To elaborate on, there
is something that can be clarified …

I have a multihomed server (our router for everything) attached to a core
switch with vlans, and the router runs openvswitch (but that’s besides the

We run a bunch of wg peers, interconnected to each other (30 or so), but
most connect directly to our router.

The router has an Uplink interface with a /30 and I use that interface
solely to forward packets to our (bgp routed) default gw (Provider).

On the same router, I have a Public Interface, also with a public IP (/24)
and have on the router itself some IP addresses used for DNAT, and here
specifically one for Wireguard. (so NOT the Uplink IP address)

When wireguard clients connect, their config shows their peer to be the
Uplink IP address instead of the IP on the Public interface that was
specifically assigned for wireguard (wgsrv), and as such packets sent to
the Uplink IP address were dropped by the firewall.

You might say: open up the port for wireguard on the Uplink and off you go.
Which I did, to solve my immediate problem. (still find it ugly)

But now we’re getting a second provider in da house, that will be connected
the same way as the other, with that link being Uplink2. So now I *really*
need my bgp routed Public IP address to be the sole IP answering wireguard
packets, so that I can be sure that if one of my bgp peers dies, the same
Public IP address is used by the clients, not the one wireguard deduces
from the subnet with the default route.

Now, wireguard will use the incoming UplinkX IP as source and advertise it
to the clients connected through either one that has the same metric and
routing policy.

Voila… in a nutshell ;-)