WG load balancing?

Tim Weippert weiti at weiti.org
Thu May 10 11:36:49 CEST 2018


Hi Matthias, 


On Thu, May 10, 2018 at 11:21:44AM +0200, Matthias Urlichs wrote:
> Hello list,
> 
> Assume a branch office with two uplinks to the Internet that wants to
> use WG to talk to the main office, using both of these uplinks in
> parallel (assuming they're both up) for better uplink speed (and for
> redundancy if they aren't). Now the obvious idea is to create two WG
> interfaces on each side, and add a couple of firewall rules to make sure
> that packets fwmarked 1 go out on the first uplink, and so on.
> 
> That's the easy part. The hard part is how to teach the kernel to load
> balance its default route between the WG interfaces. I tried to use a
> libteam or bonding interface to tie them together, but apparently WG
> isn't Ethernet, so that doesn't work.
> 
> I thought about using a GRE tunnel, but tunnels have fixed endpoint
> addresses – somehow I don't think it'd be a good idea to create two
> wireguard interfaces with the same IP address … and I don't really want
> to do heavy-handed address mangling on every packet. Losing all
> connectivity whenever I happen to flush my firewall tables doesn't
> appeal to me.

Maybe you can use some kind of dynamic routing approach here. Use FRR,
Quagga or Bird with e.g. OSPF and ECMP (Equal Cost Multipath) to utilize
both links. (Practically, you can also have two default routes with the
same metric, and this should do round-robin-style load balancing.)

Additionally, you get failover functionality with the dynamic routing: when
one path is lost, it moves to the other one. And you don't need to mark
packets on the firewall level.

> Ideally I would like the kernel's wireguard interfaces to be compatible
> with teaming … any takers?

Can't help with teaming here.

HTH, 
tim

-- 
Tim Weippert
http://weiti.org - weiti at weiti.org
GPG Fingerprint - E704 7303 6FF0 8393 ADB1  398E 67F2 94AE 5995 7DD8
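Added example, not part of Tim's reply or of the WireGuard project: a POSIX shell script that produces the commands for the setup this thread discusses, each WireGuard tunnel pinned to one uplink through its fwmark and a policy-routing table, plus a single ECMP default route over both tunnel interfaces instead of a routing daemon. Interface names, gateway addresses, marks and table numbers are assumed for the demonstration; by default it only prints the commands.

```shell
#!/bin/sh
# Added example (not from the thread). DRY_RUN=1 (default) prints the
# commands instead of executing them; DRY_RUN=0 runs them (needs root).
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Pin one tunnel's encapsulated UDP to one uplink: WireGuard stamps its
# outer packets with the fwmark, a policy rule sends marked packets to a
# dedicated table whose only default route points at that uplink's gateway.
# So the inner ECMP decision below never affects which uplink a tunnel uses.
pin_tunnel_to_uplink() {
    wg_if="$1"; mark="$2"; uplink_if="$3"; gw="$4"; table="$5"
    run wg set "$wg_if" fwmark "$mark"
    run ip route replace default via "$gw" dev "$uplink_if" table "$table"
    run ip rule add fwmark "$mark" lookup "$table"
}

# Inner traffic: one default route with two next hops of equal weight.
# Linux picks the next hop per flow (a hash of the addresses by default),
# not per packet, so one TCP connection stays on a single tunnel while
# many flows are spread across both; a dead tunnel link drops out of the
# route only when its interface goes down, which is what OSPF would add.
ecmp_default_over_tunnels() {
    run ip route replace default \
        nexthop dev "$1" weight 1 \
        nexthop dev "$2" weight 1
}

# Assumed names: wg0 via eth1 (gateway 192.0.2.1), wg1 via eth2
# (gateway 198.51.100.1); tables 101/102 and marks 1/2 are arbitrary.
setup_branch() {
    pin_tunnel_to_uplink wg0 1 eth1 192.0.2.1    101
    pin_tunnel_to_uplink wg1 2 eth2 198.51.100.1 102
    ecmp_default_over_tunnels wg0 wg1
}

if [ "${1:-}" = "apply" ]; then
    setup_branch
fi
```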