DMVPM appreciation

John Huttley john at
Sun Dec 4 06:57:04 CET 2016

Really good high level theory ...

> Don't forget we need two more things:
> * A --> C (over UDP)
> * C --> A (over UDP)

>Throw a few weird NAT/PAT and other ACLs in between and try again.

In one direction there is no need, because that's how we established the
tunnel. See below, we could make exposed endpoints a requirement.

>> First. A can talk to C just fine on the VPN. Thats all the
>> authentication required.
>Yes, but in the background A only talks to B over UDP... and B to C
>over UDP.

Sorry I don't get what you mean. Anyone /could/ talk to anyone,
firewalls permitting.

>I think there may be cases where such situation is possible and highly
>The logic being, try to talk directly (using the protocol described
>above), if it doesn't work, continue talking via B.
>Reminds me of STUN and friends.

Actually we can simplify it further. Just make it a requirement of
overlaying that you have a valid listener. Then no UDP magic. Overly
works or it doesn't.

>And an alternative will be centralized database/service advertising
>public keys and endpoints (think PGP keyserver).
>And then comes the WoT and then... Jason will shoot us for bringing
>the complexity he is so fond of avoiding (and I am supporting him) :-D

Agreed. I don't think Jason will be more than mildly interested and it
shouldn't be a part of Wireguard itself.

>Since this functionality can be implemented outside of Wireguard, as a
>simple script (I guess 5 lines of Bash, but will leave the challenge
>open), it is all a matter of convenience.
>Nothing can be gained by "building it in", may be except tiny >convenience.
>If you try to script it, then provide clean documentation/test cases,
>I am sure it can be included in


>Also consider the trust model you are changing, because security DOES
>matter :-)
>As an example, think buying on Amazon from 3rd party, vs. talking to
>them directly:
>(1st -> 2nd case may be possible, 2nd ->1st is highly improbable)

If you are on the VPN, you are by definition, trusted as much as anyone is.

"Improbable" is a policy decision. Overlaying might not even be of
benefit. If C is on bad, slow connection, an overlay to C isn't going to
help. Policy needs to figure that out.

>* 1st case is more secure, but more expensive
>* 1st provides a way to find your party, plus it provides some
>mediatior/trust relationship (at cost)
>* How often did you buy something via Amazon an then went directly to
>the seller to buy more?

This isn't the use case I'm considering. I'm not quite sure what you mean.

>It is all about balancing security/cost and convenience of setup a
>transaction, within some (implicit) trust/insurance model.

Definitely don't know what you mean.


More information about the WireGuard mailing list