[WireGuard] NAT-T Keepalives

Jason A. Donenfeld Jason at zx2c4.com
Thu Jul 7 19:15:16 CEST 2016

On Jul 7, 2016 6:58 PM, "Baptiste Jonglez" <baptiste at bitsofnetworks.org>
> Why not simply use the same technique as the opportunic keepalives, then?
> (encrypted payload)

Because when persistent-keepalive-interval > keylifetime (2 minutes), this
results in a new handshake, causing 3 packets instead of 1.

Also, why waste crypto cycles when you don't have to? If we're just trying
to appease firewalls and NATs, then let's leave the problem at that level,
not let it infect other layers.

> One small advantage over the "empty UDP packet" method is that it will
> also refresh the "latest handshake" timer shown in wg (or whatever GUI
> people will build on top of wireguard).  From a user perspective, it's
> nice to know that the VPN is still alive.

No way josé. (In fact I wouldn't mind removing the beloved latest handshake
field.) From the perspective of the sysadmin, wireguard must appear
stateless. Fundamental design goal.

> [0 len could be bad]
> 30 seconds?

I have the same set of speculations and concerns, but it's mostly just
imaginary without real data, as you said. Maybe I'll write into NANOG?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.zx2c4.com/pipermail/wireguard/attachments/20160707/c2b4e40a/attachment.html>

More information about the WireGuard mailing list