WireGuard port 443 authentication fails with load balancing


I noticed that the WireGuard authentication needs to talk to the specific host which the server resides on, otherwise it just fails on the connection immediately. In our HAProxy LB setup I had to change this from a round robin for load balancing to a failover setup so that the WireGuard 443 port spoke only to the correct host.

Is there a way to deal with this so the load balancing can continue to be used?


There shouldn't be any limitations with load balancing. The Pritunl client will select a random host and send an HTTPS request for authentication. Even if this request gets forwarded to a different host, the host that handles the request will return its own public address and the client will then connect to that address.

The host public address should always be set to the public IP or DNS name of that host. To forward web requests to a load balancer set the sync address in the advanced host settings to the load balancer DNS name.

If a load balancer is going to be used, the server must be configured with a replication count matching the number of hosts attached so that all hosts are online to receive the request.

Once a WireGuard connection is established, HTTPS keep-alive requests are sent to the virtual VPN IP of the Pritunl server regardless of the configuration.
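As an added illustration of the setup described in the reply above (this is not configuration from the thread or from the Pritunl project), here is what the two HAProxy backends look like side by side: a round-robin backend, where any host may answer the one-time HTTPS authentication request and hand back its own public address, and the failover variant the original poster switched to, where only the first host receives traffic until it fails its health check. Host addresses (10.0.0.11-13) and backend names are constructed; TLS passthrough in `mode tcp` is assumed because each Pritunl host serves HTTPS itself. Only the authentication request goes through the load balancer; the WireGuard tunnel and the keep-alive requests over the VPN bypass it entirely.

```haproxy
# Added example, not from the thread. Host IPs are constructed placeholders.
frontend pritunl_https
    bind *:443
    mode tcp                      # TLS passthrough: each Pritunl host terminates HTTPS
    option tcplog
    default_backend pritunl_roundrobin

# Round-robin: every host is online (replication count = number of hosts),
# so whichever host answers returns its own public address to the client.
backend pritunl_roundrobin
    mode tcp
    balance roundrobin
    option tcp-check
    server host1 10.0.0.11:443 check
    server host2 10.0.0.12:443 check
    server host3 10.0.0.13:443 check

# Failover: only host1 receives requests; host2/host3 take over when the
# health check on host1 fails. This is the workaround the original poster used.
backend pritunl_failover
    mode tcp
    balance roundrobin
    option tcp-check
    server host1 10.0.0.11:443 check
    server host2 10.0.0.12:443 check backup
    server host3 10.0.0.13:443 check backup
```

For the round-robin backend to work as the reply describes, each host's public address must be set to that host's own public IP or DNS name, and the sync address in the advanced host settings must point at the load balancer's DNS name; a health check on 443 keeps a host that is down out of rotation so the client never receives its address.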

I have set the replication count, removed the bind IP, and attached the additional hosts to the server. The handshake still fails in this setup.

I have also applied the stickiness to the HAProxy config to maintain the same host throughout the session. I am also trying the keep-alive option in HAProxy as well.

There is no session and there are no long running requests that require HTTP keep-alive. It's one request that returns an encrypted connection configuration which includes the public address of the host. If single sign-on connection authentication is used, that process involves multiple requests, but it will work if the host is switched between these requests. After this there is no interaction with the load balancer. The requests sent while the connection is active are sent over the VPN directly to the host.

Ok, so I have removed the http-keep-alive.

So the WireGuard still fails on the handshake. I am exploring to make sure it is not FW related, but I have gone as far as turning it pretty much off.

Also, interestingly… when I have the additional hosts attached, the replication set to the number of hosts and remove the bind address, I can no longer connect using OpenVPN until I reverse it all back to a single host and input the bind address again.