From: Samuel Holland <samuel@sholland.org>
To: "Ivan Labáth" <labawi-wg@matrix-dream.net>, pdub <pdub@pdub.net>
Cc: wireguard@lists.zx2c4.com
Subject: Re: WireGuard roaming behind a load balancer
Date: Wed, 16 Jan 2019 18:40:05 -0600 [thread overview]
Message-ID: <d66b2b95-ee36-ed16-b8fa-94edfe092478@sholland.org> (raw)
In-Reply-To: <20190117002100.GA24923@matrix-dream.net>
On 01/16/19 18:21, Ivan Labáth wrote:
> In your setup, where H,A,B are wg nodes, and
> (H)A - B
> is switched to
> (A)H - B
I assume here A and H are the active/hot-spare pair, and B is the remote node.
> B->HA traffic will be lost (considered junk) until either
>
> - B's timer expires and a B->H rekey is issued (maybe 10s of seconds?)
To be precise, this timer is 120 seconds from the last successful handshake.
> - H->B traffic and/or timer initiates a H->B rekey
>
> If HA can initate traffic to B, you may be able to rig a rekey soon,
> with a <1s outage, or even lossless in some circumstances, but you are
> going against the design of a host-to-host "stateless" vpn.
H can immediately send handshakes to all peers when it is brought up (and will
do so today if they have persistent keepalives set). But you need more than HA
being able to initiate traffic to B. B could have roamed to a new IP while it
was communicating with A. Then A would know about the new IP (because it
received an authenticated packet from there), but H would not.
So you need some way to stream endpoint updates between A and H. I'm not sure if
WireGuard's netlink has a way to push endpoint changes (that would be nice), but
you could at least poll netlink on the active host, and push netlink on the standby.
You could also extend the netlink interface with a way for userspace to request
a handshake on all peers. Then you could leave the interface up, and wouldn't
need any persistent keepalives.
> Real hot-standby HA VPNs with transparent lossless switching
> on the HA side usually share their ephemeral keys.
Sharing ephemeral keys would avoid the need for a new handshake at failover, but
that is very little benefit, since handshakes happen every couple of minutes
anyway. More importantly, sharing keys comes with the security risk of sending
your most sensitive data over the network. Anyone with those keys can decrypt
VPN traffic in real time.
Plus you *still* need the updated endpoint information to send packets from H to
B before B sends anything to AH, even if the session key is still valid. So I
highly recommend against attempting to extract the ephemeral keys from the kernel.
> Regards,
> Ivan
Cheers,
Samuel
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
next prev parent reply other threads:[~2019-01-17 0:40 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-15 16:45 WireGuard roaming behind a load balancer pdub
2019-01-16 18:44 ` John Huttley
2019-01-17 0:21 ` Ivan Labáth
2019-01-17 0:40 ` Samuel Holland [this message]
2019-01-17 11:54 ` Ivan Labáth
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d66b2b95-ee36-ed16-b8fa-94edfe092478@sholland.org \
--to=samuel@sholland.org \
--cc=labawi-wg@matrix-dream.net \
--cc=pdub@pdub.net \
--cc=wireguard@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.