* Status of Bird<->wireguard integration
From: Nico Schottelius @ 2019-08-17 13:55 UTC
To: WireGuard mailing list
Hello again,
I was wondering what the status is of the integration of wireguard into
bird and whether there is any help needed?
I am wondering, because integrating wireguard into bird would easily
allow to create wireguard server clusters that would announce only the
connected clients via BGP:
                 client
                 | \ |
                 | --------------- |
            server1            server2
      [wireguard+bird]   [wireguard+bird]
                \              /
               BGP            BGP
              -------- | -------
                       |
               upstream router
This would not only allow to easily create any number of failover VPN
endpoints, but also allow to easily implement load balancing.
Best regards,
Nico
--
Your Swiss, Open Source and IPv6 Virtual Machine. Now on www.datacenterlight.ch.
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
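The core of the setup sketched above is "announce only the connected clients": each server advertises a /32 (or /128) for a client only while that client actually has a live session with it. The following is an added example, not code from the thread or from either project, of how a server could derive that route set from the WireGuard kernel state. It parses the tab-separated output of `wg show <iface> dump` (peer lines carry public-key, preshared-key, endpoint, allowed-ips, latest-handshake, rx, tx, keepalive), treats a peer as connected when its latest handshake is within a configurable window, and renders the result as bird static-protocol routes. The 180-second window, the interface name `wg0`, the bird 2 `route ... via "wg0";` syntax and the sample dump are all assumptions made for the example.

```python
"""Derive the client prefixes a WireGuard+BGP server should announce.

Added example (not from the original thread): parse `wg show <iface> dump`,
keep only peers with a recent handshake, and emit bird static routes so
that a client prefix is advertised only by the server it is talking to.
"""
import ipaddress
import time
from dataclasses import dataclass

# Assumption: a peer whose latest handshake is older than this window is
# treated as disconnected and its prefixes are withdrawn.  WireGuard discards
# a session 180 s after its handshake without a rekey, so 180 s is a natural
# upper bound; a smaller value withdraws routes sooner.
CONNECTED_WINDOW_S = 180

# Constructed sample of `wg show wg0 dump`: one interface line, three peers.
# Keys and addresses are placeholders, not real material.
SAMPLE_DUMP = (
    "PRIVATEKEY=\tSERVERPUBKEY=\t51820\toff\n"
    "PEERA=\t(none)\t203.0.113.10:41234\t10.0.0.5/32,fd00::5/128\t1566000000\t1234\t5678\t25\n"
    "PEERB=\t(none)\t(none)\t10.0.0.6/32\t0\t0\t0\toff\n"
    "PEERC=\t(none)\t198.51.100.7:50000\t10.0.0.7/32\t1565999000\t10\t10\toff\n"
)


@dataclass(frozen=True)
class Peer:
    public_key: str
    endpoint: str
    allowed_ips: tuple          # ipaddress.ip_network objects
    latest_handshake: int       # unix epoch seconds, 0 if never


def parse_wg_dump(dump: str) -> list:
    """Parse `wg show <iface> dump`. The first line describes the interface;
    every following line is one peer with eight tab-separated fields."""
    peers = []
    lines = [ln for ln in dump.splitlines() if ln.strip()]
    for line in lines[1:]:
        fields = line.split("\t")
        if len(fields) < 8:
            raise ValueError(f"malformed peer line: {line!r}")
        pub, _psk, endpoint, allowed, handshake, _rx, _tx, _keepalive = fields[:8]
        allowed_ips = tuple(
            ipaddress.ip_network(a) for a in allowed.split(",") if a and a != "(none)"
        )
        peers.append(Peer(pub, endpoint, allowed_ips, int(handshake)))
    return peers


def connected_prefixes(peers, now=None, window=CONNECTED_WINDOW_S) -> set:
    """Prefixes of peers whose latest handshake lies within `window` seconds.
    A handshake value of 0 means the peer has never completed a handshake."""
    now = int(time.time()) if now is None else now
    prefixes = set()
    for p in peers:
        if p.latest_handshake and now - p.latest_handshake <= window:
            prefixes.update(p.allowed_ips)
    return prefixes


def bird_static_routes(prefixes, via_iface="wg0") -> str:
    """Render prefixes as bird 2 static-protocol route lines (assumed syntax).
    Sorting by (version, network) avoids comparing v4 and v6 networks directly."""
    ordered = sorted(prefixes, key=lambda n: (n.version, n))
    return "\n".join(f'route {n} via "{via_iface}";' for n in ordered)


if __name__ == "__main__":
    # Evaluate the constructed sample 100 s after peer A's handshake:
    # A is connected, B never handshook, C is 1100 s stale.
    peers = parse_wg_dump(SAMPLE_DUMP)
    live = connected_prefixes(peers, now=1566000100)
    print(bird_static_routes(live))
```

In a real deployment the dump comes from `wg show wg0 dump` (which needs root), the rendered routes go into a file included by a `protocol static` block, and bird is reloaded or the routes are pushed over its control socket; the BGP session to the upstream router then exports only those statics. Note that this withdraws a client only after the handshake window elapses, which is the same timing constraint that limits how fast a client can move between servers.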
* Re: Status of Bird<->wireguard integration
From: Justin Kilpatrick @ 2019-08-25 19:36 UTC
To: wireguard
I run a Babel/WireGuard combo which is pretty similar to what you're imagining. I have an implemented and (somewhat) working solution to do what you describe that's currently in production.
WireGuard in its current form can not do fast fail-over in a practical way. This isn't really WireGuard's fault so much as it is a consequence of the security model.
Imagine for a moment you have two WireGuard servers and a client. Exactly like your ASCII example. The client determines that its connection to server 1 is degraded or otherwise failed and starts directing packets to server 2.
Since the client has a valid handshake with server 1, it's sending packets symmetrically encrypted with a key server 2 does not have. All packets get discarded until the handshake expires a minute later and is renegotiated with server 2.
Obviously this makes the clients very unhappy.
I'm not familiar enough with the cryptography design of WireGuard to really comment on a good solution. Ideally the server could recognize this situation and do an immediate handshake without compromising security.
--
Justin Kilpatrick
justin@althea.net
On Sun, Aug 25, 2019, at 11:48 AM, Nico Schottelius wrote:
>
> Hello again,
>
> I was wondering what the status is of the integration of wireguard into
> bird and whether there is any help needed?
>
> I am wondering, because integrating wireguard into bird would easily
> allow to create wireguard server clusters that would announce only the
> connected clients via BGP:
>
>                  client
>                  | \ |
>                  | --------------- |
>             server1            server2
>       [wireguard+bird]   [wireguard+bird]
>                 \              /
>                BGP            BGP
>               -------- | -------
>                        |
>                upstream router
>
> This would not only allow to easily create any number of failover VPN
> endpoints, but also allow to easily implement load balancing.
>
> Best regards,
>
> Nico
>
> --
> Your Swiss, Open Source and IPv6 Virtual Machine. Now on www.datacenterlight.ch.