Thanks Lonnie

Yes I'm replying to the original post and yes I do recall now talking about that.
Hmm maybe I can just use a /24:

-- All 3 upstream servers --
gui.wireguard.conf:
WIREGUARD_IP="172.29.253.[252|253|254]"
WIREGUARD_NM="255.255.255.0"

wg0.peer:
[Peer]
# Peer 1
PublicKey = ###
AllowedIPs = 172.29.253.1/32

[Peer]
# Peer 2
PublicKey = ###
AllowedIPs = 172.29.253.2/32
........>

[Peer]
# Peer 100 (Note 101-199 used for Client peer's Remote Peers)
PublicKey = ###
AllowedIPs = 172.29.253.100/32

-- Client --
gui.wireguard.conf:
WIREGUARD_IP="172.29.253.[1-100]"
WIREGUARD_NM="255.255.255.0"

wg0.peer:
[Peer]
# Management Server
PublicKey = ###
Endpoint = management01.ipcaccess.net
AllowedIPs = 172.29.253.254/32
PersistentKeepalive = 25

[Peer]
# Primary Server
PublicKey = ###
Endpoint = primary01.ipcaccess.net
AllowedIPs = 172.29.253.253/32
# No keepalive required as SIP Options ping will keep it up

[Peer]
# Secondary Server
PublicKey = ###
Endpoint = secondary01.ipcaccess.net
AllowedIPs = 172.29.253.252/32
# No keepalive required as SIP Options ping will keep it up

[Peer]
# Another Astlinux box peering to us
PublicKey = ###
AllowedIPs = 172.29.253.2/32,<other accessible routes at the satellite site>
# No keepalive required as SIP Options ping will keep it up
--

Hmm it certainly is unusual as there are overlapping routes everywhere but they just don't know about each other.
It will certainly also get messy if Astlinux boxes peering to us are also peering to the 3 upstream servers.

So would Secondary addresses actually work if I did it purely for my sanity?

Regards
Michael Knill

On 8/6/19, 12:33 pm, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:

Hi Michael,

I seem to recall discussing this before, but why the 3 separate /24 networks requiring a rc.elocal rather than one /22 network set by the WG configs ?

# netcalc 172.29.200.1/22
Address  : 172.29.200.1          10101100.00011101.110010 00.00000001
Netmask  : 255.255.252.0 = 22    11111111.11111111.111111 00.00000000
Wildcard : 0.0.3.255             00000000.00000000.000000 11.11111111
=>
Network  : 172.29.200.0/22       10101100.00011101.110010 00.00000000
HostMin  : 172.29.200.1          10101100.00011101.110010 00.00000001
HostMax  : 172.29.203.254        10101100.00011101.110010 11.11111110
Broadcast: 172.29.203.255        10101100.00011101.110010 11.11111111
Hosts/Net: 1022                  Class B, Private network (RFC1918)

Other than that, with only a quick glance, it looks like you understand the elegance of WireGuard.

Also I see you noted:
--
# No keepalive required as SIP Options ping will keep it up
--
which is probably just fine, though there is not much added overhead if "PersistentKeepalive = 25" is also set possibly on the remote non-"SIP Options ping" peer, just something to file away in your mind.

Lonnie

> On Jun 7, 2019, at 8:57 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>
> Hi Group
>
> I would like to bring this up again as I have begun development of a transit switch for my customers (using Astlinux).
> The architecture will be both a primary and secondary server for the transit switch with regular synchronisation from Primary to Secondary. Both will have trunks to my upstream SIP provider with active/active redundancy.
> All customer Astlinux boxes will connect via Wireguard VPN as a client to 3 servers being Primary Transit, Secondary Transit and a Management server (I would rather not manage through the Transit servers). The customer Astlinux box could also be a VPN server for other satellite sites and user Remote Peers.
> Should this config work?
>
> -- Management Server --
> gui.wireguard.conf:
> WIREGUARD_IP="172.29.200.254"
> WIREGUARD_NM="255.255.255.0"
>
> wg0.peer:
> [Peer]
> # Peer 1
> PublicKey = ###
> AllowedIPs = 172.29.200.1/32
>
> [Peer]
> # Peer 2
> PublicKey = ###
> AllowedIPs = 172.29.200.2/32
> ........>
>
> [Peer]
> # Peer 200
> PublicKey = ###
> AllowedIPs = 172.29.200.200/32
>
>
> -- Primary Server --
> gui.wireguard.conf:
> WIREGUARD_IP="172.29.201.254"
> WIREGUARD_NM="255.255.255.0"
>
> wg0.peer:
> [Peer]
> # Peer 1
> PublicKey = ###
> AllowedIPs = 172.29.201.1/32
>
> [Peer]
> # Peer 2
> PublicKey = ###
> AllowedIPs = 172.29.201.2/32
> ........>
>
> [Peer]
> # Peer 200
> PublicKey = ###
> AllowedIPs = 172.29.201.200/32
>
>
> -- Secondary Server --
> gui.wireguard.conf:
> WIREGUARD_IP="172.29.202.254"
> WIREGUARD_NM="255.255.255.0"
>
> wg0.peer:
> [Peer]
> # Peer 1
> PublicKey = ###
> AllowedIPs = 172.29.202.1/32
>
> [Peer]
> # Peer 2
> PublicKey = ###
> AllowedIPs = 172.29.202.2/32
> ........>
>
> [Peer]
> # Peer 200
> PublicKey = ###
> AllowedIPs = 172.29.202.200/32
>
>
> -- Client --
> gui.wireguard.conf:
> # This range is used for peers to us that we are a server e.g. satellite sites and users
> WIREGUARD_IP="172.29.253.1"
> WIREGUARD_NM="255.255.255.0"
>
> rc.elocal:
> # Add Secondary IP Addresses to wg0
> ip addr add 172.29.200.1/24 dev wg0
> ip addr add 172.29.201.1/24 dev wg0
> ip addr add 172.29.202.1/24 dev wg0
>
> wg0.peer:
> [Peer]
> # Management Server
> PublicKey = ###
> Endpoint = management01.ipcaccess.net
> AllowedIPs = 172.29.200.254/32
> PersistentKeepalive = 25
>
> [Peer]
> # Primary Server
> PublicKey = ###
> Endpoint = primary01.ipcaccess.net
> AllowedIPs = 172.29.201.254/32
> # No keepalive required as SIP Options ping will keep it up
>
> [Peer]
> # Secondary Server
> PublicKey = ###
> Endpoint = secondary01.ipcaccess.net
> AllowedIPs = 172.29.202.254/32
> # No keepalive required as SIP Options ping will keep it up
>
> [Peer]
> # Another Astlinux box peering to us
> PublicKey = ###
> AllowedIPs = 172.29.253.2/32,<other accessible routes at the satellite site>
> # No keepalive required as SIP Options ping will keep it up
> --
>
> Can anyone see problems with this configuration?
>
> Regards
> Michael Knill
>
> From: David Kerr <da...@kerr.net>
> Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net>
> Date: Tuesday, 1 January 2019 at 6:21 pm
> To: AstLinux List <astlinux-users@lists.sourceforge.net>
> Subject: Re: [Astlinux-users] Multiple wg interfaces
>
> Michael,
> A single wg interface can have multiple IP addresses. They can be different subnets too. You will have to manually edit the config files.
>
> David.
>
> On Tue, Jan 1, 2019 at 6:37 AM Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>> Hi group
>>
>> Here is my scenario. I have primary and backup Wireguard VPN Peers that multiple Astlinux boxes will be connecting to.
>> I assume that I will need different wgx interfaces for this as I can't have the same IP Address.
>> If so, just wondering how to set this up in Astlinux?
>>
>> Regards
>> Michael Knill
>> _______________________________________________
>> Astlinux-users mailing list
>> Astlinux-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>>
>> Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.
> --
> David Kerr Sent from Gmail Mobile
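
Added example, not part of any message in this thread and not AstLinux code: a Python check of the client wg0.peer from the single-/24 reply at the top. It reports any prefix claimed by two peers on wg0 (WireGuard maps each allowed prefix to one peer, so only one of them keeps it) and any downstream peer /32 that falls inside the 1-100 range the upstream servers assign to clients, which is the overlap that reply describes. The 192.168.50.0/24 satellite route and the function names are assumptions.

```python
import ipaddress

TUNNEL_NET = ipaddress.ip_network("172.29.253.0/24")  # the single /24 from the reply
CLIENT_HOSTS = range(1, 101)  # WIREGUARD_IP="172.29.253.[1-100]" handed out upstream

# Constructed sample: the client's wg0.peer from the thread; 192.168.50.0/24 is an
# assumed stand-in for the elided satellite-site routes.
CLIENT_WG0_PEER = """\
[Peer]
# Management Server
PublicKey = ###
AllowedIPs = 172.29.253.254/32
[Peer]
# Primary Server
PublicKey = ###
AllowedIPs = 172.29.253.253/32
[Peer]
# Secondary Server
PublicKey = ###
AllowedIPs = 172.29.253.252/32
[Peer]
# Another Astlinux box peering to us
PublicKey = ###
AllowedIPs = 172.29.253.2/32, 192.168.50.0/24
"""

def parse_peers(text):
    """Return [(peer_no, label, network)]; the first comment after [Peer] is the label."""
    entries, label, n = [], None, 0
    for line in map(str.strip, text.splitlines()):
        if line == "[Peer]":
            n, label = n + 1, None
        elif line.startswith("#") and label is None:
            label = line.lstrip("# ")
        elif line.startswith("AllowedIPs"):
            for item in line.split("=", 1)[1].split(","):
                net = ipaddress.ip_network(item.strip(), strict=False)
                entries.append((n, label or f"peer {n}", net))
    return entries

def audit(text):
    """Flag prefixes claimed by two peers and local reuse of the upstream client range."""
    findings, owner = [], {}
    for n, label, net in parse_peers(text):
        if owner.setdefault(net, (n, label))[0] != n:  # same prefix, different peer
            findings.append(("duplicate", str(net), owner[net][1], label))
        if (net.version == 4 and net.prefixlen == 32 and net.subnet_of(TUNNEL_NET)
                and (int(net.network_address) & 0xFF) in CLIENT_HOSTS):
            findings.append(("reuses-client-range", str(net), label))
    return findings
```

On the sample, audit() returns one finding: 172.29.253.2/32 on the satellite peer is the same address the upstream servers list as Peer 2.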