Hello,

I'm searching for a way to dynamically add or delete routes when a tunnel comes up or goes down. I do not mean "interface wg0 comes up", but explicitly "tunnel comes up" in the sense that both peers see each other, key exchange has been successful and packets would be transported through the tunnel.

The idea behind this is to have redundant tunnels. Let's say a Wireguard client has a preferred server and a secondary server. Packets should be routed through the preferred router while that tunnel is established and through the secondary server when the preferred server is not available for some reason.

I could always install Quagga or Bird and use OSPF. But that might be a bit of an overkill for a simple active/passive failover.

Is there any way to react to tunnel state events in Wireguard?

Regards,
Robert
On 22/11/2021 17:20, Robert Dahlem wrote:
> The idea behind this is to have redundant tunnels. Let's say a Wireguard
> client has a preferred server and a secondary server. Packets should be
> routed through the preferred router while that tunnel is established and
> through the secondary server when the preferred server is not available
> for some reason.

Would route metrics work for this?
Hi,

On 23.11.2021 23:40, Jonathon Fernyhough wrote:
>> The idea behind this is to have redundant tunnels. Let's say a Wireguard
>> client has a preferred server and a secondary server. Packets should be
>> routed through the preferred router while that tunnel is established and
>> through the secondary server when the preferred server is not available
>> for some reason.
> Would route metrics work for this?

Yes and no.

Metrics do useful things when there are identical prefixes with different metrics over *working* paths. So when both tunnels are up, metrics can choose the preferred path.

With Wireguard (as far as I understand it) routes exist independently from tunnel state. If the path through the preferred server has a better metric, but doesn't work, the system does not fall back to the path through the secondary server.

Metrics work fine when routes are installed/uninstalled dynamically. Say you have a system with LAN connectivity (best metric), Wifi connectivity (medium metric) and mobile (UMTS/LTE) connectivity (worst metric). All of them give you a default route. If all of them are actually connected, the system would use the route through the LAN. As soon as you unplug the LAN cable, the LAN routes disappear and the Wifi routes are selected. Plug the cable back in, the LAN routes reappear and the system uses the LAN route.

Yes, metrics would work for this. But only if the routes don't appear before a tunnel comes up and disappear when the tunnel goes down.

Regards,
Robert
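The scheme Robert describes (both tunnel routes carry a metric, and each route exists only while its tunnel is actually live) as an added example; this is not code from the thread or from the WireGuard project. It assumes two tunnels on separate interfaces, wg-primary and wg-secondary, brought up by wg-quick with `Table = off` so that AllowedIPs does not install routes on its own, a prefix 10.0.0.0/8 reachable through either server, and the servers' public keys in PRIMARY_KEY and SECONDARY_KEY; all of those names are assumptions. Tunnel liveness is read from `wg show <iface> latest-handshakes`: WireGuard stops using a session 180 seconds after its handshake (REJECT_AFTER_TIME), and a client with PersistentKeepalive set renegotiates well before that while the peer answers, so a handshake older than 180 seconds, or none at all, is treated as "down". Without PersistentKeepalive an idle tunnel would also look down, which is the one caveat of this signal.

```shell
#!/bin/sh
# Added example: active/passive failover between two WireGuard tunnels.
# Both routes carry a metric; the kernel prefers the lower one while it exists,
# and this watchdog withdraws a route as soon as its tunnel is no longer live.
# Interface names, keys, prefix and metrics are assumptions for the example.

PREFIX=${PREFIX:-10.0.0.0/8}
PRIMARY_IF=${PRIMARY_IF:-wg-primary}
SECONDARY_IF=${SECONDARY_IF:-wg-secondary}
PRIMARY_KEY=${PRIMARY_KEY:-'<primary server public key>'}
SECONDARY_KEY=${SECONDARY_KEY:-'<secondary server public key>'}
PRIMARY_METRIC=10
SECONDARY_METRIC=20
INTERVAL=${INTERVAL:-10}

# WireGuard stops using a session REJECT_AFTER_TIME (180 s) after its handshake.
# With PersistentKeepalive set, a live peer renegotiates before that, so a
# handshake older than this means the peer has stopped answering.
MAX_HANDSHAKE_AGE=180

# parse_latest_handshake OUTPUT PUBKEY
# OUTPUT is the text of `wg show IFACE latest-handshakes` (one "pubkey<TAB>epoch"
# line per peer). Prints the epoch for PUBKEY, or 0 when the peer is absent or
# has never completed a handshake (WireGuard itself reports 0 in that case).
parse_latest_handshake() {
    printf '%s\n' "$1" | awk -v k="$2" '
        $1 == k { print $2; found = 1 }
        END { if (!found) print 0 }'
}

# tunnel_state LATEST_HANDSHAKE NOW -> prints "up" or "down"
tunnel_state() {
    hs=$1; now=$2
    if [ "$hs" -le 0 ]; then
        echo down
        return 0
    fi
    age=$((now - hs))
    if [ "$age" -ge 0 ] && [ "$age" -lt "$MAX_HANDSHAKE_AGE" ]; then
        echo up
    else
        echo down
    fi
}

# handshake_for IFACE PUBKEY: query the live interface (0 if wg or iface is missing)
handshake_for() {
    parse_latest_handshake "$(wg show "$1" latest-handshakes 2>/dev/null)" "$2"
}

# sync_route IFACE STATE METRIC: make the route's presence match STATE.
# `ip route replace` is idempotent, so re-running with an unchanged state is harmless.
sync_route() {
    iface=$1; state=$2; metric=$3
    if [ "$state" = up ]; then
        ip route replace "$PREFIX" dev "$iface" metric "$metric"
    else
        ip route del "$PREFIX" dev "$iface" metric "$metric" 2>/dev/null || true
    fi
}

# Poll both tunnels; while both are up the kernel picks the primary (metric 10),
# and the moment its handshake goes stale only the secondary route remains.
watch_loop() {
    while :; do
        now=$(date +%s)
        sync_route "$PRIMARY_IF" \
            "$(tunnel_state "$(handshake_for "$PRIMARY_IF" "$PRIMARY_KEY")" "$now")" \
            "$PRIMARY_METRIC"
        sync_route "$SECONDARY_IF" \
            "$(tunnel_state "$(handshake_for "$SECONDARY_IF" "$SECONDARY_KEY")" "$now")" \
            "$SECONDARY_METRIC"
        sleep "$INTERVAL"
    done
}

# Start the loop only when asked (WG_FAILOVER_RUN=1 ./wg-failover.sh), so the
# functions above can also be sourced and exercised without touching routes.
if [ "${WG_FAILOVER_RUN:-0}" = 1 ]; then
    watch_loop
fi
```

Run it as root under a supervisor (a systemd service with Restart=always is enough) and keep INTERVAL well below MAX_HANDSHAKE_AGE, otherwise a dead primary keeps its route for up to one extra polling period. The same loop extends to more than two servers by giving each a higher metric.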
On Mon, 22 Nov 2021 at 18:20, Robert Dahlem <Robert.Dahlem@gmx.net> wrote:
> I could always install Quagga or Bird and use OSPF. But that might be a
> bit of an overkill for a simple active/passive failover.
RIP, OSPF, BGP, EIGRP. Any of them can work. And would IMO be sufficiently
simple to set up and maintain. Either way, you will need a daemon to
maintain monitoring of the packets being able to flow over the tunnel.
If you select a routing daemon or another daemon. ... take a pick.
On 24/11/21 9:48 pm, Chriztoffer Hansen wrote:
> On Mon, 22 Nov 2021 at 18:20, Robert Dahlem <Robert.Dahlem@gmx.net> wrote:
>> I could always install Quagga or Bird and use OSPF. But that might be a
>> bit of an overkill for a simple active/passive failover.
> RIP, OSPF, BGP, EIGRP. Any of them can work. And would IMO be sufficiently
> simple to set up and maintain. Either way, you will need a daemon to
> maintain monitoring of the packets being able to flow over the tunnel.
> If you select a routing daemon or another daemon. ... take a pick.
>
Correct, not the job of Wireguard.
Cheers
Mike
Hi,

On 24.11.2021 13:04, Mike O'Connor wrote:
> On 24/11/21 9:48 pm, Chriztoffer Hansen wrote:
>>> I could always install Quagga or Bird and use OSPF. But that might be a
>>> bit of an overkill for a simple active/passive failover.
>> RIP, OSPF, BGP, EIGRP. Any of them can work. And would IMO be sufficiently
>> simple to set up and maintain. Either way, you will need a daemon to
>> maintain monitoring of the packets being able to flow over the tunnel.
>> If you select a routing daemon or another daemon. ... take a pick.
> Correct, not the job of Wireguard.

I can live with that. Thanks for clearing up.

Regards,
Robert