Hi Ferris, Firstly, WireGuard already has forward secrecy, which means every new session (negotiated every 2 minutes) has fresh keys that are forgotten, so old recorded traffic cannot be compromised.
It sounds like, however, you want to rotate the long term static "identity" keys. This is possible to do gracefully. If you change the private key of an interface, it won't actually be used until the next handshake occurs, which means you can rollover gracefully. Likewise you can add new peers (via public keys) dynamically at runtime. Moving a distinct allowed IP from one peer to another is an atomic operation as well. Hope this helps! Regards, Jason _______________________________________________ WireGuard mailing list [email protected] https://lists.zx2c4.com/mailman/listinfo/wireguard
