> Are you sure what you described works? Last I tried it didn't work, and this is explicitly stated on wireguard.com:

If we're talking simply about decoupling routing from AllowedIPs, yes, using that right now and have set it up several times. For redundant routers, see below.

> > In other words, when sending packets, the list of allowed IPs behaves as a sort of routing table

This does seem in conflict with my understanding... Depending on exactly what devil-details go into that "sort of", of course. Not deep enough into it to tell you, though.

> Which is, I believe, also why zx2c4 called to revert the whole systemd-networkd feature.

Rather the opposite AIUI: to allow for setting routes explicitly (which introducing the wg-quick behavior broke [0]). What started making it click for me was this ArchWiki section [1]. The discussion under this GH issue may also provide some pointers [2]. Also [3].

IIRC I did get multiple outbound redundant routers with failover in the end. There may be WG-specific gremlins I glanced over but ascribed to not fully grokking the Linux IP stack and issues with *tables in general at the time; the goal I had is hairy enough without WireGuard in the mix. Please report back here on your progress if you have the time :)

[0]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003955
[1]: https://wiki.archlinux.org/title/WireGuard#systemd-networkd:...
[2]: https://github.com/systemd/systemd/issues/14176
[3]: https://www.eisfunke.com/article/docker-wireguard-systemd.ht...

-----

EDIT: Went back to take a look and I never did get proper HA routing sorted; ended up "solving" it with a script regularly checking reachability and bringing routes up/down accordingly. No need to bring the actual WG interfaces or IP assignments up/down for that, though.
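The "script regularly checking reachability and bringing routes up/down" approach from the EDIT above, written out as an added example. This is not the commenter's script nor anything from WireGuard or systemd; the interface names (wg0, wg1), the peers' tunnel addresses, the destination prefix and the probe interval are assumed for illustration. It assumes the same prefix is listed in AllowedIPs on both peers (so cryptokey routing lets either interface carry it) and that nothing else installs a route for that prefix automatically (with systemd-networkd that means RouteTable=off in the [WireGuard] section of the .netdev, or the AllowedIPs-derived route would compete with this script). The decision logic is kept separate from the ip(8) calls so it can be exercised without root.

```shell
#!/bin/sh
# Added example (not code from the comment above): a reachability-driven
# failover between two WireGuard routers that swaps a single route and never
# touches the WG interfaces themselves. All names/addresses below are assumed.

DEST_PREFIX="${DEST_PREFIX:-10.50.0.0/16}"   # assumed remote network behind both routers
PRIMARY_IF="${PRIMARY_IF:-wg0}"              # assumed WG interface towards router A
PRIMARY_PEER="${PRIMARY_PEER:-10.10.0.1}"    # assumed tunnel address of router A
BACKUP_IF="${BACKUP_IF:-wg1}"                # assumed WG interface towards router B
BACKUP_PEER="${BACKUP_PEER:-10.10.1.1}"      # assumed tunnel address of router B
INTERVAL="${INTERVAL:-10}"                   # seconds between probes
DRY_RUN="${DRY_RUN:-0}"                      # 1: print ip commands instead of running them

# probe IFACE ADDR: exit 0 if ADDR answers one ping sent out through IFACE.
# Pinning the source interface matters: without -I the kernel would pick the
# very route this script manages, and a dead primary could look alive via the backup.
probe() {
  ping -c 1 -W 2 -I "$1" "$2" >/dev/null 2>&1
}

# choose_router PRIMARY_RC BACKUP_RC: pure decision logic (ping exit codes in,
# router name out). Prefer primary whenever it answers, else backup, else none.
choose_router() {
  if [ "$1" -eq 0 ]; then printf 'primary\n'
  elif [ "$2" -eq 0 ]; then printf 'backup\n'
  else printf 'none\n'
  fi
}

# route_cmd ROUTER: the ip(8) command that realises a decision.
# "replace" is idempotent, so re-issuing it every INTERVAL is harmless.
route_cmd() {
  case "$1" in
    primary) printf 'ip route replace %s dev %s\n' "$DEST_PREFIX" "$PRIMARY_IF" ;;
    backup)  printf 'ip route replace %s dev %s\n' "$DEST_PREFIX" "$BACKUP_IF" ;;
    none)    printf 'ip route del %s\n' "$DEST_PREFIX" ;;
    *)       return 1 ;;
  esac
}

# apply ROUTER: run (or, in DRY_RUN, print) the command for a decision.
apply() {
  cmd=$(route_cmd "$1") || return 1
  if [ "$DRY_RUN" = 1 ]; then
    printf 'would run: %s\n' "$cmd"
  else
    # deleting an already-absent route is not an error worth acting on
    sh -c "$cmd" 2>/dev/null || [ "$1" = none ]
  fi
}

# main: probe both routers forever and only touch the table when the decision changes.
main() {
  last=""
  while :; do
    probe "$PRIMARY_IF" "$PRIMARY_PEER"; p=$?
    probe "$BACKUP_IF" "$BACKUP_PEER"; b=$?
    want=$(choose_router "$p" "$b")
    if [ "$want" != "$last" ]; then
      printf '%s: primary=%s backup=%s -> %s\n' "$(date -u +%FT%TZ)" "$p" "$b" "$want"
      apply "$want" && last=$want
    fi
    sleep "$INTERVAL"
  done
}

# Loop only when invoked as `failover.sh run`; sourcing the file just defines the functions.
if [ "${1:-}" = run ]; then main; fi
```

Run it as `sh failover.sh run` (as root, or with CAP_NET_ADMIN) from a systemd service or similar supervisor; set `DRY_RUN=1` first to see which `ip route` commands it would issue. Probing through each interface explicitly is the important detail: a plain `ping` to the peer would follow whatever route is currently installed, and the check would then only ever confirm its own last decision.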