* roaming and ddns dynamic ip
From: d tbsky @ 2017-11-22 10:53 UTC (permalink / raw)
To: WireGuard mailing list
Hi:
I tried some setups for WireGuard and found it may cause a problem.
Assume the server has a dynamic IP and has a static DNS name
"ddns-server.example.com".
client.conf is like below:
[Interface]
PrivateKey = ****
ListenPort = 51820
[Peer]
PublicKey = ****
Endpoint = ddns-server.example.com:51820
AllowedIPs = 0.0.0.0/0
If I use "wg setconf wg0 client.conf", then use "wg showconf wg0", the result is below:
[Interface]
ListenPort = 51820
PrivateKey = ****
[Peer]
PublicKey = ****
AllowedIPs = 0.0.0.0/0
Endpoint = 1.1.1.1:51820
The "ddns-server.example.com" has been translated to IP "1.1.1.1".
If later "ddns-server.example.com" changes IP to "2.2.2.2", I wonder if
WireGuard will try to resolve "ddns-server.example.com" again? Will
WireGuard try to resolve "ddns-server.example.com" again when the
connection is broken?
Thanks a lot for help!!
Regards,
tbskyd
* Re: roaming and ddns dynamic ip
From: Jason A. Donenfeld @ 2017-11-22 11:59 UTC (permalink / raw)
To: d tbsky; +Cc: WireGuard mailing list
Hello,
This is not a bug. DNS resolution is not done by the WireGuard module,
but rather by the configuration tool. If you want to update an IP,
you'll need to devise a mechanism for this. One popular one is this
example script:
https://git.zx2c4.com/WireGuard/tree/contrib/examples/reresolve-dns ,
but many other possibilities exist too.
Jason
* Re: roaming and ddns dynamic ip
From: d tbsky @ 2017-11-22 12:51 UTC (permalink / raw)
To: Jason A. Donenfeld; +Cc: WireGuard mailing list
2017-11-22 19:59 GMT+08:00 Jason A. Donenfeld <Jason@zx2c4.com>:
> Hello,
>
> This is not a bug. DNS resolution is not done by the WireGuard module,
> but rather by the configuration tool. If you want to update an IP,
> you'll need to devise a mechanism for this. One popular one is this
> example script:
> https://git.zx2c4.com/WireGuard/tree/contrib/examples/reresolve-dns ,
> but many other possibilities exist too.
>
> Jason
I don't think it's a bug. As you said, that's by design, although it
means I need another tool to co-maintain the VPN connection.
If WireGuard can be configured to disable roaming and always use the
static DNS name as the endpoint, maybe the problem can be solved
automatically, like OpenVPN can restart itself and resolve the DNS name
again when the connection is broken.
But anyway, I can live with the current situation. I just need to figure
it out. Thanks a lot for your clarification!
Regards,
tbskyd
* Re: roaming and ddns dynamic ip
From: Jason A. Donenfeld @ 2017-11-22 13:14 UTC (permalink / raw)
To: d tbsky; +Cc: WireGuard mailing list
On Wed, Nov 22, 2017 at 1:51 PM, d tbsky <tbskyd@gmail.com> wrote:
> I don't think it's a bug. as you said, that's by design. although it
> means I need other tool to co-maintain the vpn connection.
WireGuard is by design a building block. wg-quick is one possible tool
made out of the building block. The script I linked in the last email
is another. You might need to make another tool out of the building
block, which you could then open source.
* Re: roaming and ddns dynamic ip
From: Lonnie Abelbeck @ 2017-11-22 15:49 UTC (permalink / raw)
To: WireGuard mailing list
On Nov 22, 2017, at 6:51 AM, d tbsky <tbskyd@gmail.com> wrote:
> 2017-11-22 19:59 GMT+08:00 Jason A. Donenfeld <Jason@zx2c4.com>:
>> Hello,
>>
>> This is not a bug. DNS resolution is not done by the WireGuard module,
>> but rather by the configuration tool. If you want to update an IP,
>> you'll need to devise a mechanism for this. One popular one is this
>> example script:
>> https://git.zx2c4.com/WireGuard/tree/contrib/examples/reresolve-dns ,
>> but many other possibilities exist too.
>>
>> Jason
>
> I don't think it's a bug. as you said, that's by design. although it
> means I need other tool to co-maintain the vpn connection.
Jason, question, if each endpoint had PersistentKeepalive enabled, does
that update the endpoint addresses via your roaming code? Or does
actual tunnel data traffic need to occur to update roaming endpoints?
If PersistentKeepalive updates roaming endpoints, then it would seem to
be a very rare situation when both endpoints had an address change
within the PersistentKeepalive window.
Lonnie
* Re: roaming and ddns dynamic ip
From: d tbsky @ 2017-11-22 16:00 UTC (permalink / raw)
To: Lonnie Abelbeck; +Cc: WireGuard mailing list
2017-11-22 23:49 GMT+08:00 Lonnie Abelbeck <lists@lonnie.abelbeck.com>:
>
> On Nov 22, 2017, at 6:51 AM, d tbsky <tbskyd@gmail.com> wrote:
>
>> 2017-11-22 19:59 GMT+08:00 Jason A. Donenfeld <Jason@zx2c4.com>:
>>> Hello,
>>>
>>> This is not a bug. DNS resolution is not done by the WireGuard module,
>>> but rather by the configuration tool. If you want to update an IP,
>>> you'll need to devise a mechanism for this. One popular one is this
>>> example script:
>>> https://git.zx2c4.com/WireGuard/tree/contrib/examples/reresolve-dns ,
>>> but many other possibilities exist too.
>>>
>>> Jason
>>
>> I don't think it's a bug. as you said, that's by design. although it
>> means I need other tool to co-maintain the vpn connection.
>
> Jason, question, if each endpoint had PersistentKeepalive enabled, does that update the endpoint addresses via your roaming code ? Or does actual tunnel data traffic need to occur to update roaming endpoints ?
>
> If PersistentKeepalive updates roaming endpoints, then it would seem to be a very rare situation when both endpoints had an address change within the PersistentKeepalive window.
>
> Lonnie
When the client is behind a firewall via NAT to the internet, and the server has
a dynamic IP, I don't think keepalive will help. Since the changed
server cannot connect to the client, it needs the client to initiate the
connection. Under OpenVPN, keepalive can detect a broken link and try to
restart itself, then the client can reconnect to the server automatically.
But if both sites have public IPs, maybe WireGuard keepalive can do the work?
Regards,
tbskyd
* Re: roaming and ddns dynamic ip
From: Matthias Urlichs @ 2017-11-22 16:39 UTC (permalink / raw)
To: wireguard
On 22.11.2017 17:00, d tbsky wrote:
> when client is behind firewall via nat to internet, and server has
> dynamic ip, I don't think keepalive will help. since the changed
> server can not connect to client, it needs client to initiate the
> connection. under openvpn, keepalive can detect broken link and try to
> restart itself, then client can reconnect to server automatically.
That situation calls for userspace (on the client) to monitor the
connection and update the peer address, if it changed.
The kernel side's job would be to be sufficiently monitor-able via
netlink – polling is evil – so that a userspace tool can actually do this.
--
-- Matthias Urlichs
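The userspace approach described in the replies above (re-resolve the DNS name on the client and update the peer's endpoint), as an added example that is not part of the thread and is not the linked reresolve-dns script. The 135-second staleness threshold, the `demo` helpers and every key, hostname and timestamp in the dry run are assumptions made up for the example.

```shell
#!/bin/sh
# Added example: re-resolve DNS endpoints only for peers whose handshake is stale.
STALE_AFTER=${STALE_AFTER:-135}   # assumed threshold, in seconds
WG=${WG:-wg}                      # command to run; demo() swaps in a stub

# Print "<public-key> <endpoint>" for each [Peer] section that has an Endpoint.
peer_endpoints() {
    awk '
        function val(s) { sub("#.*", "", s); sub(/^[^=]*=[ \t]*/, "", s); sub(/[ \t\r]+$/, "", s); return s }
        function flush() { if (key != "" && ep != "") print key, ep; key = ep = "" }
        /^[ \t]*\[/ { flush(); in_peer = (tolower($0) ~ /^[ \t]*\[peer\]/) }
        in_peer && tolower($0) ~ /^[ \t]*publickey[ \t]*=/ { key = val($0) }
        in_peer && tolower($0) ~ /^[ \t]*endpoint[ \t]*=/  { ep = val($0) }
        END { flush() }
    ' "$1"
}
# stdin: `wg show <if> latest-handshakes` lines, "<key>\t<unix-time>" (0 = never).
# Prints keys whose last handshake is more than STALE_AFTER seconds before $1.
stale_peers() {
    awk -v now="$1" -v max="$STALE_AFTER" 'now - $2 > max { print $1 }'
}

# usage: reresolve <interface> <config-file>
reresolve() {
    stale=$($WG show "$1" latest-handshakes | stale_peers "$(date +%s)")
    peer_endpoints "$2" | while read -r key ep; do
        if printf '%s\n' "$stale" | grep -Fxq -e "$key"; then
            # wg(8) resolves the name again here; the kernel module only keeps the IP.
            $WG set "$1" peer "$key" endpoint "$ep"
        fi
    done
}

# Dry run on constructed data: keys, hostnames and timestamps are made up.
demo_wg() {
    case "$1" in
        show) printf 'AAAAkey1=\t%s\nBBBBkey2=\t1000\n' "$(date +%s)" ;;
        set)  echo "wg $*" ;;
    esac
}
demo() {
    conf=$(mktemp) || return 1
    printf '%s\n' '[Interface]' 'ListenPort = 51820' \
        '[Peer]' 'PublicKey = AAAAkey1=' 'Endpoint = a.example.com:51820' \
        '[Peer]' 'PublicKey = BBBBkey2=' 'Endpoint = ddns-server.example.com:51820' > "$conf"
    ( WG=demo_wg; reresolve wg0 "$conf" )
    rm -f "$conf"
}
if [ "$#" -eq 2 ]; then reresolve "$1" "$2"; else demo; fi
```

Because WireGuard authenticates each peer by its public key, a wrong or spoofed DNS answer picked up by such a helper can misdirect packets and stall the tunnel, but it cannot make another host pass as the peer.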
* Re: roaming and ddns dynamic ip
From: Bruno Wolff III @ 2017-11-22 17:28 UTC (permalink / raw)
To: d tbsky; +Cc: WireGuard mailing list
On Thu, Nov 23, 2017 at 00:00:51 +0800,
d tbsky <tbskyd@gmail.com> wrote:
>
>when client is behind firewall via nat to internet, and server has
>dynamic ip, I don't think keepalive will help. since the changed
>server can not connect to client, it needs client to initiate the
>connection. under openvpn, keepalive can detect broken link and try to
>restart itself, then client can reconnect to server automatically.
If both sides are using keep alives it could help. It won't work if both sides
change IP addresses between keep alives. And if the client is turned off
when the server changes IP addresses that is going to apply.