[WireGuard] NAT-T Keepalives
Bruno Wolff III
bruno at wolff.to
Thu Jul 7 19:57:22 CEST 2016
On Thu, Jul 07, 2016 at 18:33:11 +0200,
"Jason A. Donenfeld" <Jason at zx2c4.com> wrote:
>The most bootleg solution for this is to just run "ping $server" from
>userspace. What a disgusting fix.
This also forces encrypted traffic, which your solution would avoid.
>1. What should the payload be? Should it be a single fixed byte? Or
>should it be a zero length UDP packet?
The packet doesn't even need to make it to the endpoint, just through
the NAT or firewall. So you don't want something that would get blocked
by those. I don't know of anything that would be likely to. Otherwise
you probably want minimum resources expended by the end points producing
and receiving the packet.
>5. Is there a good resource for real world NAT mapping timings found
>in the wild?
Our NAT defaults to one minute for random UDP ports. So 30 seconds seems
like a reasonable time if there isn't much packet loss.
>What are your thoughts?
It sounds like a nice improvement.
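As an added illustration, not part of the thread and not WireGuard code, here is a small Python model of the keepalive-interval reasoning above. It assumes (the page does not say) a NAT that drops a UDP mapping once it has been idle for the full timeout and that refreshes the idle timer on any packet crossing the mapping; the 60-second timeout and 30-second interval used in the `__main__` section are the figures from the message. It also sends a zero-length UDP datagram over loopback, which only shows that the host socket layer delivers an empty datagram; whether a given NAT or firewall passes it is the separate question raised in the thread.

```python
"""Added example (not from the thread, not WireGuard code): keepalive
interval vs. NAT mapping timeout, plus a zero-length UDP keepalive.

Assumptions (not stated on the page): the NAT drops a UDP mapping once
it has been idle for nat_timeout seconds or longer, and any packet that
crosses the mapping in either direction resets the idle timer.
"""
import math
import socket


def max_tolerated_losses(nat_timeout: float, interval: float) -> int:
    """Consecutive lost keepalives the mapping survives when keepalives
    are sent every `interval` seconds after a refresh at t=0.

    Keepalives land at interval, 2*interval, ...; only those arriving
    while the idle time is still below nat_timeout refresh the mapping,
    and the last of those must get through.  A result of -1 means even
    a lossless keepalive arrives too late (interval >= nat_timeout).
    """
    in_time = math.ceil(nat_timeout / interval) - 1   # sends with n*interval < nat_timeout
    return in_time - 1


def recommended_interval(nat_timeout: float, tolerated_losses: int) -> int:
    """Largest whole-second interval that still tolerates the given number
    of consecutive losses, found by search so the boundary behaviour
    matches mapping_survives() exactly."""
    for k in range(int(nat_timeout), 0, -1):
        if max_tolerated_losses(nat_timeout, k) >= tolerated_losses:
            return k
    raise ValueError("no whole-second interval keeps the mapping alive")


def mapping_survives(nat_timeout: float, interval: float, lost) -> bool:
    """Discrete simulation: `lost` is a sequence of booleans, one per
    keepalive, True meaning that keepalive was dropped before the NAT."""
    last_refresh = 0.0
    t = 0.0
    for was_lost in lost:
        t += interval
        if t - last_refresh >= nat_timeout:
            return False            # NAT already expired the mapping
        if not was_lost:
            last_refresh = t
    return True


def zero_length_keepalive_roundtrip() -> bool:
    """Send an empty UDP datagram over loopback and confirm the receiver
    gets it as a datagram.  This only shows the host socket layer passes
    it; whether a particular NAT or firewall does is the open question."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(2.0)
        tx.sendto(b"", rx.getsockname())
        data, _ = rx.recvfrom(65535)
        return data == b""
    except OSError:                 # timeout, or a sandbox without loopback
        return False
    finally:
        rx.close()
        tx.close()


if __name__ == "__main__":
    T = 60                          # the one-minute NAT default quoted above
    for k in (30, 25, 20, 15):
        print(f"timeout {T}s, keepalive {k}s: survives "
              f"{max_tolerated_losses(T, k)} consecutive loss(es)")
    print("interval tolerating one loss:", recommended_interval(T, 1))
    print("zero-length datagram delivered over loopback:",
          zero_length_keepalive_roundtrip())
```

Under this model a 30-second keepalive against a 60-second timeout works only while nothing is lost: a single dropped keepalive puts the next one exactly at the timeout. Shortening the interval to 29 seconds or less buys one lost packet of slack, 19 seconds or less buys two.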