Dual Tunnel Redundancy
Dual tunnel redundancy creates two parallel encrypted tunnels between each pair of peering members. If one tunnel fails, traffic continues to flow over the other, providing resilience against link failures. Dual tunnel works with both WireGuard and IPSec tunnel protocols.
Redundancy Modes
Active-Standby
The primary tunnel (wg2) carries all traffic under normal conditions. The secondary tunnel (wg3) remains established but idle. If the primary tunnel fails, traffic automatically shifts to the secondary.
- BGP local_pref is used to prefer the primary tunnel's routes.
- When the primary tunnel recovers, traffic shifts back to it.
- Best for: predictable traffic paths with automatic failover.
Active-Active
Both tunnels carry traffic simultaneously. Traffic is load-balanced across the primary (wg2) and secondary (wg3) tunnels.
- Provides both redundancy and increased aggregate bandwidth between sites.
- If one tunnel fails, all traffic converges onto the remaining tunnel.
- When the failed tunnel recovers, traffic rebalances across both.
- Best for: high-bandwidth links where you want to use both paths.
Active-Active provides higher aggregate throughput between sites but requires that your network supports symmetric routing. If you are unsure, start with Active-Standby -- it is simpler and works in all environments.
How Failover Works
Failover depends on BFD and BGP working together:
- BFD monitors both tunnels with sub-second health checks.
- When BFD detects a tunnel failure, it notifies BGP immediately.
- BGP withdraws routes for the failed tunnel.
- Traffic shifts to the remaining healthy tunnel.
- When the failed tunnel recovers, BFD detects the recovery and BGP re-advertises routes.
- In Active-Standby, traffic returns to the primary tunnel. In Active-Active, traffic rebalances across both tunnels.
BFD is strongly recommended for dual tunnel configurations. Without BFD, failover relies solely on BGP keepalive timers, which can take 90 seconds or more to detect a failure. With BFD, detection happens in under a second.
WAN Interface Binding
For maximum resilience, the primary and secondary tunnels can be bound to different WAN interfaces on the edge. This protects against a single WAN link failure:
- Primary tunnel: Uses the WAN interface selected when adding the member.
- Secondary tunnel: Can use a different WAN port.
If both tunnels use the same WAN interface, you are protected against tunnel-level failures but not against the WAN link itself going down.
For IPSec peerings, each tunnel in a dual tunnel pair has its own set of Security Associations (SAs) with independent keys and SPIs. Rekeying applies to both tunnels simultaneously.
Configuration
Dual tunnel is configured at the peering group level -- all member pairs in the group use the same redundancy mode.
To enable dual tunnels:
- When creating a new peering, set Redundancy Mode to Active-Standby or Active-Active.
- Specify a Secondary Tunnel Subnet (must differ from the primary subnet).
- Specify a Secondary Listen Port (must differ from the primary port).
You can also change the redundancy mode on an existing peering by editing the peering configuration.
Changing the redundancy mode on a live peering group triggers a configuration update to all members. Tunnels will briefly reconverge. Plan this change during a maintenance window.
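A pre-change check for the dual tunnel settings described on this page, added here as an example and not taken from the product. The Tunnel/Peering model, field names and sample values are hypothetical, and treating overlapping subnets as an error is a stricter assumption than the page's "must differ".

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Tunnel:               # hypothetical model, not the product's schema
    name: str               # wg2 (primary) or wg3 (secondary)
    subnet: str             # tunnel subnet, CIDR
    listen_port: int
    wan_interface: str

@dataclass
class Peering:
    redundancy_mode: str    # "active-standby" or "active-active"
    bfd_enabled: bool
    primary: Tunnel
    secondary: Tunnel

def check_peering(p):
    """Return (errors, warnings) for a dual tunnel peering definition."""
    errors, warnings = [], []
    if p.redundancy_mode not in ("active-standby", "active-active"):
        errors.append(f"unknown redundancy mode {p.redundancy_mode!r}")
    pri = ipaddress.ip_network(p.primary.subnet, strict=False)
    sec = ipaddress.ip_network(p.secondary.subnet, strict=False)
    # The page only says the subnets must differ; treating any overlap
    # as an error is a stricter assumption made for this example.
    if pri.version == sec.version and pri.overlaps(sec):
        errors.append(f"secondary subnet {sec} overlaps primary {pri}")
    if p.primary.listen_port == p.secondary.listen_port:
        errors.append("secondary listen port equals primary listen port")
    if p.primary.wan_interface == p.secondary.wan_interface:
        warnings.append("both tunnels share one WAN interface: "
                        "no protection if that WAN link goes down")
    if not p.bfd_enabled:
        warnings.append("BFD disabled: failure detection falls back to "
                        "BGP keepalive timers (90 seconds or more)")
    return errors, warnings

# Constructed sample definitions (addresses, ports, interface names invented).
GOOD = Peering("active-standby", True,
               Tunnel("wg2", "10.255.0.0/30", 51820, "wan1"),
               Tunnel("wg3", "10.255.0.4/30", 51821, "wan2"))
BAD = Peering("active-active", False,
              Tunnel("wg2", "10.255.0.0/30", 51820, "wan1"),
              Tunnel("wg3", "10.255.0.2/30", 51820, "wan1"))

if __name__ == "__main__":
    for label, peering in (("GOOD", GOOD), ("BAD", BAD)):
        errs, warns = check_peering(peering)
        print(label, "errors:", errs, "warnings:", warns)
```

Errors correspond to the page's hard requirements; warnings correspond to its resilience recommendations (separate WAN interfaces, BFD enabled).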