Hi Team,
I am facing a weird issue and I am not sure if WireGuard works with VRRP. Here is my setup and the process I followed.
R1 and R2 in VRRP cluster:
R1: eth0 10.10.11.20, eth1 10.10.12.20
R2: eth0 10.10.11.30, eth1 10.10.12.30
VRRP: eth0 10.10.11.15, eth1 10.10.12.15
R3: eth0 10.10.11.35, eth1 10.10.13.35
Here is the R1 WireGuard config; I then set up config-sync from R1 to R2 and it synced successfully:
set interfaces wireguard wg10 address '169.254.1.1/30'
set interfaces wireguard wg10 ip adjust-mss '1360'
set interfaces wireguard wg10 peer to_branch allowed-ips '0.0.0.0/0'
set interfaces wireguard wg10 peer to_branch persistent-keepalive '2'
set interfaces wireguard wg10 peer to_branch public-key 'SIy6gxzmcmqZmm8VB+jM+KccSuffbqMFnaic902XCWM='
set interfaces wireguard wg10 port '16578'
set interfaces wireguard wg10 private-key '8LgpEaPgHqhhd7Va6WMzpGQTq7g2eu5h7KrNDJ1IoEo='
set protocols bfd peer 169.254.1.2 source address '169.254.1.1'
set protocols bgp address-family ipv4-unicast network 10.10.12.0/24
set protocols bgp neighbor 169.254.1.2 address-family ipv4-unicast soft-reconfiguration inbound
set protocols bgp neighbor 169.254.1.2 remote-as '65000'
set protocols bgp neighbor 169.254.1.2 update-source '169.254.1.1'
set protocols bgp system-as '65000'
And here is the R3 config, which is the peer:
set interfaces wireguard wg10 address '169.254.1.2/30'
set interfaces wireguard wg10 ip adjust-mss '1360'
set interfaces wireguard wg10 peer to_ho address '10.10.11.15'
set interfaces wireguard wg10 peer to_ho allowed-ips '0.0.0.0/0'
set interfaces wireguard wg10 peer to_ho persistent-keepalive '2'
set interfaces wireguard wg10 peer to_ho port '16578'
set interfaces wireguard wg10 peer to_ho public-key 'ueJ48jr9tsezAxuFXAW0wundo4fqCqt+d6tC2LugFnI='
set interfaces wireguard wg10 private-key 'sDR651jFh46VnH/YUl5n6VFFBn3X/Pe0wEerFwqTCkU='
set protocols bfd peer 169.254.1.1 source address '169.254.1.2'
set protocols bgp address-family ipv4-unicast network 10.10.13.0/24
set protocols bgp neighbor 169.254.1.1 address-family ipv4-unicast soft-reconfiguration inbound
set protocols bgp neighbor 169.254.1.1 remote-as '65000'
set protocols bgp neighbor 169.254.1.1 update-source '169.254.1.2'
set protocols bgp system-as '65000'
Since R3 is speaking with the VRRP IP, which is 10.10.11.15 on port 16578, I thought that if I shut down R1, VRRP would fail over and WireGuard should work with R2; however, it does not. When I troubleshot the config from R3, I found that R3 had created the tunnel with 10.10.11.20:16578 instead of 10.10.11.15.
vyos@R3# sudo wg show
interface: wg10
public key: SIy6gxzmcmqZmm8VB+jM+KccSuffbqMFnaic902XCWM=
private key: (hidden)
listening port: 39390
peer: ueJ48jr9tsezAxuFXAW0wundo4fqCqt+d6tC2LugFnI=
endpoint: 10.10.11.20:16578
allowed ips: 0.0.0.0/0
latest handshake: 1 minute, 13 seconds ago
transfer: 32.12 KiB received, 35.48 KiB sent
persistent keepalive: every 2 seconds
[edit]
This is the reason failover did not happen. Just for testing purposes I ran the command
set interfaces wireguard wg10 peer to_ho address 10.10.11.30
And it started working. So I am pretty sure WireGuard does not work with the VRRP IP and takes the physical IP instead. In that case I am sure it would work with the legacy cluster config, since that fails over the physical IP.
So, @Viacheslav and other VyOS moderators, is it really a wise decision to deprecate the cluster feature in 1.4 and 1.5?
Or is there any other alternative?
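WireGuard updates a peer's endpoint to the source address of the latest authenticated packet it receives from that peer (endpoint roaming), which is how R3 can end up on the physical address even though its config names the VRRP address. The following check, added here as an example and not part of the original post or of VyOS, parses `wg show` output and reports peers whose live endpoint has drifted from the configured one; the sample output and public key are the ones quoted above, and the `CONFIGURED` mapping is an assumption built from R3's config.

```python
"""Report WireGuard peers whose live endpoint differs from the configured endpoint.

Added example, not from the original post. Assumes the peer public key in
CONFIGURED is the one R3 has configured for the VRRP address 10.10.11.15:16578.
"""

# Constructed sample: the `wg show` output quoted in the post.
WG_SHOW = """\
interface: wg10
  public key: SIy6gxzmcmqZmm8VB+jM+KccSuffbqMFnaic902XCWM=
  private key: (hidden)
  listening port: 39390

peer: ueJ48jr9tsezAxuFXAW0wundo4fqCqt+d6tC2LugFnI=
  endpoint: 10.10.11.20:16578
  allowed ips: 0.0.0.0/0
  latest handshake: 1 minute, 13 seconds ago
  transfer: 32.12 KiB received, 35.48 KiB sent
  persistent keepalive: every 2 seconds
"""

# Configured endpoints keyed by peer public key (assumed, from R3's config).
CONFIGURED = {
    "ueJ48jr9tsezAxuFXAW0wundo4fqCqt+d6tC2LugFnI=": ("10.10.11.15", 16578),
}


def parse_wg_show(text):
    """Return {peer_public_key: (host, port)} for every peer with an endpoint."""
    peers = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("peer:"):
            current = line.split(":", 1)[1].strip()
        elif current and line.startswith("endpoint:"):
            # rsplit keeps IPv6 literals like [fd00::1]:16578 intact.
            host, port = line.split(":", 1)[1].strip().rsplit(":", 1)
            peers[current] = (host.strip("[]"), int(port))
    return peers


def endpoint_drift(text, configured):
    """List (peer, configured, live) for peers whose live endpoint roamed away."""
    live = parse_wg_show(text)
    return [(k, configured[k], live[k])
            for k in configured if k in live and live[k] != configured[k]]


if __name__ == "__main__":
    for peer, want, got in endpoint_drift(WG_SHOW, CONFIGURED):
        print(f"peer {peer[:8]}... configured {want} but live endpoint is {got}")
```

Run it from cron against `sudo wg show` on each branch router and a non-empty result tells you the tunnel has latched onto a physical address that will not survive a VRRP failover.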