Wonder if anyone has come up with a solution to this problem.
Background is I have 2 ISP connections, both of which hand out IPs using DHCP. Neither connection can be relied upon to provide a stable subnet (i.e. either subnet/gateway/IP will change without warning). I would like to use one connection as primary, and then the second connection as a backup while running my Internet over a Wireguard tunnel to a VPN server. In the event the first connection fails, the Wireguard tunnel re-establishes over the secondary connection and there is minimal impact.
What I was thinking of doing was tying each ISP-facing interface into its own VRF, and then making a policy rule to look up the default route in each VRF. I would then use a netwatch script to disable the primary policy route so that lookups would happen over the secondary ISP.
VRFs are all set up right, with the default routes being installed as expected, and I can ping out to the Internet with the policy lookups in place; however, the Wireguard tunnel itself doesn't seem to run over the VRF.
If I put one of the ISPs in the main table, Wireguard comes up without issue. Is this expected behavior? Anything I can do to force Wireguard to run over the VRF?
The question is: do you really need the VRFs?
Or can you do it with simpler, different routing tables (fib)?
VRFs can be tricky as some services might not work on them (as an example, DNS is only partially working), and unless really, really needed it is better to avoid them.
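The routing-table (fib) approach suggested in this reply, written out as an added RouterOS v7 example that is not from the thread: interface names ether1/ether2, the VPN server address 203.0.113.10, the probe addresses 198.51.100.1/.2 and the server key are placeholders.

```routeros
# Added example (not from the thread): two DHCP WANs in separate routing
# tables (fib) instead of VRFs, WireGuard outer traffic steered by routing
# rules, netwatch toggling the primary rule. RouterOS v7 syntax assumed;
# interface names, addresses and keys are placeholders.

# 1. One routing table per ISP.
/routing table add name=via-wan1 fib
/routing table add name=via-wan2 fib

# 2. DHCP clients do not touch the main table; on every (re)bind they
#    rewrite the default route of their own table, so a gateway change
#    on either ISP is picked up automatically.
/ip dhcp-client add interface=ether1 add-default-route=no use-peer-dns=no comment=wan1 \
    script=":if (\$bound=1) do={ /ip route remove [find comment=\"wan1-default\"]; /ip route add dst-address=0.0.0.0/0 gateway=\$\"gateway-address\" routing-table=via-wan1 comment=\"wan1-default\" }"
/ip dhcp-client add interface=ether2 add-default-route=no use-peer-dns=no comment=wan2 \
    script=":if (\$bound=1) do={ /ip route remove [find comment=\"wan2-default\"]; /ip route add dst-address=0.0.0.0/0 gateway=\$\"gateway-address\" routing-table=via-wan2 comment=\"wan2-default\" }"

# 3. WireGuard tunnel; the VPN server is 203.0.113.10 (placeholder).
/interface wireguard add name=wg0 listen-port=13231
/interface wireguard peers add interface=wg0 public-key="<SERVER-PUBLIC-KEY>" \
    endpoint-address=203.0.113.10 endpoint-port=51820 allowed-address=0.0.0.0/0 \
    persistent-keepalive=25s
/ip address add address=10.8.0.2/24 interface=wg0

# 4. Everything in the main table leaves through the tunnel ...
/ip route add dst-address=0.0.0.0/0 gateway=wg0 comment="all-via-vpn"

# 5. ... except the encapsulated traffic to the VPN server and the two
#    netwatch probes, which routing rules pin to one ISP table each.
#    Rules are matched top to bottom; lookup-only-in-table never falls
#    back to main, so a probe cannot leak through the tunnel.
/routing rule add dst-address=198.51.100.1/32 action=lookup-only-in-table table=via-wan1 comment="probe-wan1"
/routing rule add dst-address=198.51.100.2/32 action=lookup-only-in-table table=via-wan2 comment="probe-wan2"
/routing rule add dst-address=203.0.113.10/32 action=lookup-only-in-table table=via-wan1 comment="wg-via-wan1"
/routing rule add dst-address=203.0.113.10/32 action=lookup-only-in-table table=via-wan2 comment="wg-via-wan2"

# 6. Netwatch pings a host that is only reachable via wan1 (placeholder
#    198.51.100.1; use something stable on that ISP's path). When it
#    fails, disabling the wan1 rule lets the wan2 rule match and the
#    WireGuard handshake re-establishes from the wan2 address; when it
#    recovers, the rule is re-enabled and the tunnel moves back.
/tool netwatch add host=198.51.100.1 interval=10s timeout=1s \
    up-script="/routing rule enable [find comment=\"wg-via-wan1\"]" \
    down-script="/routing rule disable [find comment=\"wg-via-wan1\"]"
```

Only the rule matching the VPN server address is toggled, so LAN traffic keeps using the tunnel and the probe rules stay pinned to their own ISP regardless of which path is active.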
Another option is to create a second Wireguard interface, except this one is live all the time on wan2. Assuming you want a faster migration to a working VPN than waiting for the router to tell the client "hey, my WAN IP has changed, use this one now".