Hi Bruno,

On Fri, Jul 8, 2016 at 6:23 PM, Bruno Wolff III <bruno at wolff.to> wrote:
> I tried this and noticed a problem. The keep alive packets don't set the
> reply IP address and port for the endpoint. (Which makes sense since they
> aren't authenticated.) So in the case of nat, where you won't know what the
> port is (and in some cases the IP address as well) you still can't connect
> to the endpoint behind the nat until there is some authenticated data sent
> from the endpoint.

UGH! You're right. Thanks for thinking about this properly, and good

> So if nat changes the port at some point, in order to reestablish a path,
> you need to send authenticated data. I am not thinking of an obvious way to
> tell when you just need to hold the port mapping via nat open versus when
> you need to send authenticated data to rebuild a connection after a port or
> IP address change from nat.

Well, after the initial authenticated data has been sent (say, at `ip
link set up` time), the persistent keepalives should keep the link
open, which would prevent NAT from changing the port. This _should_

But is it too fragile? Maybe we should scrap all of this and make
persistent keepalives authenticated. I'm not too thrilled about that


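The failure mode discussed in this thread, as an added model that is not WireGuard's code and not part of the original message: a peer only updates its stored endpoint from packets that authenticate, so an unauthenticated keepalive sent after a NAT port rebind cannot repair the path, while the next authenticated data packet can. The HMAC-tagged packet format, the peer/NAT classes, the addresses and the port numbering are all constructed for this illustration.

```python
import hmac
import hashlib

# Constructed stand-in for the session key (assumption; not a real WireGuard key).
KEY = b"constructed-shared-key"


def make_data(key: bytes, payload: bytes) -> bytes:
    """Authenticated transport packet: type byte, 32-byte HMAC tag, payload."""
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return b"D" + tag + payload


def make_keepalive() -> bytes:
    """Unauthenticated keepalive, as in the design under discussion."""
    return b"K"


class Peer:
    def __init__(self, name, key):
        self.name = name
        self.key = key
        self.endpoint = None  # (ip, port) of the remote peer, learned from traffic

    def receive(self, src, pkt):
        """Return True if the packet authenticated; only then is the endpoint updated."""
        if pkt[:1] == b"K":
            return False  # keepalive: no authentication, so the source is not trusted
        tag, payload = pkt[1:33], pkt[33:]
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False
        self.endpoint = src  # authenticated packet: roam to its source address
        return True


class Nat:
    """Port-translating NAT with one mapping for the inside peer (no timers)."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.port = None  # live external port, None until the next outbound packet
        self.inside = None

    def outbound(self, inside_src):
        if self.port is None:  # no live mapping: allocate a fresh external port
            self.port = self.next_port
            self.next_port += 1
            self.inside = inside_src
        return (self.public_ip, self.port)

    def rebind(self):
        """Simulate mapping expiry: the next outbound packet gets a new port."""
        self.port = None

    def inbound(self, dst):
        """Inside address if dst hits the live mapping, else None (dropped)."""
        if self.port is not None and dst == (self.public_ip, self.port):
            return self.inside
        return None


def run_scenario():
    a = Peer("A", KEY)  # behind the NAT
    b = Peer("B", KEY)  # publicly reachable
    nat = Nat("203.0.113.7")
    a_inside = ("10.0.0.2", 51820)
    b_addr = ("198.51.100.9", 51820)
    a.endpoint = b_addr  # A is configured with B's endpoint, as after `ip link set up`

    def a_sends(pkt):
        b.receive(nat.outbound(a_inside), pkt)

    def b_sends(pkt):
        # B replies to whatever endpoint it last learned for A.
        if nat.inbound(b.endpoint) is None:
            return False  # stale port: the NAT drops it
        return a.receive(b_addr, pkt)

    r = {}
    a_sends(make_data(KEY, b"hello"))
    r["endpoint_after_first_data"] = b.endpoint
    r["reply_before_rebind"] = b_sends(make_data(KEY, b"hi"))
    nat.rebind()
    a_sends(make_keepalive())  # unauthenticated: B must not roam on it
    r["endpoint_after_keepalive"] = b.endpoint
    r["reply_after_keepalive"] = b_sends(make_data(KEY, b"still there?"))
    a_sends(make_data(KEY, b"hello again"))  # authenticated: B roams to the new port
    r["endpoint_after_data"] = b.endpoint
    r["reply_after_data"] = b_sends(make_data(KEY, b"back"))
    return r


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The model has no mapping timers: `rebind()` is called by hand to stand in for the NAT forgetting the mapping, which is the case the thread is worried about. While the mapping is alive, a keepalive passing through the NAT is enough to keep it alive; what the keepalive cannot do is make B follow the new port once the mapping has changed, because B has no way to tell that the keepalive came from A.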