Jason, Awesome! That’s exactly what I needed :) I’ll try it out and post a follow up if I have any issues.
Cheers, Ferris > On Dec 2, 2017, at 8:31 AM, Jason A. Donenfeld <[email protected]> wrote: > > Hi Ferris, > > Firstly, WireGuard already has forward secrecy, which means every new > session (negotiated every 2 minutes) has fresh keys that are > forgotten, so old recorded traffic cannot be compromised. > > It sounds like, however, you want to rotate the long term static > "identity" keys. This is possible to do gracefully. If you change the > private key of an interface, it won't actually be used until the next > handshake occurs, which means you can rollover gracefully. Likewise > you can add new peers (via public keys) dynamically at runtime. Moving > a distinct allowed IP from one peer to another is an atomic operation > as well. > > Hope this helps! > > Regards, > Jason _______________________________________________ WireGuard mailing list [email protected] https://lists.zx2c4.com/mailman/listinfo/wireguard
