* Fast failover and handshake renegotiation for multihomed WireGuard servers
@ 2019-07-08 15:10 Justin Kilpatrick
0 siblings, 0 replies; only message in thread
From: Justin Kilpatrick @ 2019-07-08 15:10 UTC (permalink / raw)
I'm running a small fleet of WireGuard servers and clients, the clients use the Babel routing protocol to detect the latency and packet loss to any of the servers and select the best one accordingly.
The WireGuard servers are multihomed, they share a user list, keys, and an ip address. Babel will insert a route to the same destination ip but a different actual server whenever that server becomes the better option.
Sadly I've had to keep this feature out of production because switching between two servers involves around a minute of zero connectivity and that's simply too disruptive to expose to customers. The client continues to send packets using the handshake data from the previous server, the new server dutifully discards them as incorrect packets and everyone involved waits around for the old handshake to time out and a new one to be renegotiated.
Is there any way to trigger a handshake renegotiation quickly that is also secure? Ideally I would like users to be able to roam between servers without any detectable change, much as they can roam between routes inside of a babel network.
WireGuard mailing list
^ permalink raw reply [flat|nested] only message in thread
only message in thread, back to index
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-07-08 15:10 Fast failover and handshake renegotiation for multihomed WireGuard servers Justin Kilpatrick
WireGuard Archive on lore.kernel.org
Archives are clonable:
git clone --mirror https://lore.kernel.org/wireguard/0 wireguard/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 wireguard wireguard/ https://lore.kernel.org/wireguard \
Newsgroup available over NNTP:
AGPL code for this site: git clone https://public-inbox.org/ public-inbox