Development discussion of WireGuard
* Endpoint failover ip
@ 2023-07-31 21:39 Daniel
From: Daniel @ 2023-07-31 21:39 UTC (permalink / raw)
  To: wireguard

Hello,

I created a hostname with a few IPs (v4 & v6) for my wireguard server. 
Today I faced a problem: after a failure of the IP a customer's wg was 
registered with, it continued to try to register with this IP instead of 
falling back to another one.

Is there a way to avoid this problem and to get failover working 
properly with wireguard?

Thanks for any hint
-- 
Daniel


* Re: Endpoint failover ip
@ 2023-07-31 22:27 ` Daniel Gröber
From: Daniel Gröber @ 2023-07-31 22:27 UTC (permalink / raw)
  To: Daniel; +Cc: wireguard

Hi Daniel,

On Mon, Jul 31, 2023 at 11:39:35PM +0200, Daniel wrote:
> I created a hostname with a few IPs (v4 & v6) for my wireguard server.
> Today I faced a problem: after a failure of the IP a customer's wg was
> registered with, it continued to try to register with this IP instead of
> falling back to another one.

Your message is hard to parse, but I think you're having the same v4/v6
failover problem as me. See my patch "wg: Support restricting address
family of DNS resolved Endpoint":

  https://lists.zx2c4.com/pipermail/wireguard/2023-February/007961.html

which has yet to get any attention from Jason unfortunately.

The headline is this: wireguard doesn't support multiple endpoints so you
have to be careful with how you set up your host records. At the moment you
can't just throw multiple IPs in there and hope for the best. Wg will stick
to whatever IP the system picks when the tunnel comes up.

> Is there a way to avoid this problem and to get failover working properly
> with wireguard?

There isn't any wg native solution[1] right now, only hacky
workarounds. You basically need one wg tunnel per unique endpoint but once
you do that routing becomes an issue. Plain static routes won't cut it
anymore. On top of that using an endpoint domain with multiple IPs is a
problem. Things are easier if you stick to one IP per domain or just
hardcode one endpoint IP for each of the many tunnels.

[1]: Supporting multiple active endpoints is where we have to head to fix
this properly IMO, see my recent proposal
https://lists.zx2c4.com/pipermail/wireguard/2023-July/008111.html

Anyway with the many wg tunnels one could then write a script to ping
through the tunnels and switch the appropriate route to the one that
responds. This has to happen at both ends of the tunnel. Me personally, I
just use an easy-to-set-up routing daemon (babeld) to do that.

--Daniel
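
The ping-through-each-tunnel-and-switch-the-route workaround described in the reply above, as an added example that is not part of the original thread or of the WireGuard project. It assumes two tunnels wg0 and wg1 (one per endpoint IP), a peer network 10.10.0.0/16 and a probe address 10.10.0.1 reachable through either tunnel (all hypothetical); the probe is passed in as a function so the selection logic can be exercised without real interfaces.

```shell
#!/bin/sh
# Pick the first WireGuard tunnel that answers a ping and point the peer
# network's route at it. Run the same script on both ends of the tunnels
# (e.g. from cron or a systemd timer) so both sides converge on a live path.

TUNNELS="wg0 wg1"            # hypothetical: one wg interface per endpoint IP
PEER_NET="10.10.0.0/16"      # hypothetical: network reached through the tunnels
PROBE_TARGET="10.10.0.1"     # hypothetical: address that replies via any tunnel

# probe_tunnel IFACE -> exit 0 if one ping through IFACE gets a reply.
probe_tunnel() {
    ping -c 1 -W 2 -I "$1" "$PROBE_TARGET" >/dev/null 2>&1
}

# pick_tunnel PROBE IFACE... -> prints the first IFACE for which PROBE
# succeeds; exit 1 if none responds (keeps the old route in that case).
pick_tunnel() {
    probe=$1; shift
    for ifc in "$@"; do
        if "$probe" "$ifc"; then
            printf '%s\n' "$ifc"
            return 0
        fi
    done
    return 1
}

# current_tunnel -> prints the device the peer network route uses now.
current_tunnel() {
    ip route show "$PEER_NET" |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") print $(i + 1) }'
}

# apply_route IFACE -> (re)point the peer network at IFACE; replace is
# idempotent, so re-running with the same device is harmless.
apply_route() {
    ip route replace "$PEER_NET" dev "$1"
}

# failover_once -> one probe/switch cycle; only touches the route on change.
failover_once() {
    cur=$(current_tunnel)
    best=$(pick_tunnel probe_tunnel $TUNNELS) || return 1
    [ "$best" = "$cur" ] || apply_route "$best"
}

# Only act on the real system when explicitly asked (needs root for ip/ping).
if [ -n "${WG_FAILOVER_RUN:-}" ]; then
    failover_once
fi
```

Because the probe runs inside the tunnel, a WireGuard endpoint that stopped answering handshakes is detected the same way as a dead path, which is the failure mode the thread starts from.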


* Re: Endpoint failover ip
@ 2023-08-01  8:33   ` Daniel
From: Daniel @ 2023-08-01  8:33 UTC (permalink / raw)
  To: wireguard

Hi Daniel

On 01/08/2023 at 00:27, Daniel Gröber wrote:
> Hi Daniel,
>
> On Mon, Jul 31, 2023 at 11:39:35PM +0200, Daniel wrote:
>> I created a hostname with a few IPs (v4 & v6) for my wireguard server.
>> Today I faced a problem: after a failure of the IP a customer's wg was
>> registered with, it continued to try to register with this IP instead of
>> falling back to another one.
> [...]
> [1]: Supporting multiple active endpoints is where we have to head to fix
> this properly IMO, see my recent proposal
> https://lists.zx2c4.com/pipermail/wireguard/2023-July/008111.html

Yes, that's exactly the problem. Will see with babeld but hope that 
something native can be done in wireguard.

Thanks for your feedback

-- 
Daniel


* Re: Endpoint failover ip
@ 2023-08-01  9:07     ` Daniel Gröber
From: Daniel Gröber @ 2023-08-01  9:07 UTC (permalink / raw)
  To: Daniel; +Cc: wireguard

On Tue, Aug 01, 2023 at 10:33:03AM +0200, Daniel wrote:
> > On Mon, Jul 31, 2023 at 11:39:35PM +0200, Daniel wrote:
> > > I created a hostname with a few IPs (v4 & v6) for my wireguard server.
> > > Today I faced a problem: after a failure of the IP a customer's wg was
> > > registered with, it continued to try to register with this IP instead of
> > > falling back to another one.
> > [...]
> > [1]: Supporting multiple active endpoints is where we have to head to fix
> > this properly IMO, see my recent proposal
> > https://lists.zx2c4.com/pipermail/wireguard/2023-July/008111.html
> 
> Yes, that's exactly the problem. Will see with babeld but hope that
> something native can be done in wireguard.

I'm on the babel-users ML (babel-users@alioth-lists.debian.net) if it gives
you any trouble. Getting the filtering setup just right for the VPN
use-case can be a bit daunting if you've never used a routing daemon
before.

    https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/babel-users

--Daniel


