WireGuard within a WireGuard VPN

Lonnie Abelbeck lists at lonnie.abelbeck.com
Tue Jun 5 21:09:15 CEST 2018


Hi,

I have successfully implemented a WAN failover using a Netgear LB1121 4G/LTE Modem over a WireGuard tunnel to a VM instance (static IPv4) in the cloud.

Since most 4G/LTE providers only support outbound-only (NAT'ed), IPv4-only, dynamic IPv4 address networks, by using WireGuard to a static IPv4 endpoint a bidirectional dual-stack IPv4/IPv6 network is created.  Works very well.

Question ...

When failover occurs a 0.0.0.0/1 + 128.0.0.0/1 route is added to the wg0 interface via the cloud VM WireGuard address.

There is a secondary WireGuard peer (dynamic remote endpoint) other than the failover 4G/LTE peer, which on failover tries to re-establish over the WireGuard failover peer, which fails.

Possible solutions:

1) On failover add a route for the secondary endpoint (extracted using 'wg') and route to the ethernet interface the 4G/LTE Modem is connected to.  Fingers crossed the dynamic remote endpoint does not change during the failover.

2) Possibly reduce the MTU of the secondary WireGuard peer to allow it to work within the WireGuard failover peer.  If so, what MTU would be required for WG to tunnel within another WG? Possibly would require separate wg0 and wg1 interfaces for matching MTUs?

Appreciate any comments.

Lonnie
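The two workarounds sketched in the post above, as an added shell example that is not part of the original message: a helper that turns `wg show wg0 endpoints` output into per-peer host routes pinned to the LTE-facing interface, and the MTU arithmetic for a WireGuard tunnel carried inside another one. The interface names wg0/eth1, the gateway 192.0.2.1 and the sample peer keys/addresses are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Placeholders assumed: wg0 is the
# WireGuard interface, eth1 is the interface the 4G/LTE modem is attached to,
# 192.0.2.1 is that modem's gateway.

# Solution 1: emit host routes that pin each peer's current endpoint to the
# physical path, so the 0.0.0.0/1 + 128.0.0.0/1 failover routes do not drag the
# secondary peer's handshake packets into the failover tunnel.
# Reads `wg show <iface> endpoints` output from stdin, one peer per line:
#   <pubkey><TAB><host>:<port>   or   <pubkey><TAB>(none)
endpoint_routes() {
    dev="$1"; gw="$2"
    while IFS="$(printf '\t')" read -r pubkey endpoint; do
        case "$endpoint" in
            "(none)"|"") continue ;;        # peer never connected: nothing to pin
            \[*\]:*) continue ;;            # IPv6 endpoint: the LTE path is IPv4-only
            *) host="${endpoint%:*}" ;;     # strip :port from the IPv4 endpoint
        esac
        echo "ip route replace $host/32 dev $dev via $gw"
    done
}

# Solution 2: MTU arithmetic. WireGuard wraps every packet in 32 bytes of its
# own framing plus UDP (8) and the outer IP header (20 for IPv4, 40 for IPv6),
# so one tunnel layer costs 60 bytes over IPv4 and 80 over IPv6.
# wg-quick's default MTU of 1420 is exactly 1500 - 80.
wg_mtu() {
    overhead=60
    [ "$2" = 6 ] && overhead=80
    echo $(( $1 - overhead ))
}

# MTU for a WireGuard tunnel nested inside another WireGuard tunnel.
# Usage: nested_mtu <link_mtu> <outer_transport_ip_version> <inner_transport_ip_version>
nested_mtu() {
    nested_outer=$(wg_mtu "$1" "$2")
    wg_mtu "$nested_outer" "$3"
}

# Constructed sample of `wg show wg0 endpoints` output (fake keys, RFC 5737 addresses).
sample_endpoints() {
    printf 'PEERKEY_FAILOVER=\t198.51.100.10:51820\n'
    printf 'PEERKEY_SECONDARY=\t203.0.113.7:51820\n'
    printf 'PEERKEY_IDLE=\t(none)\n'
}

sample_endpoints | endpoint_routes eth1 192.0.2.1
echo "wg1 MTU inside wg0, both layers over IPv4: $(nested_mtu 1500 4 4)"
```

Run the emitted `ip route replace` lines before the failover default routes are installed; with a dynamic remote endpoint they need re-running whenever `wg show` reports a new endpoint.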


