From 5694ea270365f744ce04af690012197231f8d40c Mon Sep 17 00:00:00 2001 From: Paul Buetow Date: Sat, 17 Jan 2026 00:17:05 +0200 Subject: Update content for html --- ...5-05-11-f3s-kubernetes-with-freebsd-part-5.html | 241 ++++++++++++-------- gemfeed/atom.xml | 243 +++++++++++++-------- 2 files changed, 303 insertions(+), 181 deletions(-) (limited to 'gemfeed') diff --git a/gemfeed/2025-05-11-f3s-kubernetes-with-freebsd-part-5.html b/gemfeed/2025-05-11-f3s-kubernetes-with-freebsd-part-5.html index 80a0173f..7a8207f3 100644 --- a/gemfeed/2025-05-11-f3s-kubernetes-with-freebsd-part-5.html +++ b/gemfeed/2025-05-11-f3s-kubernetes-with-freebsd-part-5.html @@ -68,13 +68,9 @@
  • ⇢ ⇢ Manual OpenBSD interface configuration
  • ⇢ ⇢ Verifying dual-stack connectivity
  • ⇢ ⇢ Benefits of dual-stack
  • -
  • Manual gateway failover for roaming clients
  • -
  • ⇢ ⇢ Configuration files for pixel7pro (phone)
  • -
  • ⇢ ⇢ Configuration files for earth (laptop)
  • -
  • ⇢ ⇢ Using manual failover on Android
  • -
  • ⇢ ⇢ Using manual failover on Linux
  • Happy WireGuard-ing
  • Managing Roaming Client Tunnels
  • +
  • ⇢ ⇢ Manual gateway failover configuration
  • ⇢ ⇢ Starting and stopping on earth (Fedora laptop)
  • ⇢ ⇢ Starting and stopping on pixel7pro (Android phone)
  • ⇢ ⇢ Verifying connectivity
  • @@ -575,9 +571,40 @@ hosts: exclude_peers: - earth - pixel7pro - # f1 and f2 similarly configured with exclude_peers for roaming clients - # (full config omitted for brevity) - ... + f1: + os: FreeBSD + ssh: + user: paul + conf_dir: /usr/local/etc/wireguard + sudo_cmd: doas + reload_cmd: service wireguard reload + lan: + domain: 'lan.buetow.org' + ip: '192.168.1.131' + wg0: + domain: 'wg0.wan.buetow.org' + ip: '192.168.2.131' + ipv6: 'fd42:beef:cafe:2::131' + exclude_peers: + - earth + - pixel7pro + f2: + os: FreeBSD + ssh: + user: paul + conf_dir: /usr/local/etc/wireguard + sudo_cmd: doas + reload_cmd: service wireguard reload + lan: + domain: 'lan.buetow.org' + ip: '192.168.1.132' + wg0: + domain: 'wg0.wan.buetow.org' + ip: '192.168.2.132' + ipv6: 'fd42:beef:cafe:2::132' + exclude_peers: + - earth + - pixel7pro r0: os: Linux ssh: @@ -595,8 +622,40 @@ hosts: exclude_peers: - earth - pixel7pro - # r1 and r2 similarly configured - ... + r1: + os: Linux + ssh: + user: root + conf_dir: /etc/wireguard + sudo_cmd: + reload_cmd: systemctl reload wg-quick@wg0.service + lan: + domain: 'lan.buetow.org' + ip: '192.168.1.121' + wg0: + domain: 'wg0.wan.buetow.org' + ip: '192.168.2.121' + ipv6: 'fd42:beef:cafe:2::121' + exclude_peers: + - earth + - pixel7pro + r2: + os: Linux + ssh: + user: root + conf_dir: /etc/wireguard + sudo_cmd: + reload_cmd: systemctl reload wg-quick@wg0.service + lan: + domain: 'lan.buetow.org' + ip: '192.168.1.122' + wg0: + domain: 'wg0.wan.buetow.org' + ip: '192.168.2.122' + ipv6: 'fd42:beef:cafe:2::122' + exclude_peers: + - earth + - pixel7pro blowfish: os: OpenBSD ssh: @@ -1105,7 +1164,7 @@ up !/usr/local/bin/wg setconf wg0 /etc/wireguard/wg0.conf
    -**Important**: The IPv6 address must be specified before the up directive. This ensures the interface has both addresses configured before WireGuard peers are loaded.
    +Important: The IPv6 address must be specified before the up directive. This ensures the interface has both addresses configured before WireGuard peers are loaded.

    Apply the configuration:

    @@ -1147,70 +1206,11 @@ root@r0:~ # ping6 -c 2 fd42:beef:cafe:2::130 # IPv6 to Adding IPv6 to the mesh network provides:

      -
    • **Future-proofing**: Ready for IPv6-only services and networks
    • -
    • **Compatibility**: Dual-stack maintains full IPv4 compatibility
    • -
    • **Learning**: Hands-on experience with IPv6 networking
    • -
    • **Flexibility**: Roaming clients can access both IPv4 and IPv6 internet resources
    • -

    -

    Manual gateway failover for roaming clients


    -
    -WireGuard doesn't automatically failover between multiple peers with identical AllowedIPs routes. When both gateways (blowfish and fishfinger) are configured with AllowedIPs = 0.0.0.0/0, ::/0, WireGuard uses the first peer with a recent handshake. If that gateway goes down, traffic won't automatically switch to the backup.
    -
    -To enable manual failover, separate configuration files have been created for roaming clients (earth laptop and pixel7pro phone), each containing only a single gateway peer.
    -
    -

    Configuration files for pixel7pro (phone)


    -
    -Two separate configs in /home/paul/git/wireguardmeshgenerator/dist/pixel7pro/etc/wireguard/:
    -
    -
      -
    • **wg0-blowfish.conf** - Routes all traffic through blowfish gateway (23.88.35.144)
    • -
    • **wg0-fishfinger.conf** - Routes all traffic through fishfinger gateway (46.23.94.99)
    • +
    • Future-proofing: Ready for IPv6-only services and networks
    • +
    • Compatibility: Dual-stack maintains full IPv4 compatibility
    • +
    • Learning: Hands-on experience with IPv6 networking
    • +
    • Flexibility: Roaming clients can access both IPv4 and IPv6 internet resources

    -

    Configuration files for earth (laptop)


    -
    -Two separate configs in /home/paul/git/wireguardmeshgenerator/dist/earth/etc/wireguard/:
    -
    -
      -
    • **wg0-blowfish.conf** - Routes all traffic through blowfish gateway
    • -
    • **wg0-fishfinger.conf** - Routes all traffic through fishfinger gateway
    • -

    -

    Using manual failover on Android


    -
    -On the pixel7pro phone, import both QR codes using the WireGuard app to create two separate tunnel profiles:
    -
    - -
    # Generate QR codes
    -qrencode -t ansiutf8 < dist/pixel7pro/etc/wireguard/wg0-blowfish.conf
    -qrencode -t ansiutf8 < dist/pixel7pro/etc/wireguard/wg0-fishfinger.conf
    -
    -
    -In the WireGuard app, you can then manually enable/disable each tunnel to select which gateway to use. Only enable one tunnel at a time.
    -
    -

    Using manual failover on Linux


    -
    -On the earth laptop, copy both configs and use systemd to switch between them:
    -
    - -
    # Install both configurations
    -sudo cp dist/earth/etc/wireguard/wg0-blowfish.conf /etc/wireguard/
    -sudo cp dist/earth/etc/wireguard/wg0-fishfinger.conf /etc/wireguard/
    -
    -# Start with blowfish gateway
    -sudo systemctl start wg-quick@wg0-blowfish.service
    -
    -# To switch to fishfinger gateway
    -sudo systemctl stop wg-quick@wg0-blowfish.service
    -sudo systemctl start wg-quick@wg0-fishfinger.service
    -
    -
    -This approach provides explicit control over which gateway handles roaming client traffic, useful when one gateway needs maintenance or experiences connectivity issues.
    -

    Happy WireGuard-ing



    All is set up now. E.g. on f0:
    @@ -1400,17 +1400,69 @@ peer: 2htXdNcxzpI2FdPDJy4T4VGtm1wpMEQu1AkQHjNY6F8=

    Managing Roaming Client Tunnels



    -Since roaming clients like earth and pixel7pro connect on-demand rather than being always-on like the infrastructure hosts, it's useful to know how to start and stop the WireGuard tunnels.
    +Since roaming clients like earth and pixel7pro connect on-demand rather than being always-on like the infrastructure hosts, it's useful to know how to configure and manage the WireGuard tunnels.
    +
    +

    Manual gateway failover configuration


    +
    +The default configuration for roaming clients includes both gateways (blowfish and fishfinger) with AllowedIPs = 0.0.0.0/0, ::/0. However, WireGuard doesn't automatically failover between multiple peers with identical AllowedIPs routes. When both gateways are configured this way, WireGuard uses the first peer with a recent handshake. If that gateway goes down, traffic won't automatically switch to the backup gateway.
    +
    +To enable manual failover, separate configuration files can be created for roaming clients (earth laptop and pixel7pro phone), each containing only a single gateway peer. This provides explicit control over which gateway handles traffic.
    +
    +Configuration files for pixel7pro (phone):
    +
    +Two separate configs in /home/paul/git/wireguardmeshgenerator/dist/pixel7pro/etc/wireguard/:
    +
    +
      +
    • wg0-blowfish.conf - Routes all traffic through blowfish gateway (23.88.35.144)
    • +
    • wg0-fishfinger.conf - Routes all traffic through fishfinger gateway (46.23.94.99)
    • +

    +Generate QR codes for importing into the WireGuard Android app:
    +
    + +
    qrencode -t ansiutf8 < dist/pixel7pro/etc/wireguard/wg0-blowfish.conf
    +qrencode -t ansiutf8 < dist/pixel7pro/etc/wireguard/wg0-fishfinger.conf
    +
    +
    +Import both QR codes using the WireGuard app to create two separate tunnel profiles. You can then manually enable/disable each tunnel to select which gateway to use. Only enable one tunnel at a time.
    +
    +Configuration files for earth (laptop):
    +
    +Two separate configs in /home/paul/git/wireguardmeshgenerator/dist/earth/etc/wireguard/:
    +
    +
      +
    • wg0-blowfish.conf - Routes all traffic through blowfish gateway
    • +
    • wg0-fishfinger.conf - Routes all traffic through fishfinger gateway
    • +

    +Install both configurations:
    +
    + +
    sudo cp dist/earth/etc/wireguard/wg0-blowfish.conf /etc/wireguard/
    +sudo cp dist/earth/etc/wireguard/wg0-fishfinger.conf /etc/wireguard/
    +
    +
    +This approach provides explicit control over which gateway handles roaming client traffic, useful when one gateway needs maintenance or experiences connectivity issues.

    Starting and stopping on earth (Fedora laptop)



    -On the Fedora laptop, WireGuard is managed via systemd. Starting the tunnel:
    +On the Fedora laptop, WireGuard is managed via systemd. Using the separate gateway configs:

    -
    earth$ sudo systemctl start wg-quick@wg0.service
    +
    # Start with blowfish gateway
    +earth$ sudo systemctl start wg-quick@wg0-blowfish.service
    +
    +# Or start with fishfinger gateway
    +earth$ sudo systemctl start wg-quick@wg0-fishfinger.service
    +
    +# Check tunnel status
     earth$ sudo wg show
     interface: wg0
       public key: Mc1CpSS3rbLN9A2w9c75XugQyXUkGPHKI2iCGbh8DRo=
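Review bot: The two sudo cp lines under "Install both configurations" copy wg-quick configs, which carry the client's private key, into /etc/wireguard/ without setting owner or mode, so the resulting permissions depend on the umask and on how the generator wrote the files under dist/. Suggest sudo install -o root -g root -m 600 dist/earth/etc/wireguard/wg0-blowfish.conf /etc/wireguard/ and the same for wg0-fishfinger.conf. The qrencode -t ansiutf8 lines are sensitive in the same way: the QR code drawn in the terminal encodes the whole config, key included, so a sentence telling readers to clear the scrollback after importing would fit here.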
    @@ -1435,43 +1487,45 @@ peer: Xow+d3qVXgUMk4pcRSQ6Fe+vhYBa3VDyHX/4jrGoKns=
       persistent keepalive: every 25 seconds
     

    -Stoppint the tunnel:
    +Stopping the tunnel:

    -
    earth$ sudo systemctl stop wg-quick@wg0.service
    +
    earth$ sudo systemctl stop wg-quick@wg0-blowfish.service
    +# Or if using fishfinger:
    +earth$ sudo systemctl stop wg-quick@wg0-fishfinger.service
    +
     earth$ sudo wg show
     # No output - WireGuard interface is down
     

    -Checking the tunnel status:
    +Switching between gateways:

    -
    earth$ sudo systemctl status wg-quick@wg0.service
    -● wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
    -     Loaded: loaded (/usr/lib/systemd/system/wg-quick@.service; disabled)
    -     Active: active (exited) since Sun 2026-01-11 22:45:00 EET
    +
    # Switch from blowfish to fishfinger
    +earth$ sudo systemctl stop wg-quick@wg0-blowfish.service
    +earth$ sudo systemctl start wg-quick@wg0-fishfinger.service
     

    -The service remains disabled to prevent auto-start on boot, allowing manual control of when the VPN is active.
    +The services remain disabled to prevent auto-start on boot, allowing manual control of when the VPN is active and which gateway to use.

    Starting and stopping on pixel7pro (Android phone)



    -On Android using the official WireGuard app, tunnel management is like this:
    +On Android using the official WireGuard app, you now have two tunnel profiles (wg0-blowfish and wg0-fishfinger) after importing the QR codes:

    -Starting the tunnel:
    +Starting a tunnel:

    • 1. Open the WireGuard app
    • -
    • 2. Tap the toggle switch next to the pixel7pro tunnel configuration
    • +
    • 2. Tap the toggle switch next to either wg0-blowfish or wg0-fishfinger tunnel configuration
    • 3. The switch turns blue/green and shows "Active"
    • 4. A key icon appears in the notification bar indicating VPN is active
    • -
    • 5. All traffic now routes through the VPN
    • +
    • 5. All traffic now routes through the selected gateway

    Stopping the tunnel:
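Review bot: In "Switching between gateways", the stop and the start are separate commands and the text does not mention the interval between them: once wg-quick@wg0-blowfish.service is stopped, earth has no WireGuard interface (the block above shows "No output - WireGuard interface is down") until the fishfinger unit is up, and if that start fails the laptop keeps using the local network's routing with nothing to flag it. Suggest adding a sentence that traffic is not tunnelled during the switch, and ending the block with sudo wg show so the reader confirms the new gateway has a handshake before relying on it.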

    @@ -1482,6 +1536,13 @@ http://www.gnu.org/software/src-highlite -->
  • 4. The notification bar key icon disappears
  • 5. Normal internet routing resumes

  • +Switching between gateways:
    +
    +
      +
    • 1. Disable the currently active tunnel (e.g., wg0-blowfish)
    • +
    • 2. Enable the other tunnel (e.g., wg0-fishfinger)
    • +
    • Only enable one tunnel at a time
    • +

    Quick toggling from notification:
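Review bot: Step 1 of the added "Switching between gateways" list disables the active tunnel before the other one is enabled, and the context line just above it says that stopping a tunnel means "Normal internet routing resumes", so the phone is off the VPN between the two steps; the list should say so. The third bullet ("Only enable one tunnel at a time") is a constraint rather than a step and carries no number, unlike the two before it; suggest moving it out of the list into a sentence of its own.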

      @@ -1511,7 +1572,7 @@ earth$ ping -c2 fishfinger.wg0 earth$ curl https://ifconfig.me # Should show gateway's public IP

    -Check which gateway is active: The device will typically prefer one gateway (usually the first one with a successful handshake). To see which gateway is actively routing traffic, check the transfer statistics with sudo wg show on earth, or observe which gateway shows recent handshakes and increasing transfer bytes.
    +Check which gateway is active: Check the transfer statistics with sudo wg show on earth to see which peer shows recent handshakes and increasing transfer bytes. On Android, the WireGuard app shows the active tunnel with data transfer statistics.

    Conclusion
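Review bot: The rewritten "Check which gateway is active" paragraph still has the reader pick the gateway out of handshake and transfer counters, which was needed when one config held both gateway peers; with a single gateway peer per config, as the new failover section describes, the running unit already answers the question. Suggest naming that check first (systemctl is-active wg-quick@wg0-blowfish.service wg-quick@wg0-fishfinger.service) and keeping the handshake and byte counters as the check that the chosen gateway is actually passing traffic.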



    diff --git a/gemfeed/atom.xml b/gemfeed/atom.xml index 92baa74d..8f6aa951 100644 --- a/gemfeed/atom.xml +++ b/gemfeed/atom.xml @@ -1,6 +1,6 @@ - 2026-01-17T00:03:44+02:00 + 2026-01-17T00:15:15+02:00 foo.zone feed To be in the .zone! @@ -9632,13 +9632,9 @@ Jul 06 10:⇢ ⇢ Manual OpenBSD interface configuration
  • ⇢ ⇢ Verifying dual-stack connectivity
  • ⇢ ⇢ Benefits of dual-stack
  • -
  • Manual gateway failover for roaming clients
  • -
  • ⇢ ⇢ Configuration files for pixel7pro (phone)
  • -
  • ⇢ ⇢ Configuration files for earth (laptop)
  • -
  • ⇢ ⇢ Using manual failover on Android
  • -
  • ⇢ ⇢ Using manual failover on Linux
  • Happy WireGuard-ing
  • Managing Roaming Client Tunnels
  • +
  • ⇢ ⇢ Manual gateway failover configuration
  • ⇢ ⇢ Starting and stopping on earth (Fedora laptop)
  • ⇢ ⇢ Starting and stopping on pixel7pro (Android phone)
  • ⇢ ⇢ Verifying connectivity
  • @@ -10139,9 +10135,40 @@ hosts: exclude_peers: - earth - pixel7pro - # f1 and f2 similarly configured with exclude_peers for roaming clients - # (full config omitted for brevity) - ... + f1: + os: FreeBSD + ssh: + user: paul + conf_dir: /usr/local/etc/wireguard + sudo_cmd: doas + reload_cmd: service wireguard reload + lan: + domain: 'lan.buetow.org' + ip: '192.168.1.131' + wg0: + domain: 'wg0.wan.buetow.org' + ip: '192.168.2.131' + ipv6: 'fd42:beef:cafe:2::131' + exclude_peers: + - earth + - pixel7pro + f2: + os: FreeBSD + ssh: + user: paul + conf_dir: /usr/local/etc/wireguard + sudo_cmd: doas + reload_cmd: service wireguard reload + lan: + domain: 'lan.buetow.org' + ip: '192.168.1.132' + wg0: + domain: 'wg0.wan.buetow.org' + ip: '192.168.2.132' + ipv6: 'fd42:beef:cafe:2::132' + exclude_peers: + - earth + - pixel7pro r0: os: Linux ssh: @@ -10159,8 +10186,40 @@ hosts: exclude_peers: - earth - pixel7pro - # r1 and r2 similarly configured - ... + r1: + os: Linux + ssh: + user: root + conf_dir: /etc/wireguard + sudo_cmd: + reload_cmd: systemctl reload wg-quick@wg0.service + lan: + domain: 'lan.buetow.org' + ip: '192.168.1.121' + wg0: + domain: 'wg0.wan.buetow.org' + ip: '192.168.2.121' + ipv6: 'fd42:beef:cafe:2::121' + exclude_peers: + - earth + - pixel7pro + r2: + os: Linux + ssh: + user: root + conf_dir: /etc/wireguard + sudo_cmd: + reload_cmd: systemctl reload wg-quick@wg0.service + lan: + domain: 'lan.buetow.org' + ip: '192.168.1.122' + wg0: + domain: 'wg0.wan.buetow.org' + ip: '192.168.2.122' + ipv6: 'fd42:beef:cafe:2::122' + exclude_peers: + - earth + - pixel7pro blowfish: os: OpenBSD ssh: @@ -10669,7 +10728,7 @@ up !/usr/local/bin/wg setconf wg0 /etc/wireguard/wg0.conf

    -**Important**: The IPv6 address must be specified before the up directive. This ensures the interface has both addresses configured before WireGuard peers are loaded.
    +Important: The IPv6 address must be specified before the up directive. This ensures the interface has both addresses configured before WireGuard peers are loaded.

    Apply the configuration:

    @@ -10711,70 +10770,11 @@ root@r0:~ # ping6 -c 2 fd42:beef:cafe:2::130 # IPv6 to Adding IPv6 to the mesh network provides:

      -
    • **Future-proofing**: Ready for IPv6-only services and networks
    • -
    • **Compatibility**: Dual-stack maintains full IPv4 compatibility
    • -
    • **Learning**: Hands-on experience with IPv6 networking
    • -
    • **Flexibility**: Roaming clients can access both IPv4 and IPv6 internet resources
    • -

    -

    Manual gateway failover for roaming clients


    -
    -WireGuard doesn't automatically failover between multiple peers with identical AllowedIPs routes. When both gateways (blowfish and fishfinger) are configured with AllowedIPs = 0.0.0.0/0, ::/0, WireGuard uses the first peer with a recent handshake. If that gateway goes down, traffic won't automatically switch to the backup.
    -
    -To enable manual failover, separate configuration files have been created for roaming clients (earth laptop and pixel7pro phone), each containing only a single gateway peer.
    -
    -

    Configuration files for pixel7pro (phone)


    -
    -Two separate configs in /home/paul/git/wireguardmeshgenerator/dist/pixel7pro/etc/wireguard/:
    -
    -
      -
    • **wg0-blowfish.conf** - Routes all traffic through blowfish gateway (23.88.35.144)
    • -
    • **wg0-fishfinger.conf** - Routes all traffic through fishfinger gateway (46.23.94.99)
    • +
    • Future-proofing: Ready for IPv6-only services and networks
    • +
    • Compatibility: Dual-stack maintains full IPv4 compatibility
    • +
    • Learning: Hands-on experience with IPv6 networking
    • +
    • Flexibility: Roaming clients can access both IPv4 and IPv6 internet resources

    -

    Configuration files for earth (laptop)


    -
    -Two separate configs in /home/paul/git/wireguardmeshgenerator/dist/earth/etc/wireguard/:
    -
    -
      -
    • **wg0-blowfish.conf** - Routes all traffic through blowfish gateway
    • -
    • **wg0-fishfinger.conf** - Routes all traffic through fishfinger gateway
    • -

    -

    Using manual failover on Android


    -
    -On the pixel7pro phone, import both QR codes using the WireGuard app to create two separate tunnel profiles:
    -
    - -
    # Generate QR codes
    -qrencode -t ansiutf8 < dist/pixel7pro/etc/wireguard/wg0-blowfish.conf
    -qrencode -t ansiutf8 < dist/pixel7pro/etc/wireguard/wg0-fishfinger.conf
    -
    -
    -In the WireGuard app, you can then manually enable/disable each tunnel to select which gateway to use. Only enable one tunnel at a time.
    -
    -

    Using manual failover on Linux


    -
    -On the earth laptop, copy both configs and use systemd to switch between them:
    -
    - -
    # Install both configurations
    -sudo cp dist/earth/etc/wireguard/wg0-blowfish.conf /etc/wireguard/
    -sudo cp dist/earth/etc/wireguard/wg0-fishfinger.conf /etc/wireguard/
    -
    -# Start with blowfish gateway
    -sudo systemctl start wg-quick@wg0-blowfish.service
    -
    -# To switch to fishfinger gateway
    -sudo systemctl stop wg-quick@wg0-blowfish.service
    -sudo systemctl start wg-quick@wg0-fishfinger.service
    -
    -
    -This approach provides explicit control over which gateway handles roaming client traffic, useful when one gateway needs maintenance or experiences connectivity issues.
    -

    Happy WireGuard-ing



    All is set up now. E.g. on f0:
    @@ -10964,17 +10964,69 @@ peer: 2htXdNcxzpI2FdPDJy4T4VGtm1wpMEQu1AkQHjNY6F8=

    Managing Roaming Client Tunnels



    -Since roaming clients like earth and pixel7pro connect on-demand rather than being always-on like the infrastructure hosts, it's useful to know how to start and stop the WireGuard tunnels.
    +Since roaming clients like earth and pixel7pro connect on-demand rather than being always-on like the infrastructure hosts, it's useful to know how to configure and manage the WireGuard tunnels.
    +
    +

    Manual gateway failover configuration


    +
    +The default configuration for roaming clients includes both gateways (blowfish and fishfinger) with AllowedIPs = 0.0.0.0/0, ::/0. However, WireGuard doesn't automatically failover between multiple peers with identical AllowedIPs routes. When both gateways are configured this way, WireGuard uses the first peer with a recent handshake. If that gateway goes down, traffic won't automatically switch to the backup gateway.
    +
    +To enable manual failover, separate configuration files can be created for roaming clients (earth laptop and pixel7pro phone), each containing only a single gateway peer. This provides explicit control over which gateway handles traffic.
    +
    +Configuration files for pixel7pro (phone):
    +
    +Two separate configs in /home/paul/git/wireguardmeshgenerator/dist/pixel7pro/etc/wireguard/:
    +
    +
      +
    • wg0-blowfish.conf - Routes all traffic through blowfish gateway (23.88.35.144)
    • +
    • wg0-fishfinger.conf - Routes all traffic through fishfinger gateway (46.23.94.99)
    • +

    +Generate QR codes for importing into the WireGuard Android app:
    +
    + +
    qrencode -t ansiutf8 < dist/pixel7pro/etc/wireguard/wg0-blowfish.conf
    +qrencode -t ansiutf8 < dist/pixel7pro/etc/wireguard/wg0-fishfinger.conf
    +
    +
    +Import both QR codes using the WireGuard app to create two separate tunnel profiles. You can then manually enable/disable each tunnel to select which gateway to use. Only enable one tunnel at a time.
    +
    +Configuration files for earth (laptop):
    +
    +Two separate configs in /home/paul/git/wireguardmeshgenerator/dist/earth/etc/wireguard/:
    +
    +
      +
    • wg0-blowfish.conf - Routes all traffic through blowfish gateway
    • +
    • wg0-fishfinger.conf - Routes all traffic through fishfinger gateway
    • +

    +Install both configurations:
    +
    + +
    sudo cp dist/earth/etc/wireguard/wg0-blowfish.conf /etc/wireguard/
    +sudo cp dist/earth/etc/wireguard/wg0-fishfinger.conf /etc/wireguard/
    +
    +
    +This approach provides explicit control over which gateway handles roaming client traffic, useful when one gateway needs maintenance or experiences connectivity issues.

    Starting and stopping on earth (Fedora laptop)



    -On the Fedora laptop, WireGuard is managed via systemd. Starting the tunnel:
    +On the Fedora laptop, WireGuard is managed via systemd. Using the separate gateway configs:

    -
    earth$ sudo systemctl start wg-quick@wg0.service
    +
    # Start with blowfish gateway
    +earth$ sudo systemctl start wg-quick@wg0-blowfish.service
    +
    +# Or start with fishfinger gateway
    +earth$ sudo systemctl start wg-quick@wg0-fishfinger.service
    +
    +# Check tunnel status
     earth$ sudo wg show
     interface: wg0
       public key: Mc1CpSS3rbLN9A2w9c75XugQyXUkGPHKI2iCGbh8DRo=
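Review bot: The sample output kept as context under the new start commands still reads "interface: wg0", but wg-quick names the interface after the config file, so after systemctl start wg-quick@wg0-blowfish.service the output of sudo wg show would begin with interface: wg0-blowfish. Suggest refreshing the sample from a run with the new unit. The two start commands also sit in one block separated only by an "Or" comment, so a reader who pastes the block starts both gateways at once; two separate blocks would avoid that. The HTML hunk at @@ -1400,17 +1400,69 @@ has the same lines.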
    @@ -10999,43 +11051,45 @@ peer: Xow+d3qVXgUMk4pcRSQ6Fe+vhYBa3VDyHX/4jrGoKns=
       persistent keepalive: every 25 seconds
     

    -Stoppint the tunnel:
    +Stopping the tunnel:

    -
    earth$ sudo systemctl stop wg-quick@wg0.service
    +
    earth$ sudo systemctl stop wg-quick@wg0-blowfish.service
    +# Or if using fishfinger:
    +earth$ sudo systemctl stop wg-quick@wg0-fishfinger.service
    +
     earth$ sudo wg show
     # No output - WireGuard interface is down
     

    -Checking the tunnel status:
    +Switching between gateways:

    -
    earth$ sudo systemctl status wg-quick@wg0.service
    -● wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
    -     Loaded: loaded (/usr/lib/systemd/system/wg-quick@.service; disabled)
    -     Active: active (exited) since Sun 2026-01-11 22:45:00 EET
    +
    # Switch from blowfish to fishfinger
    +earth$ sudo systemctl stop wg-quick@wg0-blowfish.service
    +earth$ sudo systemctl start wg-quick@wg0-fishfinger.service
     

    -The service remains disabled to prevent auto-start on boot, allowing manual control of when the VPN is active.
    +The services remain disabled to prevent auto-start on boot, allowing manual control of when the VPN is active and which gateway to use.

    Starting and stopping on pixel7pro (Android phone)



    -On Android using the official WireGuard app, tunnel management is like this:
    +On Android using the official WireGuard app, you now have two tunnel profiles (wg0-blowfish and wg0-fishfinger) after importing the QR codes:

    -Starting the tunnel:
    +Starting a tunnel:

    • 1. Open the WireGuard app
    • -
    • 2. Tap the toggle switch next to the pixel7pro tunnel configuration
    • +
    • 2. Tap the toggle switch next to either wg0-blowfish or wg0-fishfinger tunnel configuration
    • 3. The switch turns blue/green and shows "Active"
    • 4. A key icon appears in the notification bar indicating VPN is active
    • -
    • 5. All traffic now routes through the VPN
    • +
    • 5. All traffic now routes through the selected gateway

    Stopping the tunnel:
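Review bot: The sentence "The services remain disabled to prevent auto-start on boot" has lost its evidence: the removed systemctl status block, with its "Loaded: ... disabled" line, was the only output on the page showing that state. Suggest keeping a short check in its place, for example systemctl is-enabled wg-quick@wg0-blowfish.service wg-quick@wg0-fishfinger.service, so the reader can confirm that neither unit starts at boot. The HTML hunk at @@ -1435,43 +1487,45 @@ has the same change.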

    @@ -11046,6 +11100,13 @@ http://www.gnu.org/software/src-highlite -->
  • 4. The notification bar key icon disappears
  • 5. Normal internet routing resumes

  • +Switching between gateways:
    +
    +
      +
    • 1. Disable the currently active tunnel (e.g., wg0-blowfish)
    • +
    • 2. Enable the other tunnel (e.g., wg0-fishfinger)
    • +
    • Only enable one tunnel at a time
    • +

    Quick toggling from notification:

      @@ -11075,7 +11136,7 @@ earth$ ping -c2 fishfinger.wg0 earth$ curl https://ifconfig.me # Should show gateway's public IP

    -Check which gateway is active: The device will typically prefer one gateway (usually the first one with a successful handshake). To see which gateway is actively routing traffic, check the transfer statistics with sudo wg show on earth, or observe which gateway shows recent handshakes and increasing transfer bytes.
    +Check which gateway is active: Check the transfer statistics with sudo wg show on earth to see which peer shows recent handshakes and increasing transfer bytes. On Android, the WireGuard app shows the active tunnel with data transfer statistics.

    Conclusion



    -- cgit v1.2.3
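Review bot: In the hosts hunks (@@ -575,9 +571,40 @@ and @@ -595,8 +622,40 @@, repeated in atom.xml), the added r1 and r2 blocks deploy over SSH as user: root with an empty sudo_cmd:, while f1 and f2 use user: paul with sudo_cmd: doas. Now that the post spells these blocks out in full and readers are likely to copy them, suggest either moving the Linux hosts to an unprivileged account with a sudo_cmd set, as on the FreeBSD hosts, or adding a sentence on why direct root login is used there.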