author Paul Buetow <paul@buetow.org> 2026-01-16 08:30:26 +0200
committer Paul Buetow <paul@buetow.org> 2026-01-16 08:30:26 +0200
commit 2c98fc4b5c670ac565fa183be684485a08714b9f
tree 25c43ba4b5ec22deae4f7d3b33fe6a3502d69c04
parent 327757c3303aa8b5be825f0aef993dca8ea072ff
Document manual gateway failover for WireGuard roaming clients
Added section explaining how to use separate gateway configurations for pixel7pro and earth roaming clients to enable manual failover between blowfish and fishfinger gateways.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
-rw-r--r-- gemfeed/2025-05-11-f3s-kubernetes-with-freebsd-part-5.gmi.tpl 59
1 files changed, 57 insertions, 2 deletions
diff --git a/gemfeed/2025-05-11-f3s-kubernetes-with-freebsd-part-5.gmi.tpl b/gemfeed/2025-05-11-f3s-kubernetes-with-freebsd-part-5.gmi.tpl
index db89ec37..5dd910bb 100644
--- a/gemfeed/2025-05-11-f3s-kubernetes-with-freebsd-part-5.gmi.tpl
+++ b/gemfeed/2025-05-11-f3s-kubernetes-with-freebsd-part-5.gmi.tpl
@@ -916,15 +916,17 @@ Since OpenBSD doesn't use the `Address` directive in WireGuard configs, IPv6 mus
rex@blowfish:~ $ doas vi /etc/hostname.wg0
```
-Add the IPv6 address:
+Add the IPv6 address (note the order - IPv6 must be configured before `up`):
```
inet 192.168.2.110 255.255.255.0 NONE
inet6 fd42:beef:cafe:2::110 64
-!/usr/local/bin/wg setconf wg0 /etc/wireguard/wg0.conf
up
+!/usr/local/bin/wg setconf wg0 /etc/wireguard/wg0.conf
```
+**Important**: The IPv6 address must be specified before the `up` directive. This ensures the interface has both addresses configured before WireGuard peers are loaded.
+
Apply the configuration:
```sh
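Review bot: The added note and the **Important** paragraph explain the wrong line. `inet6 fd42:beef:cafe:2::110 64` already sat above `up` before this change; the only line that moves is `!/usr/local/bin/wg setconf wg0 /etc/wireguard/wg0.conf`, which now runs after `up` instead of before it. Reword both to say that the `wg setconf` command must come after the address lines and `up`, and state what went wrong with the old order, so a reader comparing this with their own `/etc/hostname.wg0` does not conclude that the inet6 line is what changed.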
@@ -935,6 +937,8 @@ inet6 fd42:beef:cafe:2::110 prefixlen 64
Repeat for `fishfinger` with address `fd42:beef:cafe:2::111`.
+After reboot, the interface will automatically come up with both IPv4 and IPv6 addresses. WireGuard peers may take 30-60 seconds to establish handshakes after boot.
+
### Verifying dual-stack connectivity
After regenerating and deploying the configurations, both IPv4 and IPv6 work across the mesh:
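Review bot: The "30-60 seconds" figure in the added sentence comes with no condition and no way to confirm it. Say what the delay depends on (is a keepalive configured on the peers, or does traffic have to trigger the handshake?) and add the check a reader should run after reboot, for example `doas wg show wg0 latest-handshakes`, so that a slow handshake can be told apart from a `hostname.wg0` that failed to load the peers.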
@@ -961,6 +965,57 @@ Adding IPv6 to the mesh network provides:
* **Learning**: Hands-on experience with IPv6 networking
* **Flexibility**: Roaming clients can access both IPv4 and IPv6 internet resources
+## Manual gateway failover for roaming clients
+
+WireGuard doesn't automatically failover between multiple peers with identical `AllowedIPs` routes. When both gateways (blowfish and fishfinger) are configured with `AllowedIPs = 0.0.0.0/0, ::/0`, WireGuard uses the first peer with a recent handshake. If that gateway goes down, traffic won't automatically switch to the backup.
+
+To enable manual failover, separate configuration files have been created for roaming clients (earth laptop and pixel7pro phone), each containing only a single gateway peer.
+
+### Configuration files for pixel7pro (phone)
+
+Two separate configs in `/home/paul/git/wireguardmeshgenerator/dist/pixel7pro/etc/wireguard/`:
+
+* **wg0-blowfish.conf** - Routes all traffic through blowfish gateway (23.88.35.144)
+* **wg0-fishfinger.conf** - Routes all traffic through fishfinger gateway (46.23.94.99)
+
+### Configuration files for earth (laptop)
+
+Two separate configs in `/home/paul/git/wireguardmeshgenerator/dist/earth/etc/wireguard/`:
+
+* **wg0-blowfish.conf** - Routes all traffic through blowfish gateway
+* **wg0-fishfinger.conf** - Routes all traffic through fishfinger gateway
+
+### Using manual failover on Android
+
+On the pixel7pro phone, import both QR codes using the WireGuard app to create two separate tunnel profiles:
+
+```sh
+# Generate QR codes
+qrencode -t ansiutf8 < dist/pixel7pro/etc/wireguard/wg0-blowfish.conf
+qrencode -t ansiutf8 < dist/pixel7pro/etc/wireguard/wg0-fishfinger.conf
+```
+
+In the WireGuard app, you can then manually enable/disable each tunnel to select which gateway to use. Only enable one tunnel at a time.
+
+### Using manual failover on Linux
+
+On the earth laptop, copy both configs and use systemd to switch between them:
+
+```sh
+# Install both configurations
+sudo cp dist/earth/etc/wireguard/wg0-blowfish.conf /etc/wireguard/
+sudo cp dist/earth/etc/wireguard/wg0-fishfinger.conf /etc/wireguard/
+
+# Start with blowfish gateway
+sudo systemctl start wg-quick@wg0-blowfish.service
+
+# To switch to fishfinger gateway
+sudo systemctl stop wg-quick@wg0-blowfish.service
+sudo systemctl start wg-quick@wg0-fishfinger.service
+```
+
+This approach provides explicit control over which gateway handles roaming client traffic, useful when one gateway needs maintenance or experiences connectivity issues.
+
## Happy WireGuard-ing
All is set up now. E.g. on `f0`:
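Review bot: In the Linux steps, `sudo cp dist/earth/etc/wireguard/wg0-blowfish.conf /etc/wireguard/` installs a file that holds the client's private key with whatever mode it has under `dist/`; use `sudo install -m 600 -o root -g root` for both files (or follow the copy with `chmod 600`) so the key is not readable by other local users, and add a line next to the `qrencode -t ansiutf8` commands noting that the QR code printed to the terminal carries the same key. Separately, the opening paragraph's claim that WireGuard "uses the first peer with a recent handshake" does not match how `AllowedIPs` works: a prefix is bound to one peer per interface, so with two peers both set to `0.0.0.0/0, ::/0` only the last-configured peer keeps the route. Since that sentence is the motivation for the whole section, it should be corrected. The pixel7pro list also publishes the gateway addresses while the earth list omits them; make the two lists consistent one way or the other.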