Hello,
I was asking about the server IP in the live wg config
on the client, as seen in
# wg show
in order to verify that the problem is indeed a stale IP.
On Wed, Aug 28, 2019 at 06:25:15AM +0000, Hendrik Friedel wrote:
> that seems not to be the intended behaviour:
> If I understand correctly, the current behaviour is:
>
> At tunnel start the IP is resolved
> This IP is used forever, namely for re-connects.
This is only partly correct. The remote endpoint can unconditionally
roam and is updated by any valid packet from a given IP (if I remember
correctly).
> The probably intended behaviour would be:
> At tunnel start and at any re-connect the IP is resolved.
>
> Do you agree that this behaviour should be changed?
> Apart from that: Can you suggest an automatable workaround?
In some circumstances a similar behavior would be desired.
WireGuard's design and implementation is layered (which seems good).
The secure* tunnel, including the kernel module and the wg tool, seems
to be in a reasonable state, but automation, DNS and key exchange are
out of scope for them. Those are meant to be provided by tooling, which is
currently very raw.
As a workaround you could
- unconditionally and periodically update the endpoint
- monitor the last handshake time; when it is large, update the endpoint
  or restart the tunnel
- add a keepalive to the server - it might reduce your downtime
Regards,
Ivan Labáth
_______________________________________________
WireGuard mailing list
[email protected]
https://lists.zx2c4.com/mailman/listinfo/wireguard
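As an added illustration of the first two workarounds in the reply above (an example script written for this page, not part of the original thread and not WireGuard project code): a small POSIX sh watchdog that parses the output of `wg show IFACE latest-handshakes` and `wg show IFACE endpoints`, treats a peer whose last handshake is older than a threshold as stale, and then re-issues `wg set IFACE peer KEY endpoint host:port`, which resolves the hostname again at that moment. The interface name, peer public key, endpoint hostname, the 300-second staleness threshold and the 60-second polling interval are assumptions chosen for the example; the sample `wg show` lines in the comments are constructed.

```sh
#!/bin/sh
# Added example, not code from the original thread or from the WireGuard
# project.  It uses only `wg show` and `wg set`.  Interface, peer key,
# endpoint host:port and the thresholds are assumptions supplied by the
# caller or the environment.
set -u

# Seconds without a handshake before the endpoint is treated as stale.
# A peer that is exchanging traffic re-handshakes every couple of minutes,
# so several minutes of silence is a reasonable (but site-specific) signal.
STALE_AFTER="${STALE_AFTER:-300}"
# How often the watchdog loop re-checks.
INTERVAL="${INTERVAL:-60}"

# handshake_age SHOW_OUTPUT PUBKEY NOW
#   SHOW_OUTPUT is the text of `wg show IFACE latest-handshakes`, one
#   "<pubkey><TAB><unix-epoch>" line per peer, where 0 means "never".
#   Prints the age in seconds, or "never"; returns 1 if the peer is absent.
#   Constructed sample line: "AbCdEf=<TAB>1566973500"
handshake_age() {
    last=$(printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }')
    [ -n "$last" ] || return 1
    if [ "$last" -eq 0 ]; then
        echo never
    else
        echo $(( $3 - last ))
    fi
}

# is_stale AGE THRESHOLD -> exit status 0 when the peer should be refreshed.
# "never" (no handshake at all yet) always counts as stale.
is_stale() {
    [ "$1" = never ] && return 0
    [ "$1" -ge "$2" ]
}

# current_endpoint SHOW_OUTPUT PUBKEY
#   SHOW_OUTPUT is the text of `wg show IFACE endpoints`, one
#   "<pubkey><TAB><ip:port>" line per peer ("(none)" if unset).
#   Prints the endpoint the kernel is currently using for that peer.
current_endpoint() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# refresh_endpoint IFACE PUBKEY HOSTPORT
#   `wg set ... endpoint host:port` resolves the hostname at call time,
#   so this single call is the "re-resolve" step.  Run it on its own from
#   cron for the "unconditionally periodic" workaround, or from the loop
#   below for the handshake-driven one.
refresh_endpoint() {
    wg set "$1" peer "$2" endpoint "$3"
}

# watchdog IFACE PUBKEY HOSTPORT
#   Poll the live state; when the handshake is stale, re-resolve and log
#   the endpoint before and after so a changed server IP is visible.
watchdog() {
    iface=$1; key=$2; hostport=$3
    while :; do
        age=$(handshake_age "$(wg show "$iface" latest-handshakes)" "$key" "$(date +%s)") || age=never
        if is_stale "$age" "$STALE_AFTER"; then
            before=$(current_endpoint "$(wg show "$iface" endpoints)" "$key")
            refresh_endpoint "$iface" "$key" "$hostport"
            after=$(current_endpoint "$(wg show "$iface" endpoints)" "$key")
            echo "$(date -u +%FT%TZ) handshake age=$age; endpoint $before -> $after" >&2
        fi
        sleep "$INTERVAL"
    done
}

# Usage (as root, names are placeholders):
#   watchdog wg0 '<peer-public-key>' vpn.example.net:51820
```

Run it as root from a service or a cron job. The third workaround in the reply, a keepalive, is a one-off `wg set wg0 peer '<peer-public-key>' persistent-keepalive 25` on the client side; it keeps NAT state open and, because the endpoint roams on any valid packet, gives the other side regular packets to learn a changed address from.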