Hi Michael, Yes, you can use OpenVPN and WireGuard at the same time, no problem. I do.
WireGuard is much faster / more efficient than OpenVPN, mostly since it resides in the kernel and can use multiple cores. Here are some benchmarks I posted to the WireGuard mailing list: https://lists.zx2c4.com/pipermail/wireguard/2017-December/002204.html There are user-space implementations of WireGuard, written in Golang, starting to appear for testing, but for non-Linux endpoints I would stick with OpenVPN for now. BTW, I currently have WAN Failover on my production AstLinux box using the Netgear LB1121 4G/LTE over WireGuard VPN to a Linode KVM running AstLinux. Working is dual stack IPv4/IPv6 failover for the AstLinux box itself and any internal network of my choosing. I have outbound Asterisk failover working, but that is still a work in progress, not sure the best method yet. Lonnie > On May 28, 2018, at 5:03 AM, Michael Knill > <michael.kn...@ipcsolutions.com.au> wrote: > > Hi group > > Im ready to do some testing. > I have a number of sites that are set up as OpenVPN Servers. Should there be > any issues using Wireguard as well? > PS I just looked up Wireguard and I cant believe the difference in benchmarks > to Open VPN. That's crazy! > > Regards > Michael Knill > > On 24/5/18, 9:23 am, "Michael Knill" <michael.kn...@ipcsolutions.com.au> > wrote: > > Thanks Lonnie. I don't have a specific scenario yet but handy to know its > possible. > > Regards > Michael Knill > > On 24/5/18, 8:54 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote: > > Michael, > >> So are you saying that you can configure a second external interface and the >> associated routing to it with the Failover Tab but just leave Failover >> disabled? > > Yes, "External Failover Destination Routes:" automatically defines > static routes, automatically removed and added for DHCP changes. > > >> If so, I assume it uses the same EXT firewall rules? > > Yes. There is a way to treat EXTIF and EXT2IF firewall rules > differently, but the same is usually OK. > > Lonnie > > > >> On May 23, 2018, at 5:17 PM, Michael Knill >> <michael.kn...@ipcsolutions.com.au> wrote: >> >> Hi Lonnie >> >> So are you saying that you can configure a second external interface and the >> associated routing to it with the Failover Tab but just leave Failover >> disabled? >> If so, I assume it uses the same EXT firewall rules? >> >> Regards >> Michael Knill >> >> On 22/5/18, 8:59 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote: >> >> Hi Michael, >> >>> I noticed you also pass the VPN traffic to the site LAN >> >> Yes, I tried to implement the general case, easy to remove stuff. >> >>> the VPN would normally just be used for voice traffic and management only. >> >> In that case "External Failover Destination Routes: IPv4 Routes:" could >> define all the destination routes you need without "Failover" enabled ... >> and let Asterisk dynamically choose the SIP route. Handling inbound calls >> over the 4G/LTE VPN would also be possible. >> >> >> All seems to work well, the only fundamental issue may be the latency of >> 4G/LTE for SIP traffic ... though clearly much better than no traffic. >> >> Lonnie >> >> >> >> >>> On May 21, 2018, at 5:36 PM, Michael Knill >>> <michael.kn...@ipcsolutions.com.au> wrote: >>> >>> Thanks Lonnie you beat me to it. >>> Interestingly one of my partners is using Asterisk as their Softswitch and >>> they were thinking of setting up a single VPN Tunnel to the SoftSwitch for >>> voice traffic and so everything still works on both the primary and >>> failover links. There should be no failover scripts required! >>> >>> I noticed you also pass the VPN traffic to the site LAN but this would not >>> actually be required in practice as the VPN would normally just be used for >>> voice traffic and management only. On all VPN connections that run voice >>> traffic I set directmedia=no in sip.conf. PS I actually now use a >>> directmedia ACL on the VPN subnet so I don't need to configure anything. >>> E.g. >>> >>> directmedia=yes >>> directmediapermit=0.0.0.0/0 >>> directmediadeny=<VPN Subnet> >>> >>> Thanks again Lonnie for testing. Im looking forward to implementing it. >>> >>> Regards >>> Michael Knill >>> >>> On 22/5/18, 6:59 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote: >>> >>> Followup, Enabling Failover using a Netgear LB1121-100NAS (review below): >>> >>> The basic failover configuration is documented here: >>> >>> WAN Failover >>> https://doc.astlinux-project.org/userdoc:tt_wan_failover >>> >>> Since most 4G/LTE providers only support outbound-only (NAT'ed), >>> IPv4-only, dynamic IPv4 address networks, any basic failover configuration >>> over 4G/LTE must deal with those constraints. >>> >>> But, there is another way ... >>> >>> Enhanced WAN Failover using WireGuard: >>> >>> If you are able to run a second AstLinux instance (or most any distro with >>> WireGuard) on a static IPv4 address you can establish an always-up >>> WireGuard VPN over the 4G/LTE connection. When idle the VPN consumes less >>> than 0.5 MB/day of data. >>> >>> With this setup, both IPv4 and IPv6 can be supported as well as allowing >>> inbound traffic to the failover. When failover occurs, all the IPv4/IPv6 >>> traffic is sent over the WireGuard VPN to the "Static" WireGuard endpoint. >>> >>> To be clear, while the WireGuard VPN is established over IPv4-only, the >>> tunnel can simultaneously transport IPv4 and IPv6. >>> >>> Example: >>> >>> AstLinux "4G/LTE": Cable/DSL Modem on external interface and 4G/LTE Modem >>> on failover interface. >>> -- >>> Internal 1st LAN IPv4: 192.168.101.1/255.255.255.0 >>> Internal 1st LAN IPv6: fda6:a6:a6:d2::1/64 >>> WireGuard IPv4: 10.4.1.10/255.255.255.0 >>> WireGuard IPv6: fda6:a6:a6:ff::10/64 >>> IPv6 ULA/NPTv6: fda6:a6:a6::/56 >>> >>> AstLinux "Static": Static IPv4 (or IPv4/IPv6) on external interface. >>> -- >>> Routable Public IPv4: 1.2.3.4 >>> WireGuard IPv4: 10.4.1.1/255.255.255.0 >>> WireGuard IPv6: fda6:a6:a6:ff::1/64 >>> IPv6 ULA/NPTv6: fda6:a6:a6::/56 >>> >>> >>> == AstLinux "4G/LTE" Endpoint Configuration >>> >>> Network tab -> WireGuard Configuration: >>> Tunnel Options: >>> IPv4 Address: 10.4.1.10 >>> IPv4 NetMask: 255.255.255.0 >>> IPv6/nn Address: fda6:a6:a6:ff::10/64 >>> >>> -- /mnt/kd/wireguard/peer/wg0.peer snippet -- >>> [Peer] >>> ## 4G/LTE Endpoint >>> PublicKey = <For Static Endpoint> >>> Endpoint = 1.2.3.4:51820 >>> AllowedIPs = 0.0.0.0/0, ::/0 >>> PersistentKeepalive = 25 >>> -- >>> >>> Network tab -> WAN Failover Configuration: >>> WAN Failover: >>> Failover: [enabled] >>> Secondary Gateway IPv4: 10.4.1.1 >>> Secondary Gateway IPv6: fda6:a6:a6:ff::1 >>> >>> External Failover Interface: >>> Connection Type: [DHCP] >>> >>> External Failover Destination Routes: >>> IPv4 Routes: 192.168.5.0/24 1.2.3.4 >>> >>> >>> Network tab -> Firewall Configuration: >>> Firewall Options: >>> _x_ Allow WireGuard VPN tunnel to the [1st] LAN Interface(s) >>> >>> >>> == AstLinux "Static" Endpoint Configuration >>> >>> Network tab -> WireGuard Configuration: >>> Tunnel Options: >>> IPv4 Address: 10.4.1.1 >>> IPv4 NetMask: 255.255.255.0 >>> IPv6/nn Address: fda6:a6:a6:ff::1/64 >>> >>> >>> -- /mnt/kd/wireguard/peer/wg0.peer snippet -- >>> [Peer] >>> ## Static Endpoint >>> PublicKey = <For 4G/LTE Endpoint> >>> AllowedIPs = 10.4.1.10/32, 192.168.101.0/24, fda6:a6:a6:ff::10/128, >>> fda6:a6:a6:d2::/64 >>> -- >>> >>> -- /mnt/kd/rc.conf.d/user.conf snippet -- >>> NAT_FOREIGN_NETWORK="192.168.101.0/24" >>> -- >>> >>> == >>> >>> I personally tested this scenario and it worked as expected. >>> >>> Note that one AstLinux "Static" server can support many remote failover >>> AstLinux "4G/LTE" boxes. >>> >>> Tip: if you have shell access to AstLinux "Static", 'ssh root@10.4.1.10' >>> will access AstLinux "4G/LTE" over the VPN connection, regardless if >>> failover is active. >>> >>> Lonnie >>> >>> >>> >>> >>> >>> ================================== >>> Per a post by Michael Knill "4G backup" I purchased a Netgear >>> LB1121-100NAS (North America) supporting PoE and includes a power adapter. >>> >>> LTE Modem LB1120 and LB1121 User Manual >>> https://www.downloads.netgear.com/files/GDC/LB1120/LB112x_UM_EN.pdf >>> >>> Overall, I'm pleased with the LB1121, the PoE is good to have, makes easy >>> positioning for good reception. >>> >>> I also tested the Netgear 6000450 MIMO Antenna, it can add 1-bar, but with >>> no antenna and 4 out of 5 bars sitting on the lab bench I was able to get >>> 90/20 Mbps (down/up) on a speed test. >>> >>> If a person were to mount the modem on a wall next to a window, the >>> antenna would be useful to reach over and place on the glass. >>> >>> I tested with "Ting" a MVNO (Mobile Virtual Network Operator) for >>> T-Mobile's GSM network. I ordered a GSM SIM card from Ting, the Netgear >>> LB1121 comes with an empty SIM slot. >>> >>> I connected the Netgear LB1121 to a spare ethernet interface, Network tab >>> -> Failover Interface: [eth2] and also ... >>> -- Network tab -> WAN Failover Configuration: -- >>> External Failover Interface: >>> Connection Type: [DHCP] >>> >>> External Failover Destination Routes: >>> IPv4 Routes: 192.168.5.0/24 >>> -- >>> If you change the LB1121's IPv4 address, also change the above IPv4 >>> Routes: as this is required when the LB1121 is set to "Bridge Mode". >>> Note: WAN Failover is disabled at this point in time. We are now simply >>> defining a 2nd external interface. >>> >>> With Ting I needed to edit the APN ... >>> -- >>> Ting (GSM) T-Mobile >>> APN: wholesale >>> -- >>> and the LB1121 easily allows for that via the web interface, which >>> defaults to http://192.168.5.1 >>> >>> Firmware updates are via the web interface, but you must have a SIM card >>> activated and installed to perform an upgrade over the GSM network. >>> >>> Web interface password changes don't ask for a match, so a typo requires a >>> reset to factory defaults to fix it. But overall, the web interface is >>> nicely done. >>> >>> After I got the LB1121 configured as desired, working, and firmware >>> upgraded, I then switched to "Bridge Mode", depending on your 4G/LTE >>> carrier your DHCP will acquire a publicly routable IPv4 address or an >>> address that looks public but is actually behind NAT. >>> BTW: Ting/T-Mobile uses odd "private" address ranges like 25.0.0.0/8 (UK >>> Ministry of Defense) and 100.128.0.0/9 (T-Mobile), they look publicly >>> routable, but they are NAT'ed to a different public address :-( >>> >>> On a PoE 802.3af switch, the LB1121 draws 1.1 Watts, cool to the touch. >>> >>> The main issues are the 4G/LTE networks, the Ting MVNO for T-Mobile is >>> IPv4 only, and NAT'ed even when in bridge mode. So a true failover is >>> difficult to do, but by limiting your failover requirements this can still >>> be useful. Below is one such technique using WireGuard VPN. >>> >>> I have a test AstLinux box talking to my main AstLinux box over WireGuard >>> over 4G/LTE ... works nicely. Though "PersistentKeepalive = 25" is >>> required to deal with the NAT and dynamic addressing. >>> >>> FYI: Interestingly, the WireGuard overhead even with a keepalive every 25 >>> seconds results in 454 KB/day of data, which at $10/GB is only 0.00454 >>> $/day. >>> >>> == Dynamic 4G/LTE Modem Endpoint >>> >>> -- WireGuard IPv4 10.4.1.10/255.255.255.0 -- >>> [Peer] >>> ## 4G/LTE Endpoint >>> PublicKey = <For Static Endpoint> >>> Endpoint = 1.2.3.4:51820 >>> AllowedIPs = 10.4.1.1/32 >>> PersistentKeepalive = 25 >>> -- >>> >>> -- Network tab -> WAN Failover Configuration: -- >>> External Failover Interface: >>> Connection Type: [DHCP] >>> >>> External Failover Destination Routes: >>> IPv4 Routes: 192.168.5.0/24 1.2.3.4 >>> -- >>> >>> == Static IPv4 1.2.3.4 Endpoint >>> >>> -- WireGuard IPv4 10.4.1.1/255.255.255.0 -- >>> [Peer] >>> ## Static Endpoint >>> PublicKey = <For 4G/LTE Endpoint> >>> AllowedIPs = 10.4.1.10/32 >>> -- >>> >>> iperf3 test across the VPN ... >>> >>> 4G/LTE ~ # iperf3 -s >>> >>> Static ~ # iperf3 -c 10.4.1.10 -u >>> Connecting to host 10.4.1.10, port 5201 >>> [ 5] local 10.4.1.1 port 37415 connected to 10.4.1.10 port 5201 >>> [ ID] Interval Transfer Bitrate Total Datagrams >>> [ 5] 0.00-1.00 sec 128 KBytes 1.05 Mbits/sec 96 >>> ... >>> [ 5] 9.00-10.00 