fail over for WireGuard

DD-WRT Forum Index -> Advanced Networking
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12889
Location: Netherlands

PostPosted: Tue Jul 27, 2021 15:18    Post subject: fail over for WireGuard
I am using WireGuard as my preferred VPN at the moment and although it works very fast and good I once in a while have a server which is not responsive.

I am thinking about making a failover setting for WireGuard so that you can designate a couple of servers in a failover group.
If the first goes down the second one is started automatically etc.

OpenVPN has already such a thing but for WireGuard we have to make that ourselves :)

My question is, is there more interest for something like this?

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
tedm
DD-WRT Guru


Joined: 13 Mar 2009
Posts: 555

PostPosted: Tue Jul 27, 2021 15:46    Post subject:
I only use VPNs where I have control of both sides. I'm lucky to live in a nation that does not require me to take steps to protect myself.

Your solution assumes that YOUR side is far more stable than the remote side, a situation that in my environment would be completely intolerable. I would continue digging until I had both sides as stable as the other.

But, IF I did live in a nation that had no concept of privacy, to where I HAD to use an outside VPN provider, then I guess the question I would have then is why would I tolerate paying for a Wireguard VPN provider that was unstable in the first place with unresponsive VPN servers?

I think I would tell that VPN provider I was going to take my money elsewhere to some other VPN provider who knew how to run VPN servers that stayed responsive.

To me, coming from an enterprise background, failover is something you do when you have a circuit that MUST STAY UP NO MATTER WHAT. And in that case you have to put failover into ALL parts of the setup.

I could see for example a setup where you had 2 dd-wrt routers, each running Wireguard, one plugged into BrandX ISP and the other plugged into BrandY ISP, and each speaking OSPF to the internal network, with 1 advertising a default GW the other not. The dd-wrt router on BrandX would be connected to VPN server #1, the dd-wrt router on BrandY would be connected to VPN server #2. If 1 of the VPN servers went down the dd-wrt routers would automatically shift the default GW advertisement to the working router.

That's failover to me. Not sure how you would implement it or if it's even possible - but if it wasn't possible that's the sort of thing I'd want to have. If I was using VPN services, that is.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12889
Location: Netherlands

PostPosted: Tue Jul 27, 2021 16:01    Post subject:
These are VPN providers with multiple server addresses. I use Mullvad at the moment, and when connected to Stockholm you can choose 20 or so server addresses.
Of course this is a non-enterprise setup with no SLA and 5 nines uptime, so once in a while a server is maybe too busy or down for maintenance, or the server does just quit (these are non-enterprise, non sft systems).

Using OpenVPN you can run into the same problems but you can specify multiple remotes to mitigate this.

You are coming from an enterprise environment, but we are talking about basic services; my VPN provider does not give me a call if the server goes down for maintenance :(

If this happens while I am away, the family is toast, so it might be useful if a different tunnel to a different provider/server is started automatically, I think, but you will not need it of course in your enterprise environment.

tedm
DD-WRT Guru


Joined: 13 Mar 2009
Posts: 555

PostPosted: Thu Jul 29, 2021 5:26    Post subject:
Ah yes, it's the "service is stable when components are considered as a group but individual components in the service are not stable" problem.

That also happens in the enterprise, too. Most commonly when you have a remote site that is like really, REALLY remote, like way up in the bushes where they think that newfangled CAT-4 networking cable is some mighty fine stuff. LOL And of course there's NO competition, so getting telco redundancy is out of the question.

What Cisco does for this kind of a problem is you can define a process on the router that uses some reachability method, ping, http, whatever, to decide if a circuit is up or down. Circuit being anything from a VPN to an ethernet port that naturally never is ever in a "down" state.

I've gone down that rabbit hole many times and never had much luck with it. It's amazing the creative ways ISPs come up with to screw things up.

What you might try in this setup is gonna sound really kludgy and hacky but it might work.

You take 2 dd-wrt routers, a nice good primary one and a less good secondary one that is OK. You configure them identically, same internal and external IP addresses. One is configured to 1 VPN provider, the other is configured to the other VPN provider.

You then insert a switch in between the Internet ports on both routers and the circuit to the ISP. Then on the LAN side you insert a second switch between both routers and the "inside" network.

Then you set up a DPDT switch (120v or 220v, whichever you have) that switches power between 2 electrical outlets. Switch in 1 position, 1 outlet is powered; switch in the other position, the other outlet is powered.

Plug 1 router into 1 outlet the other into the other outlet and secure everything away from curious fingers except for the DPDT switch.

Family gets instructions "if the Internet goes down and I'm gone, flip the switch to turn on the backup router" (and at the same time turn OFF the primary router but they don't know that)

I've done tricks like this at some of these sites: put everything in a locked cabinet, router, DSL modem, etc. with the cord hanging out and plugged into an outlet, and instructions to the warehouse guys "if you cannot login, see that plug there, unplug it, wait 20 seconds, and plug it back in".

At one site it cut down cries for help close to half.
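As an added illustration of the two ideas in this thread (egc's failover group of designated servers, and the Cisco-style "use a reachability method to decide if the circuit is up" tracking tedm describes), here is a small script of the kind that could be run from a DD-WRT cron job. It is not code from the thread, from DD-WRT or from any VPN provider; the interface name wg0, the tunnel-side probe address 10.64.0.1 and the endpoints/keys in the group are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread, DD-WRT or a provider): a failover group for
# one WireGuard tunnel in busybox-style POSIX sh. Assumed: interface wg0, address
# 10.64.0.1 reachable only through the tunnel, placeholder endpoints/keys below.
WG_IF="${WG_IF:-wg0}"
PROBE_TARGET="${PROBE_TARGET:-10.64.0.1}"

# Constructed failover group: "endpoint publickey" per line, in preference order.
FAILOVER_GROUP="se1.example.invalid:51820 PUBKEY_SE1_PLACEHOLDER
se2.example.invalid:51820 PUBKEY_SE2_PLACEHOLDER
nl1.example.invalid:51820 PUBKEY_NL1_PLACEHOLDER"

# Hooks: real commands by default; point them at shell functions to dry-run.
WG_APPLY="${WG_APPLY:-apply_peer_with_wg}"
PROBE="${PROBE:-probe_with_ping}"

apply_peer_with_wg() {  # $1 endpoint, $2 public key: repoint wg0 at that peer
  wg set "$WG_IF" peer "$2" endpoint "$1" allowed-ips 0.0.0.0/0 persistent-keepalive 25
}
probe_with_ping() {     # reachability check through the tunnel itself
  ping -c 2 -W 3 -I "$WG_IF" "$PROBE_TARGET" >/dev/null 2>&1
}

# Walk the group starting after $1 (wrapping around), apply and probe each
# member, print the first endpoint that answers and return 0; else return 1.
failover_from() {
  ordered=$(printf '%s\n' "$FAILOVER_GROUP" | awk -v cur="$1" '
    $1 == cur { seen = 1; next }
    seen      { print; next }
              { tail = tail $0 "\n" }
    END       { printf "%s", tail }')
  while read -r endpoint pubkey; do
    [ -n "$endpoint" ] || continue
    "$WG_APPLY" "$endpoint" "$pubkey" || continue
    if "$PROBE" "$endpoint"; then
      printf '%s\n' "$endpoint"
      return 0
    fi
  done <<EOF
$ordered
EOF
  return 1
}

# Cron usage: "failover.sh check"; only switch when the current peer stops answering.
if [ "${1:-}" = "check" ]; then
  cur=$(wg show "$WG_IF" endpoints | awk 'NR == 1 { print $2 }')
  "$PROBE" "$cur" || failover_from "$cur" || logger -t wg-failover "no peer answered"
fi
```

A probe through the tunnel (rather than a ping to the endpoint's public address) is what catches the "server is up but not responsive" case egc describes; when every member fails, the script leaves the tunnel on the last candidate and logs it rather than looping.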