Hi Michael,

I seem to recall discussing this before, but why the 3 separate /24 networks requiring a rc.elocal rather than one /22 network set by the WG configs?

# netcalc 172.29.200.1/22
Address  : 172.29.200.1         10101100.00011101.110010 00.00000001
Netmask  : 255.255.252.0 = 22   11111111.11111111.111111 00.00000000
Wildcard : 0.0.3.255            00000000.00000000.000000 11.11111111
=>
Network  : 172.29.200.0/22      10101100.00011101.110010 00.00000000
HostMin  : 172.29.200.1         10101100.00011101.110010 00.00000001
HostMax  : 172.29.203.254       10101100.00011101.110010 11.11111110
Broadcast: 172.29.203.255       10101100.00011101.110010 11.11111111
Hosts/Net: 1022                 Class B, Private network (RFC1918)

Other than that, with only a quick glance, it looks like you understand the elegance of WireGuard.

Also I see you noted:
--
# No keepalive required as SIP Options ping will keep it up
--
which is probably just fine, though there is not much added overhead if "PersistentKeepalive = 25" is also set possibly on the remote non-"SIP Options ping" peer, just something to file away in your mind.

Lonnie

> On Jun 7, 2019, at 8:57 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>
> Hi Group
>
> I would like to bring this up again as I have begun development of a transit switch for my customers (using Astlinux).
> The architecture will be both a primary and secondary server for the transit switch with regular synchronisation from Primary to Secondary. Both will have trunks to my upstream SIP provider with active/active redundancy.
> All customer Astlinux boxes will connect via Wireguard VPN as a client to 3 servers being Primary Transit, Secondary Transit and a Management server (I would rather not manage through the Transit servers). The customer Astlinux box could also be a VPN server for other satellite sites and user Remote Peers.
> Should this config work?
>
> -- Management Server --
> gui.wireguard.conf:
> WIREGUARD_IP="172.29.200.254"
> WIREGUARD_NM="255.255.255.0"
>
> wg0.peer:
> [Peer]
> # Peer 1
> PublicKey = ###
> AllowedIPs = 172.29.200.1/32
>
> [Peer]
> # Peer 2
> PublicKey = ###
> AllowedIPs = 172.29.200.2/32
> ........
>
> [Peer]
> # Peer 200
> PublicKey = ###
> AllowedIPs = 172.29.200.200/32
>
>
> -- Primary Server --
> gui.wireguard.conf:
> WIREGUARD_IP="172.29.201.254"
> WIREGUARD_NM="255.255.255.0"
>
> wg0.peer:
> [Peer]
> # Peer 1
> PublicKey = ###
> AllowedIPs = 172.29.201.1/32
>
> [Peer]
> # Peer 2
> PublicKey = ###
> AllowedIPs = 172.29.201.2/32
> ........
>
> [Peer]
> # Peer 200
> PublicKey = ###
> AllowedIPs = 172.29.201.200/32
>
>
> -- Secondary Server --
> gui.wireguard.conf:
> WIREGUARD_IP="172.29.202.254"
> WIREGUARD_NM="255.255.255.0"
>
> wg0.peer:
> [Peer]
> # Peer 1
> PublicKey = ###
> AllowedIPs = 172.29.202.1/32
>
> [Peer]
> # Peer 2
> PublicKey = ###
> AllowedIPs = 172.29.202.2/32
> ........
>
> [Peer]
> # Peer 200
> PublicKey = ###
> AllowedIPs = 172.29.202.200/32
>
>
> -- Client --
> gui.wireguard.conf:
> # This range is used for peers to us that we are a server e.g. satellite sites and users
> WIREGUARD_IP="172.29.253.1"
> WIREGUARD_NM="255.255.255.0"
>
> rc.elocal:
> # Add Secondary IP Addresses to wg0
> ip addr add 172.29.200.1/24 dev wg0
> ip addr add 172.29.201.1/24 dev wg0
> ip addr add 172.29.202.1/24 dev wg0
>
> wg0.peer:
> [Peer]
> # Management Server
> PublicKey = ###
> Endpoint = management01.ipcaccess.net
> AllowedIPs = 172.29.200.254/32
> PersistentKeepalive = 25
>
> [Peer]
> # Primary Server
> PublicKey = ###
> Endpoint = primary01.ipcaccess.net
> AllowedIPs = 172.29.201.254/32
> # No keepalive required as SIP Options ping will keep it up
>
> [Peer]
> # Secondary Server
> PublicKey = ###
> Endpoint = secondary01.ipcaccess.net
> AllowedIPs = 172.29.202.254/32
> # No keepalive required as SIP Options ping will keep it up
>
> [Peer]
> # Another Astlinux box peering to us
> PublicKey = ###
> AllowedIPs = 172.29.253.2/32,<other accessible routes at the satellite site>
> # No keepalive required as SIP Options ping will keep it up
> --
>
> Can anyone see problems with this configuration?
>
> Regards
> Michael Knill
>
> From: David Kerr <da...@kerr.net>
> Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net>
> Date: Tuesday, 1 January 2019 at 6:21 pm
> To: AstLinux List <astlinux-users@lists.sourceforge.net>
> Subject: Re: [Astlinux-users] Multiple wg interfaces
>
> Michael,
> A single wg interface can have multiple IP addresses. They can be different subnets too. You will have to manually edit the config files.
>
> David.
>
> On Tue, Jan 1, 2019 at 6:37 AM Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>> Hi group
>>
>> Here is my scenario. I have primary and backup Wireguard VPN Peers that multiple Astlinux boxes will be connecting to.
>> I assume that I will need different wgx interfaces for this as I can't have the same IP Address.
>> If so, just wondering how to set this up in Astlinux?
>>
>> Regards
>> Michael Knill
>> _______________________________________________
>> Astlinux-users mailing list
>> Astlinux-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>>
>> Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.
> --
> David Kerr Sent from Gmail Mobile
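
Added example, not part of the original thread and not AstLinux code: a Python check of the client's wg0.peer from the quoted configuration. It reports AllowedIPs that overlap between peers and lists peers whose AllowedIPs fall outside the 172.29.200.0/22 shown in the netcalc output. The sample text is constructed from the values in the thread, and the function names are hypothetical.

```python
import ipaddress
from itertools import combinations

# Constructed sample: the client's wg0.peer as quoted in the thread (PublicKey,
# Endpoint and keepalive lines and the satellite's extra routes are left out).
CLIENT_WG0_PEER = """\
[Peer]
# Management Server
AllowedIPs = 172.29.200.254/32
[Peer]
# Primary Server
AllowedIPs = 172.29.201.254/32
[Peer]
# Secondary Server
AllowedIPs = 172.29.202.254/32
[Peer]
# Another Astlinux box peering to us
AllowedIPs = 172.29.253.2/32
"""

def parse_peers(text):
    """Return [(label, [ip_network, ...]), ...], one entry per [Peer] section."""
    peers = []
    for line in (l.strip() for l in text.splitlines()):
        if line == "[Peer]":
            peers.append(["unnamed peer", []])
        elif not peers:
            continue  # skip anything before the first [Peer]
        elif line.startswith("#") and peers[-1][0] == "unnamed peer":
            peers[-1][0] = line.lstrip("# ")  # first comment names the peer
        elif line.replace(" ", "").startswith("AllowedIPs="):
            for cidr in line.split("=", 1)[1].split(","):
                peers[-1][1].append(ipaddress.ip_network(cidr.strip(), strict=False))
    return [(name, nets) for name, nets in peers]

def allowed_ip_clashes(peers):
    """(kind, peer_a, peer_b) per overlapping AllowedIPs pair: "duplicate" is one
    prefix on two peers (WireGuard keeps it on one); "nested" is most-specific-wins."""
    return [("duplicate" if x == y else "nested", a, b)
            for (a, nets_a), (b, nets_b) in combinations(peers, 2)
            for x in nets_a for y in nets_b if x.overlaps(y)]

def peers_outside(peers, supernet):
    """Labels of peers with an AllowedIPs entry outside supernet (e.g. the /22)."""
    net = ipaddress.ip_network(supernet)
    return [name for name, nets in peers if not all(n.subnet_of(net) for n in nets)]

if __name__ == "__main__":
    peers = parse_peers(CLIENT_WG0_PEER)
    print(allowed_ip_clashes(peers), peers_outside(peers, "172.29.200.0/22"))
```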