From 857553d40033b57b8bcabc51dbe7e13095c8f71c Mon Sep 17 00:00:00 2001 From: Paul Buetow Date: Sat, 17 Jan 2026 00:11:46 +0200 Subject: Reorder roaming client section: configuration before usage Restructured "Managing Roaming Client Tunnels" section to follow a more logical flow: 1. First: Manual gateway failover configuration (create the configs) - Configuration files for pixel7pro (QR codes) - Configuration files for earth (systemd services) 2. Then: Usage instructions - Starting/stopping on earth (using the configured services) - Starting/stopping on pixel7pro (using the imported profiles) - Verifying connectivity This "configure first, then use" approach is more intuitive than the previous order where usage instructions came before explaining the failover configuration. Co-Authored-By: Claude Sonnet 4.5 --- ...5-11-f3s-kubernetes-with-freebsd-part-5.gmi.tpl | 135 +++++++++++---------- 1 file changed, 68 insertions(+), 67 deletions(-) (limited to 'gemfeed') diff --git a/gemfeed/2025-05-11-f3s-kubernetes-with-freebsd-part-5.gmi.tpl b/gemfeed/2025-05-11-f3s-kubernetes-with-freebsd-part-5.gmi.tpl index f322aaa8..f8249c0c 100644 --- a/gemfeed/2025-05-11-f3s-kubernetes-with-freebsd-part-5.gmi.tpl +++ b/gemfeed/2025-05-11-f3s-kubernetes-with-freebsd-part-5.gmi.tpl @@ -1249,14 +1249,58 @@ peer: 2htXdNcxzpI2FdPDJy4T4VGtm1wpMEQu1AkQHjNY6F8= ## Managing Roaming Client Tunnels -Since roaming clients like `earth` and `pixel7pro` connect on-demand rather than being always-on like the infrastructure hosts, it's useful to know how to start and stop the WireGuard tunnels. +Since roaming clients like `earth` and `pixel7pro` connect on-demand rather than being always-on like the infrastructure hosts, it's useful to know how to configure and manage the WireGuard tunnels. + +### Manual gateway failover configuration + +The default configuration for roaming clients includes both gateways (blowfish and fishfinger) with `AllowedIPs = 0.0.0.0/0, ::/0`. However, WireGuard doesn't automatically failover between multiple peers with identical `AllowedIPs` routes. When both gateways are configured this way, WireGuard uses the first peer with a recent handshake. If that gateway goes down, traffic won't automatically switch to the backup gateway. + +To enable manual failover, separate configuration files can be created for roaming clients (earth laptop and pixel7pro phone), each containing only a single gateway peer. This provides explicit control over which gateway handles traffic. + +#### Configuration files for pixel7pro (phone) + +Two separate configs in `/home/paul/git/wireguardmeshgenerator/dist/pixel7pro/etc/wireguard/`: + +* **wg0-blowfish.conf** - Routes all traffic through blowfish gateway (23.88.35.144) +* **wg0-fishfinger.conf** - Routes all traffic through fishfinger gateway (46.23.94.99) + +Generate QR codes for importing into the WireGuard Android app: + +```sh +qrencode -t ansiutf8 < dist/pixel7pro/etc/wireguard/wg0-blowfish.conf +qrencode -t ansiutf8 < dist/pixel7pro/etc/wireguard/wg0-fishfinger.conf +``` + +Import both QR codes using the WireGuard app to create two separate tunnel profiles. You can then manually enable/disable each tunnel to select which gateway to use. Only enable one tunnel at a time. + +#### Configuration files for earth (laptop) + +Two separate configs in `/home/paul/git/wireguardmeshgenerator/dist/earth/etc/wireguard/`: + +* **wg0-blowfish.conf** - Routes all traffic through blowfish gateway +* **wg0-fishfinger.conf** - Routes all traffic through fishfinger gateway + +Install both configurations: + +```sh +sudo cp dist/earth/etc/wireguard/wg0-blowfish.conf /etc/wireguard/ +sudo cp dist/earth/etc/wireguard/wg0-fishfinger.conf /etc/wireguard/ +``` + +This approach provides explicit control over which gateway handles roaming client traffic, useful when one gateway needs maintenance or experiences connectivity issues. ### Starting and stopping on earth (Fedora laptop) -On the Fedora laptop, WireGuard is managed via systemd. Starting the tunnel: +On the Fedora laptop, WireGuard is managed via systemd. Using the separate gateway configs: ```sh -earth$ sudo systemctl start wg-quick@wg0.service +# Start with blowfish gateway +earth$ sudo systemctl start wg-quick@wg0-blowfish.service + +# Or start with fishfinger gateway +earth$ sudo systemctl start wg-quick@wg0-fishfinger.service + +# Check tunnel status earth$ sudo wg show interface: wg0 public key: Mc1CpSS3rbLN9A2w9c75XugQyXUkGPHKI2iCGbh8DRo= @@ -1281,36 +1325,38 @@ peer: Xow+d3qVXgUMk4pcRSQ6Fe+vhYBa3VDyHX/4jrGoKns= persistent keepalive: every 25 seconds ``` -Stoppint the tunnel: +Stopping the tunnel: ```sh -earth$ sudo systemctl stop wg-quick@wg0.service +earth$ sudo systemctl stop wg-quick@wg0-blowfish.service +# Or if using fishfinger: +earth$ sudo systemctl stop wg-quick@wg0-fishfinger.service + earth$ sudo wg show # No output - WireGuard interface is down ``` -Checking the tunnel status: +Switching between gateways: ```sh -earth$ sudo systemctl