this post was submitted on 29 Aug 2025
12 points (100.0% liked)

networking

3219 readers
10 users here now

Community for discussing enterprise networks and the ensuing chaos that comes after inheriting or building one.

founded 2 years ago
MODERATORS
manifex@sh.itjust.works
12
Need help with WireGuard load balancing (discuss.online)
submitted 2 weeks ago by jim3692@discuss.online to c/networking@sh.itjust.works
5 comments fedilink hide all child comments
 

Context

I have a WireGuard network, which consists of some VPSs, some in-premise servers (in different premises) and some user devices (like PCs, laptops and phones). All the servers are running Debian or NixOS.

Port forwarding is only possible in VPSs, as all other devices run behind NAT/CGNAT networks.

In the current configuration, all WireGuard traffic is going through a central VPS. So, every time I need to reboot it, the entire network collapses.

Goal

I want to share the WireGuard configuration between my VPSs, and load balance the traffic between them. Since I don't have a floating IP, I am probably going to add all VPSs IPs to a domain name and let the clients decide which VPS to use.

I don't want to have separate keys on each VPS, as this makes it more time consuming to onboard new devices. It's easier to add a single VPS key to each device, and have their keys in a single shared VPS config.

Problem

Is there any way to allow the communication of 2 devices/servers, that are connected to separate VPSs?

If it's necessary, one option is to sacrifice the communication between the user devices, and configure some additional layer(s) for the servers, like OSPF or VXLAN. However, even in this case, I need the servers to be plug'n'play. I wouldn't like to reconfigure the other servers, every time a server is added or removed to/from the network (except, of course, for the WireGuard key that would need to be added/removed in the VPSs).

Relying on external services, like Tailscale is not an option.

all 6 comments
sorted by: hot top controversial new old
[–] tvcvt@lemmy.ml 4 points 2 weeks ago (1 children)

I do this with self-hosted NetBird, but that’s not raw WireGuard. I’ve heard about a few projects that help set up mesh WireGuard topologies, but I haven’t used them directly:

Maybe those would be a good starting point for your own version.

[–] jim3692@discuss.online 2 points 2 weeks ago (1 children)

With NetBird, you rely on HTTPS load balancing, and p2p connections between the nodes?

[–] tvcvt@lemmy.ml 3 points 2 weeks ago (1 children)

Here’s the how it works doc for NetBird: https://docs.netbird.io/about-netbird/how-netbird-works.

It uses a signal server for establishing the initial connection and then makes p2p WireGuard tunnels.

Because of your question, I tested disabling the server, which I run on a VPS, and I could still reach all the connected hosts and routes. I didn’t think to try it at the time, but I’m guessing I wouldn’t be able to add new clients while the server is down.

[–] jim3692@discuss.online 2 points 2 weeks ago (1 children)

Self hosting NetBird looks like a valid option, given that it also provides clients for all platforms.

The wgmesh examples that you sent, although they look like interesting additions to Linux's wireguard, they are limited to Linux machines and I need a solution that supports mobile devices as well.

[–] tvcvt@lemmy.ml 3 points 2 weeks ago

I’ve been pretty happy with NetBird. Definitely worth testing