

It seems to work ok, but when the main WAN goes off, the tunnel stops working.

What is the best way to configure a WireGuard tunnel over a failover (or load-balanced) mwan3 setup?

Thank you!

I have got it to work by setting metrics 21 and 22 on my WAN connections, then setting the metric to 11 on my WireGuard interface.

I had some initial problems: if the connection with metric 21 went down and then up again, the WireGuard tunnel needed to be re-established. I made a script that was run with some delay 👍🏻

I have solved it!
Here is the solution for others:

  1. Set the WireGuard interface with a higher metric than the real WAN interfaces in "network > interfaces" (example: main WAN = 10, other WAN = 20, WireGuard = 30).
  2. Set up the 3 interfaces (main WAN, other WAN, WireGuard) in "network > multiwan manager > interface" and the 3 members in "network > multiwan manager > member". The trick here is to set the "Flush conntrack table" option to both "connected" and "disconnected" for the two real WAN interfaces.
  3. Set up a real policy for the 2 real interfaces (failover or load-balanced; I only tested failover) and a dummy policy for the WireGuard interface in "network > multiwan manager > policy".
  4. This is the second trick: create a first rule that routes all traffic with the destination address of your WireGuard peer (VPN endpoint) to the failover policy, then create a second rule that routes all traffic (destination address 0.0.0.0/0) to the dummy WireGuard policy.
  5. Finally, set a keepalive interval for your peer in "network > interfaces > wireguard interface > peer" (for example 10 seconds).

Now, when my router boots, the WireGuard tunnel is established through the main WAN. As soon as the main WAN goes down, within a minute (you can tune the mwan3 parameters to shorten this interval) the tunnel is re-established through the backup WAN. When the main WAN comes back, within a minute the tunnel is re-established through the main WAN.

Thank you!
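The five steps above (and the two mwan3 rules from the original question), as an added example that is not code from the thread: a POSIX sh script that emits a `uci batch` file for /etc/config/network and /etc/config/mwan3 instead of clicking through LuCI. Interface names (wan, wanb, wg0), the peer endpoint 203.0.113.10:51820, the peer's tunnel address 10.0.0.1, the tracking hosts and the assumption that the peer is the first `wireguard_wg0` section are all constructed for the example. One setting the thread does not mention is added on purpose: `last_resort='unreachable'` on the tunnel-only policy, so that while the tunnel is down traffic is rejected rather than leaking out a bare WAN.

```shell
#!/bin/sh
# Added example, not from the forum thread: generate the mwan3 + network UCI
# settings for "WireGuard over mwan3 failover" as a `uci batch` script.
# Print:  sh mwan3-over-wg.sh --print
# Apply:  sh mwan3-over-wg.sh --print | uci batch && uci commit \
#           && /etc/init.d/network reload && mwan3 restart
# All names and addresses below are assumptions; adjust before use.

WAN_IF="${WAN_IF:-wan}"                        # main WAN (netifd interface name)
WANB_IF="${WANB_IF:-wanb}"                     # backup WAN
WG_IF="${WG_IF:-wg0}"                          # WireGuard interface (proto wireguard)
WG_ENDPOINT="${WG_ENDPOINT:-203.0.113.10}"     # peer's public IPv4 (TEST-NET-3, constructed)
WG_PORT="${WG_PORT:-51820}"                    # peer's listen port (constructed)
WG_PEER_TUNNEL_IP="${WG_PEER_TUNNEL_IP:-10.0.0.1}"  # peer's address inside the tunnel
WAN_METRIC=10; WANB_METRIC=20; WG_METRIC=30    # step 1: tunnel metric above both WANs

# Step 1 guard: the tunnel's route must lose to both real WANs in the main
# table, otherwise the endpoint itself would be routed into the tunnel.
check_metrics() {
    [ "$WG_METRIC" -gt "$WAN_METRIC" ] && [ "$WG_METRIC" -gt "$WANB_METRIC" ]
}

# One mwan3 interface stanza. flush_conntrack on connected+disconnected (the
# first trick) discards the NAT/UDP state that would otherwise keep the
# WireGuard socket pinned to the dead WAN.  $1=name $2=track_ip $3=flush(1/0)
mwan3_iface() {
    echo "set mwan3.$1=interface"
    echo "set mwan3.$1.enabled='1'"
    echo "set mwan3.$1.family='ipv4'"
    echo "add_list mwan3.$1.track_ip='$2'"
    echo "set mwan3.$1.reliability='1'"
    echo "set mwan3.$1.interval='5'"
    echo "set mwan3.$1.down='3'"
    echo "set mwan3.$1.up='3'"
    if [ "$3" = 1 ]; then
        echo "add_list mwan3.$1.flush_conntrack='connected'"
        echo "add_list mwan3.$1.flush_conntrack='disconnected'"
    fi
}

mwan3_member() {   # $1=name $2=interface $3=metric (higher = used only on failover)
    echo "set mwan3.$1=member"
    echo "set mwan3.$1.interface='$2'"
    echo "set mwan3.$1.metric='$3'"
    echo "set mwan3.$1.weight='1'"
}

mwan3_batch() {
    check_metrics || { echo "WireGuard metric must exceed both WAN metrics" >&2; return 1; }
    # Step 1 metrics and step 5 keepalive (peer assumed to be the first
    # wireguard_${WG_IF} section in /etc/config/network).
    echo "set network.${WAN_IF}.metric='$WAN_METRIC'"
    echo "set network.${WANB_IF}.metric='$WANB_METRIC'"
    echo "set network.${WG_IF}.metric='$WG_METRIC'"
    echo "set network.@wireguard_${WG_IF}[0].persistent_keepalive='10'"
    # Step 2: interfaces and members. The tunnel is tracked through itself.
    mwan3_iface "$WAN_IF"  8.8.8.8 1
    mwan3_iface "$WANB_IF" 1.1.1.1 1
    mwan3_iface "$WG_IF"   "$WG_PEER_TUNNEL_IP" 0
    mwan3_member "${WAN_IF}_m1"  "$WAN_IF"  1
    mwan3_member "${WANB_IF}_m2" "$WANB_IF" 2
    mwan3_member "${WG_IF}_m1"   "$WG_IF"   1
    # Step 3: real failover policy plus a single-member "dummy" policy.
    # last_resort=unreachable on the tunnel policy is the kill switch.
    echo "set mwan3.underlay=policy"
    echo "add_list mwan3.underlay.use_member='${WAN_IF}_m1'"
    echo "add_list mwan3.underlay.use_member='${WANB_IF}_m2'"
    echo "set mwan3.underlay.last_resort='unreachable'"
    echo "set mwan3.vpn=policy"
    echo "add_list mwan3.vpn.use_member='${WG_IF}_m1'"
    echo "set mwan3.vpn.last_resort='unreachable'"
    # Step 4: rules match top-down, so the endpoint rule is emitted first.
    echo "set mwan3.to_endpoint=rule"
    echo "set mwan3.to_endpoint.dest_ip='$WG_ENDPOINT'"
    echo "set mwan3.to_endpoint.dest_port='$WG_PORT'"
    echo "set mwan3.to_endpoint.proto='udp'"
    echo "set mwan3.to_endpoint.use_policy='underlay'"
    echo "set mwan3.catch_all=rule"
    echo "set mwan3.catch_all.dest_ip='0.0.0.0/0'"
    echo "set mwan3.catch_all.proto='all'"
    echo "set mwan3.catch_all.use_policy='vpn'"
}

# Returns 0 when the endpoint rule precedes the catch-all rule in the output.
endpoint_rule_first() {
    mwan3_batch | grep '=rule$' | head -n 1 | grep -q 'to_endpoint'
}

if [ "${1:-}" = "--print" ]; then
    mwan3_batch
fi
```

mwan3 uses only the first matching rule in file order, so if the stock /etc/config/mwan3 still carries its shipped rules (for example `default_rule_v4`), delete them before applying the batch, otherwise they sit above the endpoint rule and the tunnel gets routed into itself. After `mwan3 restart`, `mwan3 status` should list both rules with `to_endpoint` first, and `wg show` should show the peer's handshake moving to the backup WAN when the main one is unplugged.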
