Switch to another VPN client if no handshake/connection [Wireguard/VPN Director]

[arkywein]

Hi all,

This forum has been of great help and I really enjoy Asuswrt-Merlin firmware! I have a question about VPN setup.

I have two Wireguard clients configured and I use VPN Director to assign IP ranges to route traffic through them. Initially, I had only one client (WGC1) and VPN Director would assign every local device (192.168.0.0/25 and 10.6.0.0/24) to it.
As a precautionary step, I'd like to setup a second VPN client (WGC2), so in case there's no handshake or internet connection through the first one, it'll reroute all devices through WGC2 like so:

My question is if this functionality exists (checking for handshake mishaps, connectivity issues) and if so, does my setup make sense? The idea was to always use WGC1 and if it's failing, switch to WGC2 and reroute all devices through it.
Thank you!

Device: RT-AX58U
Firmware: 388.1

 

[Viktor Jaep]

Hi all,

This forum has been of great help and I really enjoy Asuswrt-Merlin firmware! I have a question about VPN setup.

I have two Wireguard clients configured and I use VPN Director to assign IP ranges to route traffic through them. Initially, I had only one client (WGC1) and VPN Director would assign every local device (192.168.0.0/25 and 10.6.0.0/24) to it.
As a precautionary step, I'd like to setup a second VPN client (WGC2), so in case there's no handshake or internet connection through the first one, it'll reroute all devices through WGC2 like so:

View attachment 46525

My question is if this functionality exists (checking for handshake mishaps, connectivity issues) and if so, does my setup make sense? The idea was to always use WGC1 and if it's failing, switch to WGC2 and reroute all devices through it.
Thank you!

Device: RT-AX58U
Firmware: 388.1

@glitterclub developed this wireguard failover script, so I'm not sure if this will suit your purposes? Keep an eye on the add-on software catalog page, as I have a feeling more wireguard scripts will be coming in time.

 

[junn0]

I use the exact setup as you @arkywein I am not sure if its ideal too but I tested it by turning of wgc1 and wgc2 automatically picked up the traffic.

 

[arkywein]

@glitterclub developed this wireguard failover script, so I'm not sure if this will suit your purposes? Keep an eye on the add-on software catalog page, as I have a feeling more wireguard scripts will be coming in time.

Thank you for this, I might give it a try in the future. But for now it would be great to find out if something similar is already built in.

 

[arkywein]

I use the exact setup as you @arkywein I am not sure if its ideal too but I tested it by turning of wgc1 and wgc2 automatically picked up the traffic.

One thing is to turn it off, but what would happen if the client is on, but there’s no handshake or the handshake is there, but the traffic doesn’t go through?
I believe if that functionality was there, there would be no need to develop a script that @Viktor Jaep mentioned above

 

[junn0]

I am not sure if this answers your previous note. But this is what RMerlin has said regarding wireguard in comparison to openvpn in this post. You can disregard this if it does not apply. Release - Asuswrt-Merlin 388.1 is now available for all supported Wifi 6 models | Page 2 | SmallNetBuilder Forums (snbforums.com)

WireGuard is not a real client/server setup, it's a peer-to-peer type of setup. WireGuard has no concept of a "disconnected client", the interface will stay up until you manually shut it down, regardless of whether the two are able to communicate or not. If the peers are no longer able to communicate, then the traffic will automatically fail to route without the need of a dedicated killswitch.

 

[Viktor Jaep]

Thank you for this, I might give it a try in the future. But for now it would be great to find out if something similar is already built in.

If anything, it would try to re-establish a connection if it does go down... but that's probably as far as it would go. In order to flip to other clients, you would need a script of some sort. This is one of the main reasons I built VPNMON-R2, just to be able to check on the health of the OVPN connection, and to randomly select other client slots on a regular basis. I'm hoping to dip my toe into WG at some point in the future, but we'll see. I've got a new AX6000 to configure first.

 

[chongnt]

WireGuard interface appears to be stateless. A script probably is a good option.
If say WGC1 peer suddenly goes down, the router will have no knowledge of it and will keep sending traffic through WGC1 interface.

Lets see what happen when we create rules in VPN Director. When create rules to WGC1 and WGC2 in VPN Director, two ip rules with different priority are created. When you shutdown WGC1, its associated ip rules are removed. The remaining rule to WGC2 now has the highest priority so traffic is send through WGC2 interface. This requires manual intervention.

What we can do is use a watchdog script. Say we determined that WGC1 peer is not good, we removed the associated ip rules so that traffic will no longer send through this interface. Once the watchdog script determine WGC1 peer is back to normal service, it will restore the ip rule and traffic will revert back though WGC1 interface. We do not need to turn off the interface.

One way in the script mentioned above is use latest handshake. Usually handshake timer will refresh around 2 minutes. But there are times handshake is good but the peer may be dropping packets. Another way use watchdog to do periodically ping to say 8.8.8.8 as an indicator to determine when to remove or restore the ip rule.

 

[chongnt]

If anything, it would try to re-establish a connection if it does go down... but that's probably as far as it would go. In order to flip to other clients, you would need a script of some sort. This is one of the main reasons I built VPNMON-R2, just to be able to check on the health of the OVPN connection, and to randomly select other client slots on a regular basis. I'm hoping to dip my toe into WG at some point in the future, but we'll see. I've got a new AX6000 to configure first.

Another MON script coming...