WireGuard Archive on lore.kernel.org
* Status of Bird<->wireguard integration
@ 2019-08-17 13:55 Nico Schottelius
  2019-08-25 19:36 ` Justin Kilpatrick
  0 siblings, 1 reply; 2+ messages in thread
From: Nico Schottelius @ 2019-08-17 13:55 UTC (permalink / raw)
  To: WireGuard mailing list


Hello again,

I was wondering what the status is of the integration of wireguard into
bird and whether there is any help needed?

I am wondering because integrating wireguard into bird would make it easy
to create wireguard server clusters that announce only the connected
clients via BGP:

client
  | \               |
  | --------------- |
server1              server2
[wireguard+bird]     [wireguard+bird]
  \                   /
  BGP               BGP
   -------- | -------
            |
     upstream router

This would not only make it easy to create any number of failover VPN
endpoints, but would also allow load balancing to be implemented easily.

Best regards,

Nico

--
Your Swiss, Open Source and IPv6 Virtual Machine. Now on www.datacenterlight.ch.
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

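An added example (not code from this thread, from WireGuard or from Bird) of the "announce only the connected clients" piece of the design sketched above: it parses the output of `wg show <iface> dump`, keeps the AllowedIPs of peers whose latest handshake is recent, and renders them as Bird 2 `protocol static` blocks that a BGP session can then export to the upstream router. The 180-second handshake age cutoff, the interface name wg0, the protocol names wg_clients_v4/v6 and the sample dump are all assumptions made for the example.

```python
import ipaddress
import subprocess
import time

# Assumption: a peer is "connected" if its latest handshake is at most this
# old. WireGuard stops using a session 180 s after its handshake, so an
# older handshake cannot be carrying traffic anyway.
HANDSHAKE_MAX_AGE = 180

# Fixed "now" so the constructed sample below is reproducible.
NOW = 1566050000

# Constructed sample of `wg show wg0 dump` (tab separated; keys abbreviated).
# Line 1 is the interface: private key, public key, listen port, fwmark.
# Each further line is one peer: public key, preshared key, endpoint,
# allowed IPs, latest handshake (epoch seconds, 0 = never), rx bytes,
# tx bytes, persistent keepalive.
SAMPLE_DUMP = "\n".join([
    "\t".join(["PRIVKEY=", "SERVERPUB=", "51820", "off"]),
    "\t".join(["PEER_A=", "(none)", "198.51.100.10:41234",
               "10.100.0.2/32,fd00:100::2/128", str(NOW - 30), "1024", "2048", "25"]),
    "\t".join(["PEER_B=", "(none)", "203.0.113.7:51820",
               "10.100.0.3/32", str(NOW - 600), "4096", "4096", "off"]),
    "\t".join(["PEER_C=", "(none)", "(none)",
               "10.100.0.4/32", "0", "0", "0", "off"]),
    "\t".join(["PEER_D=", "(none)", "192.0.2.9:5000",
               "0.0.0.0/0", str(NOW - 5), "10", "10", "off"]),
]) + "\n"


def parse_dump(text):
    """Parse `wg show <iface> dump` output into a list of peer dicts."""
    peers = []
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for line in lines[1:]:  # skip the interface line
        f = line.split("\t")
        if len(f) < 8:
            raise ValueError(f"malformed peer line: {line!r}")
        peers.append({
            "pubkey": f[0],
            "endpoint": None if f[2] == "(none)" else f[2],
            "allowed_ips": [ipaddress.ip_network(p, strict=False)
                            for p in f[3].split(",") if p and p != "(none)"],
            "latest_handshake": int(f[4]),
        })
    return peers


def connected_prefixes(peers, now, max_age=HANDSHAKE_MAX_AGE):
    """AllowedIPs of peers with a handshake newer than max_age, de-duplicated.

    Prefixes of length 0 are refused: a client whose AllowedIPs is
    0.0.0.0/0 or ::/0 (full-tunnel mode) would otherwise be announced to
    the upstream as our default route, which hijacks traffic rather than
    advertising a client.
    """
    out = set()
    for p in peers:
        hs = p["latest_handshake"]
        if hs == 0 or now - hs > max_age:
            continue
        out.update(n for n in p["allowed_ips"] if n.prefixlen > 0)
    return sorted(out, key=lambda n: (n.version, n))


def bird_static_config(prefixes, iface, name="wg_clients"):
    """Render one Bird 2 `protocol static` block per address family.

    Assumption: Bird 2.x syntax, with `route <prefix> via "<iface>"` for a
    route pointing at the WireGuard interface.
    """
    blocks = []
    for version, channel in ((4, "ipv4"), (6, "ipv6")):
        nets = [n for n in prefixes if n.version == version]
        if not nets:
            continue
        lines = [f"protocol static {name}_v{version} {{", f"    {channel};"]
        lines += [f'    route {n} via "{iface}";' for n in nets]
        lines.append("}")
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + ("\n" if blocks else "")


def render_from_interface(iface, now=None, max_age=HANDSHAKE_MAX_AGE):
    """Same pipeline against the live interface (needs root / CAP_NET_ADMIN)."""
    dump = subprocess.run(["wg", "show", iface, "dump"], check=True,
                          capture_output=True, text=True).stdout
    now = time.time() if now is None else now
    return bird_static_config(connected_prefixes(parse_dump(dump), now, max_age), iface)


if __name__ == "__main__":
    print(bird_static_config(connected_prefixes(parse_dump(SAMPLE_DUMP), NOW), "wg0"))
```

Run periodically, write the output to a file that bird.conf includes, and reload with `birdc configure`; routes for peers whose handshakes go stale then disappear from the announcement on the next run. The prefix-length check is the one safety rail worth keeping even if everything else is replaced: a road-warrior peer with AllowedIPs 0.0.0.0/0 is a perfectly normal WireGuard configuration, but it must never reach the upstream router as a route.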

* Re: Status of Bird<->wireguard integration
  2019-08-17 13:55 Status of Bird<->wireguard integration Nico Schottelius
@ 2019-08-25 19:36 ` Justin Kilpatrick
  0 siblings, 0 replies; 2+ messages in thread
From: Justin Kilpatrick @ 2019-08-25 19:36 UTC (permalink / raw)
  To: wireguard

I run a Babel/Wireguard combo which is pretty similar to what you're imagining. I have an implemented and (somewhat) working solution to do what you describe that's currently in production.

Wireguard in its current form cannot do fast fail-over in a practical way. This isn't really WireGuard's fault so much as it is a consequence of the security model.

Imagine for a moment you have two WireGuard servers and a client. Exactly like your ASCII example. The client determines that its connection to server 1 is degraded or otherwise failed and starts directing packets to server 2.

Since the client has a valid handshake with server 1, it's sending packets symmetrically encrypted with a key server 2 does not have. All packets get discarded until the handshake expires a minute later and is renegotiated with server 2.

Obviously this makes the clients very unhappy. 

I'm not familiar enough with the cryptography design of WireGuard to really comment on a good solution. Ideally the server could recognize this situation and do an immediate handshake without compromising security. 

-- 
  Justin Kilpatrick
  justin@althea.net


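The situation described in the reply above, as an added model (not code from this thread or from WireGuard): two servers, one client, a transport key that exists only because of a handshake, and a receiver index that the server uses to look up the session a data packet belongs to. The handshake and cipher are stand-ins built from SHA-256 and HMAC rather than WireGuard's Noise IK handshake and ChaCha20-Poly1305, and the model has no timers, so it shows only the state problem and says nothing about how long the real protocol takes to recover. The class names, byte layouts and sample messages are made up for the example.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 32  # HMAC-SHA256 tag; stand-in for the 16-byte Poly1305 tag


def _kdf(*parts):
    # Stand-in KDF; WireGuard derives transport keys with HKDF/BLAKE2s.
    return hashlib.sha256(b"|".join(parts)).digest()


def _keystream(key, counter, n):
    # Stand-in for ChaCha20: a deterministic keystream from (key, counter).
    out, block = b"", 0
    while len(out) < n:
        out += _kdf(key, struct.pack("<QQ", counter, block))
        block += 1
    return out[:n]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


class Server:
    def __init__(self, name):
        self.name = name
        self.static = os.urandom(32)  # stand-in for the server's static key
        self.sessions = {}            # receiver index -> [transport key, last counter]
        self.dropped = 0
        self.delivered = []

    def handshake(self, client_static, client_ephemeral):
        # Stand-in for the Noise IK exchange: both sides end up with the same
        # transport key, and the server chooses the receiver index the client
        # must put in every data packet. Returning the key directly is a
        # shortcut for the model; in reality each side derives it.
        key = _kdf(client_static, self.static, client_ephemeral)
        index = struct.unpack("<I", os.urandom(4))[0]
        self.sessions[index] = [key, -1]
        return index, key

    def receive(self, packet):
        index, counter = struct.unpack("<IQ", packet[:12])
        body, tag = packet[12:-TAG_LEN], packet[-TAG_LEN:]
        sess = self.sessions.get(index)
        if sess is None:
            # No handshake ever happened with this server: there is no key to
            # even try, so the packet is discarded. This is the failover case.
            self.dropped += 1
            return None
        key, last = sess
        expect = hmac.new(key, packet[:-TAG_LEN], hashlib.sha256).digest()
        if not hmac.compare_digest(expect, tag) or counter <= last:
            self.dropped += 1  # forged, corrupted or replayed
            return None
        sess[1] = counter
        plaintext = _xor(body, _keystream(key, counter, len(body)))
        self.delivered.append(plaintext)
        return plaintext


class Client:
    def __init__(self):
        self.static = os.urandom(32)
        self.endpoint = None
        self.index = self.key = None
        self.counter = 0

    def handshake(self, server):
        self.index, self.key = server.handshake(self.static, os.urandom(32))
        self.endpoint = server
        self.counter = 0

    def send(self, plaintext):
        header = struct.pack("<IQ", self.index, self.counter)
        body = _xor(plaintext, _keystream(self.key, self.counter, len(plaintext)))
        tag = hmac.new(self.key, header + body, hashlib.sha256).digest()
        self.counter += 1
        return self.endpoint.receive(header + body + tag)


def failover_scenario():
    """A client with a live session to server1 repoints it at server2."""
    s1, s2 = Server("server1"), Server("server2")
    c = Client()
    c.handshake(s1)
    for i in range(3):
        c.send(b"to server1 #%d" % i)
    # The client decides server1 is degraded and sends to server2 instead,
    # still using the session negotiated with server1.
    c.endpoint = s2
    for i in range(5):
        c.send(b"after failover #%d" % i)
    dropped_before_rehandshake = s2.dropped
    # Only a new handshake with server2 gets packets flowing again.
    c.handshake(s2)
    c.send(b"after re-handshake")
    return {"delivered_by_server1": len(s1.delivered),
            "dropped_by_server2": dropped_before_rehandshake,
            "delivered_by_server2": len(s2.delivered)}


if __name__ == "__main__":
    print(failover_scenario())
```

The structural point is that server2 drops the redirected packets not because authentication fails, but because it has no session for the receiver index at all: there is no key to attempt a decryption with, so nothing short of a fresh handshake with server2 can make those packets readable. Sharing session state between servers would remove the drop, but it would also mean a compromise of one server exposes sessions it never negotiated, which is the security-model trade-off the reply refers to.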
