VPN load balancing

I use a WireGuard VPN in a site-to-site configuration. I cannot get 10 Gbit/s line-rate VPN throughput because of the Linux network stack. I get one core at 100% IRQ because the traffic comes from one MAC, IP and port, due to the site-to-site architecture. Can I create a second wg interface and load-balance routed traffic for the whole subnet via two or more wg interfaces, or maybe IPsec? Or maybe somehow via VRF routing?

Hello @Iwan, I think you can. ECMP should work in this case.

Hi,

I am facing a similar scenario for a project at work and this post seems to be relevant, but I am not sure how to implement ECMP in VyOS. Our project involves creating a tunnel to Azure. At the moment we have a single route-based IPsec VyOS tunnel, but due to some known limitations we cannot get more than 1 Gbps of traffic through.

One solution that was suggested was to use WireGuard and ECMP to basically increase throughput using multiple WireGuard interfaces to the same destination.

For the ECMP portion though, I wasn't sure how this part worked in VyOS. If we created 2 WireGuard interfaces, would I then just need to create 2 static routes going to the same destination via both WireGuard interfaces for ECMP routing to work automatically in VyOS? On modern Linux, normally I believe we would just create routes to the same destination with equal cost to trigger ECMP routing. Since I couldn't find an example of what I was trying to do in VyOS' KBs, I figured I would look in this forum and ask here.

Any hints would be greatly appreciated.

Thanks in advance

Hi @Kar,

You can try ECMP with WireGuard interfaces.
However, beware of using static routes with WireGuard. Better use dynamic routing, such as OSPF.
See this article for an explanation:
OSPF Over WireGuard

@Nikolay

Thx for the reply.

Correct, BGP ECMP works perfectly fine.
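The ECMP behaviour discussed in this thread, as an added example that is not from any of the posters: a small model of per-flow next-hop selection over two tunnel interfaces, showing that many inner flows spread across both while a single flow always stays on one. The interface names, addresses and the SHA-256 hash are assumptions made for illustration; the kernel uses its own flow hash.

```python
import hashlib
from collections import Counter

def pick_nexthop(flow, nexthops, policy="l4"):
    """Per-flow ECMP model: hash the flow key and pick one next hop.

    policy "l3" keys on (src, dst) only; "l4" keys on the full 5-tuple.
    Linux exposes the same choice as net.ipv4.fib_multipath_hash_policy
    (0 = L3, 1 = L4). SHA-256 is a stand-in, not the kernel's hash.
    """
    src, dst, proto, sport, dport = flow
    key = (src, dst) if policy == "l3" else (src, dst, proto, sport, dport)
    digest = hashlib.sha256(repr(key).encode()).digest()
    return nexthops[int.from_bytes(digest[:4], "big") % len(nexthops)]

def spread(flows, nexthops, policy="l4"):
    """Count how many flows land on each next hop."""
    return Counter(pick_nexthop(f, nexthops, policy) for f in flows)

def paths_used_by(flow, packets, nexthops, policy="l4"):
    """Every packet of one flow carries the same key, so it uses one path."""
    return {pick_nexthop(flow, nexthops, policy) for _ in range(packets)}

# Constructed sample data: two tunnel interfaces and 1000 inner flows
TUNNELS = ["wg0", "wg1"]
FLOWS = [(f"10.1.0.{i % 50 + 1}", f"10.2.0.{i % 20 + 1}", "tcp", 40000 + i, 443)
         for i in range(1000)]
ELEPHANT = ("10.1.0.5", "10.2.0.9", "tcp", 51000, 5201)  # one bulk transfer

if __name__ == "__main__":
    print("L4 policy:", dict(spread(FLOWS, TUNNELS, "l4")))
    print("L3 policy:", dict(spread(FLOWS, TUNNELS, "l3")))
    print("single flow uses:", paths_used_by(ELEPHANT, 10000, TUNNELS))
```

A single bulk transfer therefore never exceeds what one tunnel can carry; the aggregate gain comes from many concurrent flows being hashed onto different interfaces.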