Hello everyone,

I recently rebuild my local network and my remote network:
HQ: ISP -> Mikrotik (internet border router) -> 2x OPNsense as HA configuration with CARP -> LAN
Remote: ISP -> Mikrotik -> LAN

On both places I am using Wireguard as VPN connection and so far it works pretty out of the box.
As soon as I initiate a failover on OPNsense the Wireguard connection is down - which is in general okay as the 2nd OPNsense firewall will take over - but unfortuantely it seems that my remote Mikrotik router does not reinitialise the VPN connection.
Keepalive is configured on remote site with 10 seconds.

I have another remote location where I am using a Turris router (modified OpenWRT) and there the failover works as expected.


Anyone able to tell me what to configure?

See Article Para 6 may apply! - viewtopic.php?t=182340

I am not sure if this might be my reason as I am using a static IP address which is being terminated on my HQ Mikrotik router.
No hostname or dynamic hostnames are being used.

Not sure there is anything that the MT client can do in your setup. Interesting question though.....
There are some folks here that will give you some ideas......

Hmm maybe something like
"ping 5x" if no ping then restart Wireguard service.

I did not know how to do this via SSH so I just disabled the Wireguard interface and enabled it again but that did not solve my issue.

@anav: May I ask, where to place/use such a script as you have mentioned at para 6?

Try more details. Is it client to server (= remote is behind NAT and HQ needs to wait until it connects) or peer to peer (any side can initialize connection to the other)? What exactly happens on failover? Does the second machine come up with same IP address and WG listening on same port? If so, it should work.

Try more details. Is it client to server (= remote is behind NAT and HQ needs to wait until it connects) or peer to peer (any side can initialize connection to the other)? What exactly happens on failover? Does the second machine come up with same IP address and WG listening on same port? If so, it should work.

Hello Sob,

it's client to server - so my HQ need to wait for remote to initialise the connection.

On failover the 2nd firewall takes over the virtual IP and is reponsible for handling any traffic to it from WAN site - from an external perspective you should not see any difference as the virtual IP address has also a virtual MAC address which is being shared between both firewalls.
Additional the Wireguard and routing (FRR) service will start on the 2nd service as it recognize that is now the primary firewall.

Sounds like an HA setup issue. Is there some mac address change somewhere??
If there is no change to destination port or IP address, and if the HQ MT WANIP stays up, not sure what can be done at the client side ???

Sounds like an HA setup issue. Is there some mac address change somewhere??
If there is no change to destination port or IP address, and if the HQ MT WANIP stays up, not sure what can be done at the client side ???

I am also not sure - from a WAN perspective even the MAC address stays the same as any WAN traffic passes my Mikrotik internet border router before HA from my firewalls take over.
Is there any possiblitiy (I haven't done any scripting so far on Mikrotik) to ping from the remote side my HQ within the wg tunnel and as soon as e.g. 5 pings do not work then it should restart the wg service (I think is is done by setting the peer disable and reenable it)?

Assuming at the MT client device \
a. one does NOT get a public IP address.
b. one CANNOT forward a port on the ISP router to the MT device??

What is also strange:

On my internet border router (= HQ) I cannot see any connections going to the dst port?!
Althought wireguard VPN is up and running and hosts can ping each other.

It's a bit weird?

Why would you have a destination port on the MT HQ??
It would be a port forward rule from the MT HQ on UDP wireguard port to Server Device??

(unless you have created a static route on the MT HQ, so that remote users exiting HQ for internet, can get back to the Server Device and into the tunnel to go back to MH client device).

It seemed that my OPNsense fw has established a connection with my remote side via a NAT.
I removed the prefilled Wireguard listen-port and let it choose a new random one and after that the connection looks like an incoming VPN client-> server connection which I expect.

Seems that this was the issue: I don't know why or how but it seems my HQ acted as a client (and not as the server) for wireguard connection.
Now, after I have removed the preconfigured port from Wireguard peer on MT remote it works as expected.