Jason,

Awesome! That’s exactly what I needed :) I’ll try it out and post a follow up 
if I have any issues.

Cheers,
Ferris

> On Dec 2, 2017, at 8:31 AM, Jason A. Donenfeld <[email protected]> wrote:
> 
> Hi Ferris,
> 
> Firstly, WireGuard already has forward secrecy, which means every new
> session (negotiated every 2 minutes) has fresh keys that are
> forgotten, so old recorded traffic cannot be compromised.
> 
> It sounds like, however, you want to rotate the long term static
> "identity" keys. This is possible to do gracefully. If you change the
> private key of an interface, it won't actually be used until the next
> handshake occurs, which means you can rollover gracefully. Likewise
> you can add new peers (via public keys) dynamically at runtime. Moving
> a distinct allowed IP from one peer to another is an atomic operation
> as well.
> 
> Hope this helps!
> 
> Regards,
> Jason
_______________________________________________
WireGuard mailing list
[email protected]
https://lists.zx2c4.com/mailman/listinfo/wireguard

Reply via email to