I have a lot of multihomed routers set up for vpn site-to-site and running bgp over the vpn mesh.

First, make sure these are all 0, as you are multihomed:

    cat $( find /proc/sys/net/ipv4 -name rp_filter )

The other thing I do is I run a different wireguard interface and peer on a different port and interface. With bgp on top, one multihomed router to another multihomed router just ends up being multiple links it can route over, and lets linux/bgp decide which ones to use and automatically fail over if one path goes down.

That said, I don't have any NAT and both ends have fixed IPs, although they are multihomed.

Can you create a separate wireguard interface for each physical interface (I suggest a different port too)? Separate wireguard interfaces should keep WG from having issues, and of course disabling rp_filter keeps linux from having issues.

On Fri, Jul 21, 2023 at 4:05 AM Nico Schottelius <nico.schottel...@ungleich.ch> wrote:
>
>
> Good morning,
>
> Daniel Gröber <d...@darkboxed.org> writes:
> > [...]
> > I have a multihomed router [...]
>
> following up the thread from February, we migrated away from wireguard
> to openvpn on systems that are multi homed.
>
> The main reason for that is that the following type of connection with a high
> probability fails to work:
>
> 1) device -> [NAT/FIREWALL] -> multi homed server [IP A]
> 2) multi homed server [IP B] -- blocked by firewall as it does not match
> table entry
>
> This always happens when the server has an asymmetric route back to
> the originating device, which really depends on the routing tables
> or routing policy present on the multi homed server.
>
> I'm a big fan of simplicity, but without an equivalent of openvpn's
> "local" statement, wireguard is deemed to be unusable in many network
> scenarios.
>
> Best regards,
>
> Nico
>
>
> --
> Sustainable and modern Infrastructures by ungleich.ch
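As an added example (not code from this thread or from the WireGuard project), a script that audits rp_filter the way the find/cat command above does and renders one WireGuard config per physical uplink, each on its own ListenPort. It assumes the kernel layout /proc/sys/net/ipv4/conf/<iface>/rp_filter; interface names, ports, addresses and the peer key are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the kernel sysctl layout
# /proc/sys/net/ipv4/conf/<iface>/rp_filter; the base dir is a parameter
# so the audit can be pointed at a test copy.

# Print "<iface> rp_filter=<value>" for every rp_filter that is not 0
# and return 1 if any was found. The kernel uses the maximum of
# conf/all and conf/<iface>, so "all" has to be 0 as well.
rpf_audit() {
    base="${1:-/proc/sys/net/ipv4}"
    rc=0
    for f in $(find "$base" -name rp_filter -print 2>/dev/null); do
        v=$(cat "$f")
        if [ "$v" != "0" ]; then
            echo "$(basename "$(dirname "$f")") rp_filter=$v"
            rc=1
        fi
    done
    return $rc
}

# Render a WireGuard config for one tunnel dedicated to one uplink.
# $1 name  $2 ListenPort  $3 tunnel address  $4 peer key  $5 endpoint  $6 AllowedIPs
wg_conf() {
    cat <<EOF
# $1: one WireGuard interface per physical uplink, on its own UDP port
[Interface]
Address = $3
ListenPort = $2

[Peer]
PublicKey = $4
Endpoint = $5
AllowedIPs = $6
EOF
}

# Demo with constructed values: two uplinks, two tunnels, two ports.
rpf_audit || echo "rp_filter still enabled on the interfaces above"
for up in "eth0 51820 10.0.0.1/32" "eth1 51821 10.0.1.1/32"; do
    set -- $up
    wg_conf "wg-$1" "$2" "$3" PEER_PUBKEY_PLACEHOLDER "198.51.100.2:$2" 10.0.0.0/16
    echo
done
```

With a BGP daemon peering over both wg-eth0 and wg-eth1, the tunnels become two parallel links and the routing table, not WireGuard, picks the surviving path when one uplink drops.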