status wg-quick@wg0.service -● wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0 - Loaded: loaded (/usr/lib/systemd/system/wg-quick@.service; disabled) - Active: active (exited) since Sun 2026-01-11 22:45:00 EET +# Switch from blowfish to fishfinger +earth$ sudo systemctl stop wg-quick@wg0-blowfish.service +earth$ sudo systemctl start wg-quick@wg0-fishfinger.service ``` -The service remains `disabled` to prevent auto-start on boot, allowing manual control of when the VPN is active. +The services remain `disabled` to prevent auto-start on boot, allowing manual control of when the VPN is active and which gateway to use. ### Starting and stopping on pixel7pro (Android phone) -On Android using the official WireGuard app, tunnel management is like this: +On Android using the official WireGuard app, you now have two tunnel profiles (wg0-blowfish and wg0-fishfinger) after importing the QR codes: -Starting the tunnel: +Starting a tunnel: * 1. Open the WireGuard app -* 2. Tap the toggle switch next to the `pixel7pro` tunnel configuration +* 2. Tap the toggle switch next to either `wg0-blowfish` or `wg0-fishfinger` tunnel configuration * 3. The switch turns blue/green and shows "Active" * 4. A key icon appears in the notification bar indicating VPN is active -* 5. All traffic now routes through the VPN +* 5. All traffic now routes through the selected gateway Stopping the tunnel: @@ -1320,6 +1366,12 @@ Stopping the tunnel: * 4. The notification bar key icon disappears * 5. Normal internet routing resumes +Switching between gateways: + +* 1. Disable the currently active tunnel (e.g., wg0-blowfish) +* 2. Enable the other tunnel (e.g., wg0-fishfinger) +* Only enable one tunnel at a time + Quick toggling from notification: * Pull down the notification shade @@ -1344,58 +1396,7 @@ earth$ ping -c2 fishfinger.wg0 earth$ curl https://ifconfig.me # Should show gateway's public IP ``` -Check which gateway is active: The device will typically prefer one gateway (usually the first one with a successful handshake). To see which gateway is actively routing traffic, check the transfer statistics with `sudo wg show` on earth, or observe which gateway shows recent handshakes and increasing transfer bytes. - -### Manual gateway failover - -The default configuration for roaming clients includes both gateways (blowfish and fishfinger) with `AllowedIPs = 0.0.0.0/0, ::/0`. However, WireGuard doesn't automatically failover between multiple peers with identical `AllowedIPs` routes. When both gateways are configured this way, WireGuard uses the first peer with a recent handshake. If that gateway goes down, traffic won't automatically switch to the backup gateway. - -To enable manual failover, separate configuration files can be created for roaming clients (earth laptop and pixel7pro phone), each containing only a single gateway peer. This provides explicit control over which gateway handles traffic. - -#### Configuration files for pixel7pro (phone) - -Two separate configs in `/home/paul/git/wireguardmeshgenerator/dist/pixel7pro/etc/wireguard/`: - -* **wg0-blowfish.conf** - Routes all traffic through blowfish gateway (23.88.35.144) -* **wg0-fishfinger.conf** - Routes all traffic through fishfinger gateway (46.23.94.99) - -#### Configuration files for earth (laptop) - -Two separate configs in `/home/paul/git/wireguardmeshgenerator/dist/earth/etc/wireguard/`: - -* **wg0-blowfish.conf** - Routes all traffic through blowfish gateway -* **wg0-fishfinger.conf** - Routes all traffic through fishfinger gateway - -#### Using manual failover on Android - -On the pixel7pro phone, import both QR codes using the WireGuard app to create two separate tunnel profiles: - -```sh -# Generate QR codes -qrencode -t ansiutf8 < dist/pixel7pro/etc/wireguard/wg0-blowfish.conf -qrencode -t ansiutf8 < dist/pixel7pro/etc/wireguard/wg0-fishfinger.conf -``` - -In the WireGuard app, you can then manually enable/disable each tunnel to select which gateway to use. Only enable one tunnel at a time. - -#### Using manual failover on Linux - -On the earth laptop, copy both configs and use systemd to switch between them: - -```sh -# Install both configurations -sudo cp dist/earth/etc/wireguard/wg0-blowfish.conf /etc/wireguard/ -sudo cp dist/earth/etc/wireguard/wg0-fishfinger.conf /etc/wireguard/ - -# Start with blowfish gateway -sudo systemctl start wg-quick@wg0-blowfish.service - -# To switch to fishfinger gateway -sudo systemctl stop wg-quick@wg0-blowfish.service -sudo systemctl start wg-quick@wg0-fishfinger.service -``` - -This approach provides explicit control over which gateway handles roaming client traffic, useful when one gateway needs maintenance or experiences connectivity issues. +Check which gateway is active: Check the transfer statistics with `sudo wg show` on earth to see which peer shows recent handshakes and increasing transfer bytes. On Android, the WireGuard app shows the active tunnel with data transfer statistics. ## Conclusion -- cgit v1.2.3