Hi Matthias,
On Thu, May 10, 2018 at 11:21:44AM +0200, Matthias Urlichs wrote:
> Hello list,
>
> Assume a branch office with two uplinks to the Internet that wants to
> use WG to talk to the main office, using both of these uplinks in
> parallel (assuming they're both up) for better uplink speed (and for
> redundancy if they aren't). Now the obvious idea is to create two WG
> interfaces on each side, and add a couple of firewall rules to make sure
> that packets fwmarked 1 go out on the first uplink, and so on.
>
> That's the easy part. The hard part is how to teach the kernel to load
> balance its default route between the WG interfaces. I tried to use a
> libteam or bonding interface to tie them together, but apparently WG
> isn't Ethernet, so that doesn't work.
>
> I thought about using a GRE tunnel, but tunnels have fixed endpoint
> addresses – somehow I don't think it'd be a good idea to create two
> wireguard interfaces with the same IP address … and I don't really want
> to do heavy-handed address mangling on every packet. Losing all
> connectivity whenever I happen to flush my firewall tables doesn't
> appeal to me.

Maybe you can use some kind of dynamic routing approach here. Use FRR, Quagga or Bird with e.g. OSPF and ECMP (Equal Cost Multipath) to utilize both links. (Practically, you can also have two default routes with the same metric, and this should do round-robin-fashioned load balancing.)

Additionally, you get failover functionality with the dynamic routing: as one path is lost, it moves to the other one. And you don't need to mark packets on the firewall level.

> Ideally I would like the kernel's wireguard interfaces to be compatible
> with teaming … any takers?

Can't help with teaming here.

HTH,
tim

--
Tim Weippert
http://weiti.org - [email protected]
GPG Fingerprint - E704 7303 6FF0 8393 ADB1 398E 67F2 94AE 5995 7DD8
_______________________________________________
WireGuard mailing list
[email protected]
https://lists.zx2c4.com/mailman/listinfo/wireguard
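The static variant mentioned in the reply (equal-cost default routes over both tunnels), sketched as an added example that is not part of the original post. A WireGuard interface stays up when its peer is unreachable, so the script drops a tunnel from the route when its last handshake is stale. The interface names `wg0`/`wg1`, the function names, the 180-second limit and the use of `PersistentKeepalive` are assumptions.

```shell
#!/bin/sh
# Added example: static ECMP default route over two WireGuard tunnels.
# Assumptions (not from the post): interfaces wg0/wg1 exist, each peer's
# AllowedIPs covers the routed prefix, PersistentKeepalive is set so an
# idle tunnel still handshakes, and 180 s is the staleness limit.

MAX_AGE=${MAX_AGE:-180}

# Newest handshake (epoch seconds) on an interface; 0 means never.
latest_handshake() {
    wg show "$1" latest-handshakes 2>/dev/null |
        awk 'BEGIN { m = 0 } $2 > m { m = $2 } END { print m }'
}

# Echo the interfaces whose handshake age is within MAX_AGE.
# Input on stdin: "<iface> <handshake-epoch>" per line; $1 = now (epoch).
live_tunnels() {
    awk -v now="$1" -v max="$MAX_AGE" \
        '$2 > 0 && now - $2 <= max { printf "%s%s", sep, $1; sep = " " }
         END { print "" }'
}

# Build one multipath route: one equal-weight nexthop per live tunnel.
ecmp_route_cmd() {
    prefix=$1; shift
    [ "$#" -gt 0 ] || return 1          # no live tunnel: leave routes alone
    cmd="ip route replace $prefix"
    for dev in "$@"; do
        cmd="$cmd nexthop dev $dev weight 1"
    done
    printf '%s\n' "$cmd"
}

# Probe both tunnels and install the route (needs root).
apply_ecmp() {
    now=$(date +%s)
    live=$(for i in wg0 wg1; do echo "$i $(latest_handshake "$i")"; done |
           live_tunnels "$now")
    # Word splitting of $live and $cmd below is intended.
    cmd=$(ecmp_route_cmd default $live) || return 1
    $cmd
}

# Run only when explicitly asked, e.g. from a timer: APPLY=1 sh ecmp.sh
if [ "${APPLY:-0}" = 1 ]; then apply_ecmp; fi
```

The encrypted UDP of each tunnel still has to be pinned to its own uplink, as the fwmark rules in the quoted message do.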
