| author | Paul Buetow <paul@buetow.org> | 2026-01-17 00:09:50 +0200 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2026-01-17 00:09:50 +0200 |
| commit | bcb8cf5a5b1b4927bc8e3018c0244e19b5ff9451 (patch) | |
| tree | eab321d86ad1bb02095acd8e4aa95fafbc75f76b | |
| parent | 05e5dd253f1b0c45e78980ea648994dd79276a18 (diff) | |
Consolidate roaming client management sections in blog part 5
Moved "Manual gateway failover for roaming clients" section into
"Managing Roaming Client Tunnels" as a subsection. This provides
better flow:
1. First explains basic roaming client setup and management
2. Then explains start/stop operations
3. Finally discusses the failover limitation and manual solution
The manual failover discussion now comes after readers understand
the basic roaming client operations, making it easier to follow.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
| -rw-r--r-- | gemfeed/2025-05-11-f3s-kubernetes-with-freebsd-part-5.gmi.tpl | 102 |
1 files changed, 51 insertions, 51 deletions
diff --git a/gemfeed/2025-05-11-f3s-kubernetes-with-freebsd-part-5.gmi.tpl b/gemfeed/2025-05-11-f3s-kubernetes-with-freebsd-part-5.gmi.tpl index 87d9ba80..f322aaa8 100644 --- a/gemfeed/2025-05-11-f3s-kubernetes-with-freebsd-part-5.gmi.tpl +++ b/gemfeed/2025-05-11-f3s-kubernetes-with-freebsd-part-5.gmi.tpl 
@@ -1069,57 +1069,6 @@ Adding IPv6 to the mesh network provides: * **Learning**: Hands-on experience with IPv6 networking * **Flexibility**: Roaming clients can access both IPv4 and IPv6 internet resources -## Manual gateway failover for roaming clients - -WireGuard doesn't automatically failover between multiple peers with identical `AllowedIPs` routes. When both gateways (blowfish and fishfinger) are configured with `AllowedIPs = 0.0.0.0/0, ::/0`, WireGuard uses the first peer with a recent handshake. If that gateway goes down, traffic won't automatically switch to the backup. - -To enable manual failover, separate configuration files have been created for roaming clients (earth laptop and pixel7pro phone), each containing only a single gateway peer. - -### Configuration files for pixel7pro (phone) - -Two separate configs in `/home/paul/git/wireguardmeshgenerator/dist/pixel7pro/etc/wireguard/`: - -* **wg0-blowfish.conf** - Routes all traffic through blowfish gateway (23.88.35.144) -* **wg0-fishfinger.conf** - Routes all traffic through fishfinger gateway (46.23.94.99) - -### Configuration files for earth (laptop) - -Two separate configs in `/home/paul/git/wireguardmeshgenerator/dist/earth/etc/wireguard/`: - -* **wg0-blowfish.conf** - Routes all traffic through blowfish gateway -* **wg0-fishfinger.conf** - Routes all traffic through fishfinger gateway - -### Using manual failover on Android - -On the pixel7pro phone, import both QR codes using the WireGuard app to create two separate tunnel profiles: - -```sh -# Generate QR codes -qrencode -t ansiutf8 < dist/pixel7pro/etc/wireguard/wg0-blowfish.conf -qrencode -t ansiutf8 < dist/pixel7pro/etc/wireguard/wg0-fishfinger.conf -``` - -In the WireGuard app, you can then manually enable/disable each tunnel to select which gateway to use. Only enable one tunnel at a time. 
- -### Using manual failover on Linux - -On the earth laptop, copy both configs and use systemd to switch between them: - -```sh -# Install both configurations -sudo cp dist/earth/etc/wireguard/wg0-blowfish.conf /etc/wireguard/ -sudo cp dist/earth/etc/wireguard/wg0-fishfinger.conf /etc/wireguard/ - -# Start with blowfish gateway -sudo systemctl start wg-quick@wg0-blowfish.service - -# To switch to fishfinger gateway -sudo systemctl stop wg-quick@wg0-blowfish.service -sudo systemctl start wg-quick@wg0-fishfinger.service -``` - -This approach provides explicit control over which gateway handles roaming client traffic, useful when one gateway needs maintenance or experiences connectivity issues. - ## Happy WireGuard-ing All is set up now. E.g. on `f0`: 
@@ -1397,6 +1346,57 @@ earth$ curl https://ifconfig.me # Should show gateway's public IP Check which gateway is active: The device will typically prefer one gateway (usually the first one with a successful handshake). To see which gateway is actively routing traffic, check the transfer statistics with `sudo wg show` on earth, or observe which gateway shows recent handshakes and increasing transfer bytes. +### Manual gateway failover + +The default configuration for roaming clients includes both gateways (blowfish and fishfinger) with `AllowedIPs = 0.0.0.0/0, ::/0`. However, WireGuard doesn't automatically failover between multiple peers with identical `AllowedIPs` routes. When both gateways are configured this way, WireGuard uses the first peer with a recent handshake. If that gateway goes down, traffic won't automatically switch to the backup gateway. + +To enable manual failover, separate configuration files can be created for roaming clients (earth laptop and pixel7pro phone), each containing only a single gateway peer. This provides explicit control over which gateway handles traffic. 
+ +#### Configuration files for pixel7pro (phone) + +Two separate configs in `/home/paul/git/wireguardmeshgenerator/dist/pixel7pro/etc/wireguard/`: + +* **wg0-blowfish.conf** - Routes all traffic through blowfish gateway (23.88.35.144) +* **wg0-fishfinger.conf** - Routes all traffic through fishfinger gateway (46.23.94.99) + +#### Configuration files for earth (laptop) + +Two separate configs in `/home/paul/git/wireguardmeshgenerator/dist/earth/etc/wireguard/`: + +* **wg0-blowfish.conf** - Routes all traffic through blowfish gateway +* **wg0-fishfinger.conf** - Routes all traffic through fishfinger gateway + +#### Using manual failover on Android + +On the pixel7pro phone, import both QR codes using the WireGuard app to create two separate tunnel profiles: + +```sh +# Generate QR codes +qrencode -t ansiutf8 < dist/pixel7pro/etc/wireguard/wg0-blowfish.conf +qrencode -t ansiutf8 < dist/pixel7pro/etc/wireguard/wg0-fishfinger.conf +``` + +In the WireGuard app, you can then manually enable/disable each tunnel to select which gateway to use. Only enable one tunnel at a time. + +#### Using manual failover on Linux + +On the earth laptop, copy both configs and use systemd to switch between them: + +```sh +# Install both configurations +sudo cp dist/earth/etc/wireguard/wg0-blowfish.conf /etc/wireguard/ +sudo cp dist/earth/etc/wireguard/wg0-fishfinger.conf /etc/wireguard/ + +# Start with blowfish gateway +sudo systemctl start wg-quick@wg0-blowfish.service + +# To switch to fishfinger gateway +sudo systemctl stop wg-quick@wg0-blowfish.service +sudo systemctl start wg-quick@wg0-fishfinger.service +``` + +This approach provides explicit control over which gateway handles roaming client traffic, useful when one gateway needs maintenance or experiences connectivity issues. + ## Conclusion Having a mesh network on our hosts is great for securing all the traffic between them for our future k3s setup. 
A self-managed WireGuard mesh network is better than Tailscale as it eliminates reliance on a third party and provides full control over the configuration. It reduces unnecessary abstraction and "magic," enabling easier debugging and ensuring full ownership of our network.
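Review bot: for the hunk at `@@ -1069,57 +1069,6 @@`, the commit message calls this a pure move, but the removed text does not reappear verbatim in the second hunk: `To enable manual failover, separate configuration files have been created` becomes `... can be created`, and a new sentence `This provides explicit control over which gateway handles traffic.` is added while the old closing sentence `This approach provides explicit control over which gateway handles roaming client traffic, ...` is kept, so the subsection now says the same thing twice. Either keep the text identical so the diff is the move the message claims, or mention the wording change in the commit message and drop one of the two "explicit control" sentences.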
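Review bot: in the `Using manual failover on Linux` block of the hunk at `@@ -1397,6 +1346,57 @@`, the switch is `sudo systemctl stop wg-quick@wg0-blowfish.service` followed by `sudo systemctl start wg-quick@wg0-fishfinger.service`, so between the two commands the laptop has no tunnel and none of the routes the first tunnel installed; with the roaming client otherwise running a full-tunnel `AllowedIPs = 0.0.0.0/0, ::/0`, anything sent in that window leaves the local interface unencrypted and from the laptop's real address. Suggest a sentence stating that gap, and chaining the two commands (`... stop ... && ... start ...`) so it stays short. Two smaller points: the `Configuration files` subsections cite absolute paths under `/home/paul/git/wireguardmeshgenerator/dist/...` while the commands use relative `dist/...` paths, so a `cd` line or consistent paths would help; and the `qrencode -t ansiutf8 < ...conf` lines render the whole client config, private key included, on the terminal, which is worth a reminder not to screenshot or log that output.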
