An5teifo
Frequent Visitor
Topic Author
Posts: 89
Joined: Mon Dec 13, 2021 10:51 am
Location: Austria

Wireguard failover (?)

Mon Apr 25, 2022 11:51 am

Hello everyone,

I recently rebuilt my local network and my remote network:
HQ: ISP -> Mikrotik (internet border router) -> 2x OPNsense as HA configuration with CARP -> LAN
Remote: ISP -> Mikrotik -> LAN

On both places I am using Wireguard as VPN connection and so far it works pretty out of the box.
As soon as I initiate a failover on OPNsense the Wireguard connection is down - which is in general okay as the 2nd OPNsense firewall will take over - but unfortunately it seems that my remote Mikrotik router does not reinitialise the VPN connection.
Keepalive is configured on remote site with 10 seconds.

I have another remote location where I am using a Turris router (modified OpenWRT) and there the failover works as expected.


Anyone able to tell me what to configure?
 
anav
Forum Guru
Posts: 21478
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard failover (?)

Mon Apr 25, 2022 2:26 pm

See Article Para 6 may apply! - viewtopic.php?t=182340
 
An5teifo
Frequent Visitor
Topic Author
Posts: 89
Joined: Mon Dec 13, 2021 10:51 am
Location: Austria

Re: Wireguard failover (?)

Mon Apr 25, 2022 2:35 pm

I am not sure if this might be my reason as I am using a static IP address which is being terminated on my HQ Mikrotik router.
No hostname or dynamic hostnames are being used.
 
anav
Forum Guru
Posts: 21478
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard failover (?)

Mon Apr 25, 2022 2:49 pm

Not sure there is anything that the MT client can do in your setup. Interesting question though.....
There are some folks here that will give you some ideas......
 
An5teifo
Frequent Visitor
Topic Author
Posts: 89
Joined: Mon Dec 13, 2021 10:51 am
Location: Austria

Re: Wireguard failover (?)

Mon Apr 25, 2022 2:52 pm

Hmm maybe something like
"ping 5x" if no ping then restart Wireguard service.

I did not know how to do this via SSH so I just disabled the Wireguard interface and enabled it again but that did not solve my issue.
 
An5teifo
Frequent Visitor
Topic Author
Posts: 89
Joined: Mon Dec 13, 2021 10:51 am
Location: Austria

Re: Wireguard failover (?)

Mon Apr 25, 2022 5:08 pm

@anav: May I ask, where to place/use such a script as you have mentioned at para 6?
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Wireguard failover (?)

Mon Apr 25, 2022 6:10 pm

Try more details. Is it client to server (= remote is behind NAT and HQ needs to wait until it connects) or peer to peer (any side can initialize connection to the other)? What exactly happens on failover? Does the second machine come up with same IP address and WG listening on same port? If so, it should work.
 
An5teifo
Frequent Visitor
Topic Author
Posts: 89
Joined: Mon Dec 13, 2021 10:51 am
Location: Austria

Re: Wireguard failover (?)

Mon Apr 25, 2022 6:21 pm

> Try more details. Is it client to server (= remote is behind NAT and HQ needs to wait until it connects) or peer to peer (any side can initialize connection to the other)? What exactly happens on failover? Does the second machine come up with same IP address and WG listening on same port? If so, it should work.
Hello Sob,

It's client to server - so my HQ needs to wait for remote to initialise the connection.

On failover the 2nd firewall takes over the virtual IP and is responsible for handling any traffic to it from the WAN side - from an external perspective you should not see any difference as the virtual IP address also has a virtual MAC address which is being shared between both firewalls.
Additionally, the Wireguard and routing (FRR) services will start on the 2nd firewall as it recognizes that it is now the primary firewall.
 
anav
Forum Guru
Posts: 21478
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard failover (?)

Mon Apr 25, 2022 6:34 pm

Sounds like an HA setup issue. Is there some mac address change somewhere??
If there is no change to destination port or IP address, and if the HQ MT WANIP stays up, not sure what can be done at the client side ???
 
An5teifo
Frequent Visitor
Topic Author
Posts: 89
Joined: Mon Dec 13, 2021 10:51 am
Location: Austria

Re: Wireguard failover (?)

Mon Apr 25, 2022 6:42 pm

> Sounds like an HA setup issue. Is there some mac address change somewhere??
> If there is no change to destination port or IP address, and if the HQ MT WANIP stays up, not sure what can be done at the client side ???
I am also not sure - from a WAN perspective even the MAC address stays the same as any WAN traffic passes my Mikrotik internet border router before HA from my firewalls takes over.
Is there any possibility (I haven't done any scripting so far on Mikrotik) to ping from the remote side my HQ within the wg tunnel and as soon as e.g. 5 pings do not work then it should restart the wg service (I think it is done by setting the peer disabled and re-enabling it)?
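A RouterOS v7 watchdog of the kind asked about above, added here as an example and not taken from the thread. The interface name, the peer comment and the HQ tunnel address are assumptions; it pings the HQ side through the tunnel and bounces the peer only when all five probes go unanswered.

```routeros
# Added example, not from the thread. Assumed names: WireGuard interface
# "wireguard1", peer with comment "hq", HQ tunnel address 10.0.0.1.
# Store it under /system/script as "wg-watchdog" and run it every minute:
#   /system/scheduler/add name=wg-watchdog interval=1m on-event=wg-watchdog
:local wgIf "wireguard1"
:local peerComment "hq"
:local hqIp "10.0.0.1"

# When called from a script, /ping returns the number of replies received
:local replies [/ping $hqIp count=5 interval=1s interface=$wgIf]

:if ($replies = 0) do={
    :log warning ("wg-watchdog: no reply from " . $hqIp . " over " . $wgIf . ", re-enabling peer")
    # Disabling and re-enabling the peer drops the stale session and forces
    # a fresh handshake towards the configured endpoint
    /interface/wireguard/peers/disable [find comment=$peerComment]
    :delay 2s
    /interface/wireguard/peers/enable [find comment=$peerComment]
} else={
    :log debug ("wg-watchdog: " . $replies . "/5 replies from " . $hqIp)
}
```

Keep the peer's persistent-keepalive as well; the watchdog only covers the case where the tunnel stays silent after the far side has changed underneath it.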
 
anav
Forum Guru
Posts: 21478
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard failover (?)

Mon Apr 25, 2022 6:56 pm

Assuming at the MT client device:
a. one does NOT get a public IP address.
b. one CANNOT forward a port on the ISP router to the MT device??
 
An5teifo
Frequent Visitor
Topic Author
Posts: 89
Joined: Mon Dec 13, 2021 10:51 am
Location: Austria

Re: Wireguard failover (?)

Mon Apr 25, 2022 7:13 pm

What is also strange:

On my internet border router (= HQ) I cannot see any connections going to the dst port?!
Although the wireguard VPN is up and running and hosts can ping each other.

It's a bit weird?
 
anav
Forum Guru
Posts: 21478
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard failover (?)

Mon Apr 25, 2022 7:34 pm

Why would you have a destination port on the MT HQ??
It would be a port forward rule from the MT HQ on UDP wireguard port to Server Device??

(unless you have created a static route on the MT HQ, so that remote users exiting HQ for internet, can get back to the Server Device and into the tunnel to go back to MH client device).
 
An5teifo
Frequent Visitor
Topic Author
Posts: 89
Joined: Mon Dec 13, 2021 10:51 am
Location: Austria

Re: Wireguard failover (?)

Mon Apr 25, 2022 7:35 pm

It seemed that my OPNsense fw has established a connection with my remote side via a NAT.
I removed the prefilled Wireguard listen-port and let it choose a new random one and after that the connection looks like an incoming VPN client-> server connection which I expect.
 
An5teifo
Frequent Visitor
Topic Author
Posts: 89
Joined: Mon Dec 13, 2021 10:51 am
Location: Austria

Re: Wireguard failover (?)

Mon Apr 25, 2022 9:15 pm

Seems that this was the issue: I don't know why or how but it seems my HQ acted as a client (and not as the server) for the wireguard connection.
Now, after I have removed the preconfigured port from Wireguard peer on MT remote it works as expected.