sec 128 KBytes 1.05 Mbits/sec 96 >>> - - - - - - - - - - - - - - - - - - - - - - - - - >>> [ ID] Interval Transfer Bitrate Jitter Lost/Total >>> Datagrams >>> [ 5] 0.00-10.00 sec 1.25 MBytes 1.05 Mbits/sec 0.000 ms 0/959 (0%) >>> sender >>> [ 5] 0.00-10.16 sec 1.25 MBytes 1.03 Mbits/sec 2.543 ms 0/959 (0%) >>> receiver >>> >>> >>> Typical ping times: 100-400 ms >>> >>> Note that without the VPN there would be no way to reach "4G/LTE" from >>> "Static" with the network NAT issues described above. >>> >>> So with a Netgear LB1121 4G/LTE Modem, by using this WireGuard VPN >>> technique on the "Failover Interface" (2nd External) your public server on >>> 1.2.3.4 will be able to access a remote AstLinux box via 4G/LTE. >>> >>> >>> Lonnie >>> >>> >>> >>> ------------------------------------------------------------------------------ >>> Check out the vibrant tech community on one of the world's most >>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot >>> _______________________________________________ >>> Astlinux-users mailing list >>> Astlinux-users@lists.sourceforge.net >>> https://lists.sourceforge.net/lists/listinfo/astlinux-users >>> >>> Donations to support AstLinux are graciously accepted via PayPal to >>> pay...@krisk.org. >>> >>> >>> ------------------------------------------------------------------------------ >>> Check out the vibrant tech community on one of the world's most >>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot >>> _______________________________________________ >>> Astlinux-users mailing list >>> Astlinux-users@lists.sourceforge.net >>> https://lists.sourceforge.net/lists/listinfo/astlinux-users >>> >>> Donations to support AstLinux are graciously accepted via PayPal to >>> pay...@krisk.org. >> >> >> >> ------------------------------------------------------------------------------ >> Check out the vibrant tech community on one of the world's most >> engaging tech sites, Slashdot.org! http://sdm.link/slashdot >> _______________________________________________ >> Astlinux-users mailing list >> Astlinux-users@lists.sourceforge.net >> https://lists.sourceforge.net/lists/listinfo/astlinux-users >> >> Donations to support AstLinux are graciously accepted via PayPal to >> pay...@krisk.org. >> >> ------------------------------------------------------------------------------ >> Check out the vibrant tech community on one of the world's most >> engaging tech sites, Slashdot.org! http://sdm.link/slashdot >> _______________________________________________ >> Astlinux-users mailing list >> Astlinux-users@lists.sourceforge.net >> https://lists.sourceforge.net/lists/listinfo/astlinux-users >> >> Donations to support AstLinux are graciously accepted via PayPal to >> pay...@krisk.org. > > > > ------------------------------------------------------------------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > _______________________________________________ > Astlinux-users mailing list > Astlinux-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/astlinux-users > > Donations to support AstLinux are graciously accepted via PayPal to > pay...@krisk.org. > > > ------------------------------------------------------------------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > _______________________________________________ > Astlinux-users mailing list > Astlinux-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/astlinux-users > > Donations to support AstLinux are graciously accepted via PayPal to > pay...@krisk.org. > > ------------------------------------------------------------------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > _______________________________________________ > Astlinux-users mailing list > Astlinux-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/astlinux-users > > Donations to support AstLinux are graciously accepted via PayPal to > pay...@krisk.org. ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ Astlinux-users mailing list Astlinux-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/astlinux-users Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.
