WireGuard Archive on lore.kernel.org
* Fast failover and handshake renegotiation for multihomed WireGuard servers
@ 2019-07-08 15:10 Justin Kilpatrick
  0 siblings, 0 replies; only message in thread
From: Justin Kilpatrick @ 2019-07-08 15:10 UTC (permalink / raw)
  To: wireguard

I'm running a small fleet of WireGuard servers and clients; the clients use the Babel routing protocol to detect the latency and packet loss to any of the servers and select the best one accordingly.

The WireGuard servers are multihomed: they share a user list, keys, and an IP address. Babel will insert a route to the same destination IP but a different actual server whenever that server becomes the better option.

Sadly I've had to keep this feature out of production because switching between two servers involves around a minute of zero connectivity and that's simply too disruptive to expose to customers. The client continues to send packets using the handshake data from the previous server, the new server dutifully discards them as incorrect packets and everyone involved waits around for the old handshake to time out and a new one to be renegotiated. 
 
Is there any way to trigger a handshake renegotiation quickly that is also secure? Ideally I would like users to be able to roam between servers without any detectable change, much as they can roam between routes inside of a Babel network.

-- 
  Justin Kilpatrick
  justin@althea.net
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
