Re: Dynamic gif Tunnel

2022-06-05 Thread Crystal Kolipe
On Sun, Jun 05, 2022 at 10:51:49AM -, Stuart Henderson wrote:
> You will probably be happier with wg(4) though, for this scenario
> with a static IP at one side you don't need to do anything special
> to maintain the tunnel, it "just works" and automatically follows
> changes of client IP.

Except possibly set up some kind of slow ping or other keep-alive
mechanism.

Since wireguard is stateless, if the dynamic IP is behind some kind
of NAT, the ISP might break inbound connectivity if there is no
outbound traffic for a certain period, (typically 2 minutes or so).

This only matters if you expect to receive inbound connections
without making an outbound connection first, (for example, inbound
SMTP), because any outbound traffic should bring up the link anyway.

IPSEC is another possible alternative.
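Crystal's keep-alive point above and Stuart's remark below (that with a static IP on one side wg(4) needs nothing special to follow a changing client IP) both map onto concrete wg(4) settings. The two hostname.if(5) fragments below are an added example, not part of the thread; the addresses, the delegated prefix and the key placeholders are assumptions. The dynamic side is the one that carries the persistent keepalive (wgpka); the static side configures no wgendpoint at all, because wg(4) takes the peer's address from the last authenticated packet it received, and an encrypted keepalive is such a packet.

```conf
# /etc/hostname.wg0 on the home router (dynamic-IP side).  All values are assumed;
# replace the placeholders with real keys.  A private key is made with
# "openssl rand -base64 32"; the matching public key is printed by "ifconfig wg0"
# once wgkey has been set.
wgkey HOME_PRIVATE_KEY_BASE64
wgport 51820
# The gateway is the only peer and has the static address, so its wgendpoint can be
# fixed here.  wgpka 25 makes wg(4) send an encrypted keepalive every 25 seconds
# whenever the link is otherwise idle.  That keeps the ISP/CPE NAT mapping open,
# comfortably inside the "2 minutes or so" idle timeout mentioned above, so inbound
# traffic (e.g. SMTP arriving via the gateway) still reaches us after a quiet period
# instead of waiting for our own outbound packets to re-open the mapping.
wgpeer GATEWAY_PUBLIC_KEY_BASE64 wgendpoint 203.0.113.1 51820 wgaip 10.9.0.1/32 wgaip ::/0 wgpka 25
inet 10.9.0.2 255.255.255.252
inet6 2001:db8:ffff::2 64
# wgaip is cryptokey routing only (which source addresses are accepted from, and which
# destinations are sent to, this peer); it installs no routes.  Send all IPv6 to the gateway.
!route -qn add -inet6 default 2001:db8:ffff::1
up
```

```conf
# /etc/hostname.wg0 on the OpenBSD gateway (static IP 203.0.113.1, assumed).
wgkey GATEWAY_PRIVATE_KEY_BASE64
wgport 51820
# No wgendpoint: the home router's current address is learned from its last
# authenticated packet (handshake, data or keepalive), so an IP change at home needs
# no action on this side.  No wgpka either: this side is directly reachable and has
# no NAT mapping to keep alive.
wgpeer HOME_PUBLIC_KEY_BASE64 wgaip 10.9.0.2/32 wgaip 2001:db8:ffff::2/128 wgaip 2001:db8:1::/48
inet 10.9.0.1 255.255.255.252
inet6 2001:db8:ffff::1 64
# Route the home prefix (assumed 2001:db8:1::/48) into the tunnel; the matching wgaip
# above is what lets packets from that prefix be accepted from the peer.
!route -qn add -inet6 2001:db8:1::/48 2001:db8:ffff::2
up
```

Two things to keep in mind with this layout. Only the gateway needs a pf rule admitting UDP 51820 on its external interface; the home side initiates and needs nothing opened. And because every packet, keepalives included, is authenticated by the peer's key, a roaming endpoint update can only be triggered by the real peer, which is what makes "just works" safe as well as convenient.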



Re: Dynamic gif Tunnel

2022-06-05 Thread Stuart Henderson
On 2022-06-05, open...@007sascha.de wrote:
> Hi,
> I would like to build a dynamic gif tunnel and am searching for the "best" and
> most secure concept for that.
> Scenario: HomeRouter with dynamic IP; OpenBSD as Gateway with static IP.
> 6in4 gif tunnel.
> On an IP change at the HomeRouter, I have to adjust the tunnel endpoint on the
> Gateway.
> Concepts:
> 1. To change pf, I can use authpf, but how can I change the tunnel parameters?
> Second ssh session and doas?
>
> 2. Build a web API to change the tunnel and pf? How? httpd is in a chroot.
>
> 3. Use an external dyndns service and work with a cronjob to check for changes
> in DNS
>
> Any suggestions/recommendation?

Any of those would work. If you want to use a web API you can either
run the cgi/php/whatever script unchrooted, or write to a file under
/var/www which is read by a daemon/cronjob.

You will probably be happier with wg(4) though, for this scenario
with a static IP at one side you don't need to do anything special
to maintain the tunnel, it "just works" and automatically follows
changes of client IP. (I use it to route a /27 from colo to home
which can be used across whatever connectivity I have so it works
over mobile/landline/radio link/whatever).

-- 
Please keep replies on the mailing list.
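For anyone who stays with gif(4) and takes option 3 from the question (dyndns plus a cronjob, one of the approaches Stuart says would work), the script below is an added example and not code from the thread. It runs as root on the static-IP gateway, resolves the dyndns name of the home router, and when the answer differs from the tunnel's current remote endpoint, re-points the gif interface and replaces the pf table in the same run. The interface name, addresses, resolver, dyndns name and pf table name are assumptions, as is the sample ifconfig output used to exercise the parser.

```shell
#!/bin/sh
# Added example for the dyndns + cron approach (not from the mailing list thread).
# Run from root's crontab on the static-IP gateway.  Names and addresses are assumed.
set -eu

IF=gif0
LOCAL4=203.0.113.1              # the gateway's static address (assumed)
HOME_NAME=home.dyndns.example   # name the home router keeps updated (assumed)
PF_TABLE=home_router            # pf.conf: table <home_router> persist (assumed)
RESOLVER=203.0.113.53           # server to query directly, bypassing stale caches (assumed)

# Accept only a plain dotted quad.  The value is handed to ifconfig(8) and pfctl(8)
# as root, so NXDOMAIN text, CNAME noise or a hostile DNS answer must never reach them.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _n=0
    _old_ifs=$IFS
    IFS=.
    for _o in $1; do
        _n=$((_n + 1))
        if [ "${#_o}" -gt 3 ] || [ "$_o" -gt 255 ]; then
            IFS=$_old_ifs
            return 1
        fi
    done
    IFS=$_old_ifs
    [ "$_n" -eq 4 ]
}

# Extract the remote endpoint from ifconfig(8) output, i.e. the X in
# "tunnel: inet LOCAL --> X ...".  Prints nothing when no tunnel is configured.
current_remote() {
    printf '%s\n' "$1" | awk '$1 == "tunnel:" && $2 == "inet" { print $5; exit }'
}

# Constructed sample of "ifconfig gif0" output, so current_remote can be exercised
# without a real interface.
SAMPLE_IFCONFIG='gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> rdomain 0 mtu 1280
        index 5 priority 0 llprio 3
        groups: gif
        tunnel: inet 203.0.113.1 --> 198.51.100.7 ttl 64 nodf ecn
        inet6 2001:db8:ffff::1 --> 2001:db8:ffff::2 prefixlen 128'

# dig(1) from OpenBSD base.  +short prints only answer rdata; the last line is taken so
# an intermediate CNAME target is not mistaken for the A record.  On failure nothing is
# printed and valid_ipv4 rejects the empty string.
resolve_home() {
    dig +short +time=3 +tries=1 @"$RESOLVER" "$HOME_NAME" A 2>/dev/null | tail -n 1
}

update_tunnel() {
    new=$(resolve_home)
    if ! valid_ipv4 "$new"; then
        logger -t gif-update "lookup of $HOME_NAME gave '$new'; keeping current endpoint"
        return 0
    fi
    cur=$(current_remote "$(ifconfig "$IF")")
    if [ "$new" = "$cur" ]; then
        return 0
    fi
    # Move the tunnel and the pf table in the same run, so the proto 41 rule that
    # references the table never admits 6in4 from an address the tunnel no longer uses.
    ifconfig "$IF" tunnel "$LOCAL4" "$new"
    pfctl -q -t "$PF_TABLE" -T replace "$new"
    logger -t gif-update "tunnel endpoint ${cur:-unset} -> $new"
}

# Cron entry (assumed install path):  * * * * * /usr/local/sbin/gif-update update
if [ "${1:-}" = update ]; then
    update_tunnel
fi
```

The pf side this assumes is `table <home_router> persist` together with something like `pass in on egress inet proto 41 from <home_router> to 203.0.113.1`, so that only the current home address may deliver 6in4 to the gateway. The caveat that comes with this design is worth stating plainly: gif(4) authenticates nothing, so whoever controls the answer for home.dyndns.example controls where the tunnel points and what pf admits. The script's input validation keeps garbage out of ifconfig and pfctl, but the trust in the dyndns provider and in the integrity of that DNS answer remains; that is the gap wg(4) closes by authenticating the peer cryptographically instead.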