Adding OSPF (Bird2) to your WireGuard Hub and Spoke Site-to-Site VPN

  • Published: 12 Jan 2025

Comments • 16

  • @ovedach
    @ovedach 2 days ago

    Imagine you would want to share 0.0.0.0/0 from the hub site, meaning that all clients connected to the spoke networks would route through the central hub for their default gateway.
    How would this be done in WireGuard/OSPF?
    I would guess that adding only a host-specific route for the hub on the spokes, instead of a default route, and adding a redistribute statics on the hub should solve this? Is this possible?
    Oh, and awesome video, I really liked it; very good explanations, though I think I need to revisit the 2 wg interfaces part... because it eluded me why that was necessary (I zoned out there).

  • @cmespy2005
    @cmespy2005 9 months ago +2

    Absolutely brilliant!! Great job

  • @arunkhan4951
    @arunkhan4951 14 days ago

    The topology is different from the three-node WireGuard site-to-site vlog, where all three nodes were connected in a complete mesh.
    What is the purpose of the hub box sitting between the two nodes?
    I was expecting to see dynamic routing added to that topology vs. the hard-coded static routing within WireGuard.

    • @LinuxCloudHacks
      @LinuxCloudHacks 13 days ago +1

      Hi! This video shows a hub and spoke topology, where there's a central hub and all remote sites (spokes) connect back to that central hub. Like a main office and branches. In this example, if you add a new network to the hub (or the remote branch) it's injected into OSPF. You are absolutely right about the potential of OSPF in a mesh topology. I don't have such a video, but I'll think about it.

  • @FuchsHorst
    @FuchsHorst 10 days ago

    WireGuard is awesome, but by design broken links don't bring the interface down, which would allow easy static route failover. At least that's what I've discovered.

    • @LinuxCloudHacks
      @LinuxCloudHacks 8 days ago +1

      Hi! You are absolutely right. However, for simple scenarios you can create a script that periodically checks the tunnel's health (for example by pinging a host on the other side) and replaces the route. If you have ever worked with Mikrotik routers, they have this functionality built in (enable/disable route based on ping result). Another approach is to use a dynamic routing protocol like OSPF or BGP. I might create a video on that topic (like a redundant link w/ ECMP and automatic failover etc.). Cheers!
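
The periodic "probe the far side, then replace the route" approach described in the reply above, as an added example that is not from the video or from any commenter; the interface names, addresses, failure threshold and interval are assumed placeholders:

```sh
#!/bin/sh
# Added example: static-route failover driven by a periodic WireGuard
# tunnel probe. Names, addresses and thresholds below are assumed.
set -u

REMOTE_NET="192.168.200.0/24"   # LAN behind the hub
PRIMARY_GW="10.10.0.1"          # hub's address inside wg0 (WAN 1)
BACKUP_GW="10.10.1.1"           # hub's address inside wg1 (WAN 2)
PROBE_HOST="$PRIMARY_GW"        # far end of the primary tunnel
FAIL_THRESHOLD=3                # failed probes in a row before failover
INTERVAL=5                      # seconds between probes
ACTIVE_GW=""

# Exit 0 if the far end answers over wg0, non-zero otherwise.
probe_tunnel() { ping -c 1 -W 2 -I wg0 "$PROBE_HOST" >/dev/null 2>&1; }

# next_failures CURRENT PROBE_RC: a good probe resets the counter,
# a failed one increments it, so one dropped packet never flips routes.
next_failures() {
  if [ "$2" -eq 0 ]; then echo 0; else echo $(( $1 + 1 )); fi
}

# select_gateway FAILURES: primary below the threshold, backup at or above.
# Because the counter resets on the first good probe, traffic fails back
# to the primary tunnel automatically once it recovers.
select_gateway() {
  if [ "$1" -ge "$FAIL_THRESHOLD" ]; then echo "$BACKUP_GW"; else echo "$PRIMARY_GW"; fi
}

# Rewrite the kernel route only when the chosen next hop changes.
apply_gateway() {
  [ "$1" = "$ACTIVE_GW" ] && return 0
  if ip route replace "$REMOTE_NET" via "$1"; then
    ACTIVE_GW="$1"
    logger -t wg-failover "route to $REMOTE_NET now via $1"
  fi
}

run_loop() {
  fails=0
  while :; do
    probe_tunnel; rc=$?
    fails=$(next_failures "$fails" "$rc")
    apply_gateway "$(select_gateway "$fails")"
    sleep "$INTERVAL"
  done
}

# Start the loop only when invoked as: sh wg-failover.sh --run
if [ "${1:-}" = "--run" ]; then run_loop; fi
```

The probe runs over wg0 explicitly, so a reply arriving via the backup tunnel cannot mask a dead primary tunnel.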

    • @FuchsHorst
      @FuchsHorst 7 days ago

      @LinuxCloudHacks Yesterday I removed all hardcoded routes and added OSPF to the mix, still no redundancy yet. (Bird with BGP+OSPF at Vultr announcing my subnet, WireGuard tunnel to a local VM running OSPF with Bird and acting as a router for the public subnet (on an isolated VLAN).) 🙂 Next step is probably adding VRRP to the mix.

    • @LinuxCloudHacks
      @LinuxCloudHacks 7 days ago

      So you have 2 WG tunnels between your local VM and your cloud VM and are running OSPF on top of that? And then you want to set it up so if one tunnel goes down the other does not take over? I've done that numerous times when a router has 2xWAN: it establishes 2 tunnels (one tunnel over each WAN) and if a single WAN goes down the other tunnel takes over. Unless that's not what you want.

    • @FuchsHorst
      @FuchsHorst 7 days ago

      @LinuxCloudHacks Yes, kind of. In the end I will have 2 VPS running BGP in the cloud in different locations, announcing the network (works with Vultr quite nicely). Both will be connected using WG tunnels to 2 virtual machines running locally in my Proxmox cluster at home, acting as access/colo routers. On both of those local routing VMs, OSPF is working already, but not fine-tuned. My unsolved issue is providing a failover/HA configuration for other local machines. They can only have one default gateway (= one router VM). If that VM is down, they are unreachable. I don't want to run OSPF on all those connected servers; they should not have any access to the routing infrastructure, just get their network configuration as a black box that works.

    • @LinuxCloudHacks
      @LinuxCloudHacks 7 days ago +1

      Just set up a floating IP acting as a default gateway on keepalived. Once this is working, look at keepalived state synchronization, as LVS allows you to synchronise TCP connection state so you can do transparent failover (no connections lost while a single gateway goes down). I've played with it and it works (was even planning to create a video about it).

  • @YarikUlyanov
    @YarikUlyanov 7 months ago

    Great lesson!
    Thanks.
    But I am not able to configure MD5 authentication between bird2 and Mikrotik:
        password "SecreTPassword" {
            id 5;
        };
        authentication cryptographic;
    Or
        password "SecreTPassword" {
            id 5;
            algorithm keyed md5;
        };
        authentication cryptographic;
    Doesn't work(
    ------------------
    I found the problem - ID is Auth. ID ))))

    • @LinuxCloudHacks
      @LinuxCloudHacks 7 months ago +1

      Great! Back in the day there was indeed such an issue, but they did fix it.

  • @AdrianuX1985
    @AdrianuX1985 10 months ago

    +1