From: "Ivan Labáth" <labawi-wg@matrix-dream.net>
To: pdub <pdub@pdub.net>
Cc: wireguard@lists.zx2c4.com
Subject: Re: WireGuard roaming behind a load balancer
Date: Thu, 17 Jan 2019 00:21:00 +0000
Message-ID: <20190117002100.GA24923@matrix-dream.net>
In-Reply-To: <CABbM=Lk6WQGctp7Z3YBYBcq9CKwRn-KWC-e8DeHxvYF+Cda8Og@mail.gmail.com>

Hi,

WireGuard isn't completely stateless. It has connections and state,
even though it is comparably small and transient.

WireGuard roaming supports changing IPs. An authenticated
packet updates the IP and all works well. Changing hosts requires
a rekey (to re-establish transient keys), and that won't be
automatically triggered by unauthenticated gibberish, so plain
switching won't work immediately.

If you don't mind a relatively short outage when switching,
it should work fine.


In your setup, where H,A,B are wg nodes, and
  (H)A - B
is switched to
  (A)H - B

B->HA traffic will be lost (considered junk) until either

 - B's timer expires and a B->H rekey is issued (maybe 10s of seconds?)
 - H->B traffic and/or timer initiates a H->B rekey

If HA can initiate traffic to B, you may be able to rig a rekey soon,
with a <1s outage, or even lossless in some circumstances, but you are
going against the design of a host-to-host "stateless" VPN.

Real hot-standby HA VPNs with transparent lossless switching
on the HA side usually share their ephemeral keys.

Regards,
Ivan
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
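The failover scenario Ivan describes (B keeps sending to the H/A identity, A drops the traffic as junk until somebody rekeys), modelled as a small discrete-time simulation. This is an added example, not code from the thread or from the WireGuard project. It reuses the node names H, A and B from the mail and assumes a virtual address "HA" in front of H and A; KEEPALIVE_TIMEOUT (10 s) and REKEY_TIMEOUT (5 s) are WireGuard's published timer constants, and the rule that a peer initiates a new handshake when data it sent has gone KEEPALIVE_TIMEOUT + REKEY_TIMEOUT without an authenticated reply is WireGuard's. Everything else is a deliberate simplification: one session per peer, the two-message handshake collapsed into a single authenticated message, no nonce counters, no cookies, no packet loss, and static-key authentication assumed to succeed.

```python
"""Toy model of WireGuard session state across an active/standby switch.
Added example, not code from the thread or the WireGuard project. Timer values
are WireGuard's; the node model is simplified: one session per peer, the
handshake collapsed into one authenticated message, no counters or cookies."""
from dataclasses import dataclass, field
import secrets

KEEPALIVE_TIMEOUT = 10.0   # seconds (WireGuard constant)
REKEY_TIMEOUT = 5.0        # seconds (WireGuard constant)


@dataclass
class Packet:
    kind: str    # "handshake" or "data"
    src: str     # source address; H and A both send from the VIP "HA"
    dst: str     # destination address
    peer: str    # sender's static identity; H and A share "HA"
    key: bytes   # session key: fresh on handshake, must match on data


@dataclass
class Node:
    name: str
    ident: str                                     # static-key identity
    addr: str                                      # own address (the VIP for H/A)
    session: dict = field(default_factory=dict)    # peer ident -> session key
    endpoint: dict = field(default_factory=dict)   # peer ident -> last good src
    rekey_at: dict = field(default_factory=dict)   # peer ident -> timer deadline
    delivered: list = field(default_factory=list)  # times of accepted data
    dropped: list = field(default_factory=list)    # times of rejected data

    def handshake(self, peer, dst):
        """Fresh ephemeral session key; static-key auth assumed valid here."""
        key = secrets.token_bytes(32)
        self.session[peer] = key
        self.rekey_at.pop(peer, None)
        return Packet("handshake", self.addr, dst, self.ident, key)

    def send_data(self, peer, dst, now):
        if peer not in self.session:
            return self.handshake(peer, dst)
        # Data sent with no authenticated reply since arms the
        # KEEPALIVE_TIMEOUT + REKEY_TIMEOUT "new handshake" timer.
        self.rekey_at.setdefault(peer, now + KEEPALIVE_TIMEOUT + REKEY_TIMEOUT)
        return Packet("data", self.addr, dst, self.ident, self.session[peer])

    def tick(self, peer, dst, now):
        if now >= self.rekey_at.get(peer, float("inf")):
            return self.handshake(peer, dst)       # timer expired: rekey
        return None

    def receive(self, pkt, now):
        """Return True if the packet authenticated and was accepted."""
        if pkt.kind == "handshake":
            self.session[pkt.peer] = pkt.key       # responder installs session
        elif self.session.get(pkt.peer) != pkt.key:
            self.dropped.append(now)               # junk: no matching session
            return False
        else:
            self.delivered.append(now)
        self.endpoint[pkt.peer] = pkt.src          # roaming: authenticated src wins
        self.rekey_at.pop(pkt.peer, None)          # authenticated reply clears timer
        return True


def failover(switch_at, standby_sends_at=None, horizon=60):
    """B sends one packet per second to the HA identity via the VIP; H answers
    until switch_at, then A. Returns A's junk count and first accepted time."""
    H, A, B = Node("H", "HA", "HA"), Node("A", "HA", "HA"), Node("B", "B", "B")
    active = {"HA": H, "B": B}

    def deliver(pkt, now):
        if active[pkt.dst].receive(pkt, now) and pkt.kind == "data":
            reply = active[pkt.dst].send_data(pkt.peer, pkt.src, now)  # echo
            active[reply.dst].receive(reply, now)

    for t in range(horizon):
        if t == switch_at:
            active["HA"] = A                       # load balancer fails over
        if t == standby_sends_at:
            deliver(A.send_data("B", "B", t), t)   # A has no session: handshakes
        hs = B.tick("HA", "HA", t)
        if hs is not None:
            deliver(hs, t)
        deliver(B.send_data("HA", "HA", t), t)
    return {"lost": len(A.dropped),
            "recovered_at": A.delivered[0] if A.delivered else None}


def roaming():
    """Authenticated data from a new address updates the endpoint without a
    handshake; data under an unknown key does not. Returns (endpoint, junk ok)."""
    H, B = Node("H", "HA", "HA"), Node("B", "B", "B1")
    H.receive(B.send_data("HA", "HA", 0), 0)       # handshake from address B1
    B.addr = "B2"                                  # B moves networks
    H.receive(B.send_data("HA", "HA", 1), 1)       # same session, new source
    junk = Packet("data", "B3", "HA", "B", secrets.token_bytes(32))
    return H.endpoint["B"], H.receive(junk, 2)
```

With the switch at t=30 and B left to its own timers, failover(30) reports 15 packets rejected by A and recovery at t=45: B's new-handshake timer fires KEEPALIVE_TIMEOUT + REKEY_TIMEOUT after its first unanswered packet, which is the "B's timer expires" branch above. With failover(30, standby_sends_at=32), A's first outbound packet turns into a handshake because A holds no session for B, B accepts it on the strength of the shared static key, and only 2 packets are lost, which is the "H->B traffic initiates a rekey" branch. roaming() returns ("B2", False): the authenticated packet from the new address moved the endpoint, the packet under an unknown key did not. Not modelled: the initiator-side REKEY_AFTER_TIME rekey at 120 s, handshake retransmission, and the cookie mechanism, none of which change the picture for a switch inside a live session.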

Thread overview:
2019-01-15 16:45 WireGuard roaming behind a load balancer pdub
2019-01-16 18:44 ` John Huttley
2019-01-17  0:21 ` Ivan Labáth [this message]
2019-01-17  0:40   ` Samuel Holland
2019-01-17 11:54     ` Ivan Labáth