I run a Babel/Wireguard combo which is pretty similar to what you're imagining. I have an implemented and (somewhat) working solution to do what you describe that's currently in production.

Wireguard in its current form cannot do fast fail-over in a practical way. This isn't really WireGuard's fault so much as it is a consequence of the security model.

Imagine for a moment you have two WireGuard servers and a client. Exactly like your ASCII example. The client determines that its connection to server 1 is degraded or otherwise failed and starts directing packets to server 2. Since the client has a valid handshake with server 1, it's sending packets symmetrically encrypted with a key server 2 does not have. All packets get discarded until the handshake expires a minute later and is renegotiated with server 2.

Obviously this makes the clients very unhappy. I'm not familiar enough with the cryptography design of WireGuard to really comment on a good solution. Ideally the server could recognize this situation and do an immediate handshake without compromising security.

--
Justin Kilpatrick
[email protected]

On Sun, Aug 25, 2019, at 11:48 AM, Nico Schottelius wrote:
>
> Hello again,
>
> I was wondering what the status is of the integration of wireguard into
> bird and whether there is any help needed?
>
> I am wondering, because integrating wireguard into bird would easily
> allow to create wireguard server clusters that would announce only the
> connected clients via BGP:
>
>                   client
>                 |   \   |
>           | ---------------  |
>        server1            server2
>  [wireguard+bird]    [wireguard+bird]
>           \                /
>           BGP            BGP
>            -------- | -------
>                     |
>              upstream router
>
> This would not only allow to easily create any number of failover VPN
> endpoints, but also allow to easily implement load balancing.
>
> Best regards,
>
> Nico
>
> --
> Your Swiss, Open Source and IPv6 Virtual Machine. Now on
> www.datacenterlight.ch.
> _______________________________________________
> WireGuard mailing list
> [email protected]
> https://lists.zx2c4.com/mailman/listinfo/wireguard
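
Added example, not part of the original message or of WireGuard's code: a toy Python model of the failure described in the reply above, where packets keyed for server 1 are dropped by server 2 until a new handshake with server 2 completes. The class names, the HMAC tag standing in for WireGuard's AEAD, and the random key standing in for the Noise handshake are simplifying assumptions.

```python
import hashlib, hmac, os, struct

class Server:
    """Toy endpoint (assumption): session keys stored per receiver index."""
    def __init__(self, name):
        self.name, self.sessions, self.next_index = name, {}, 1

    def handshake(self):
        # Stand-in for the real handshake: a fresh random key per session.
        index, key = self.next_index, os.urandom(32)
        self.next_index += 1
        self.sessions[index] = key
        return index, key

    def receive(self, packet):
        # Layout modelled here: receiver index (4) | counter (8) | payload | tag (32)
        index, _counter = struct.unpack(">IQ", packet[:12])
        key = self.sessions.get(index)
        if key is None:
            return None  # no session under this index: packet dropped
        expect = hmac.new(key, packet[:-32], hashlib.sha256).digest()
        if not hmac.compare_digest(packet[-32:], expect):
            return None  # session exists but key differs: packet dropped
        return packet[12:-32]  # payload left in clear; only the tag is modelled

class Client:
    def __init__(self):
        self.index = self.key = None
        self.counter = 0

    def handshake(self, server):
        self.index, self.key = server.handshake()
        self.counter = 0

    def send(self, payload, via):
        # 'via' is where routing delivers the packet, not where the key was agreed.
        header = struct.pack(">IQ", self.index, self.counter)
        self.counter += 1
        tag = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        return via.receive(header + payload + tag)

def failover_demo():
    s1, s2, client = Server("server1"), Server("server2"), Client()
    client.handshake(s1)
    before = client.send(b"ping", via=s1)                       # normal operation
    during = [client.send(b"ping", via=s2) for _ in range(3)]   # rerouted, old key
    client.handshake(s2)                                        # renegotiate with server 2
    after = client.send(b"ping", via=s2)
    return before, during, after
```

`failover_demo()` returns the payload for the packets sent before and after the switch and `None` for each packet sent to server 2 under the old session.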
