Built-in roaming is limited due to a design fault; adding STUN and TURN support would be good and make WireGuard connections more durable.

Jason A. Donenfeld Jason at zx2c4.com
Mon Jan 2 15:18:24 CET 2017


Hi Peter,

That's a pretty bombastic and rambling way to put a simple point. I
believe you're conflating two different things. Let's break it down:

1. Dynamic IPs.
2. Both peers behind NAT.

With regard to dynamic IPs, the solution is to use a dynamic DNS
service, and simply use the DNS name as the endpoint. When you set up
the device after being disconnected, userspace will do the DNS lookup
to determine a current IP. When you're already connected to that IP,
WireGuard's roaming capabilities will automatically keep track of IP
updates.

With regard to NAT, this is where you want your STUN-like solution.
However, this does _not_ belong inside of WireGuard. This is where you
simply need some basic userspace utility to handle punching holes in
NAT/firewall, and then bringing up the WireGuard interface with the
discovered address/port. It's not that complicated. In fact, there was
already a substantial discussion about this on the list (did you check
the archives?), and I wound up writing a simple PoC utility for it:
https://git.zx2c4.com/WireGuard/tree/contrib/examples/nat-hole-punching/README
It works well, though it of course needs work before it's
production-ready. Perhaps you could rewrite it to use your glib-based
libnice? Send an email here when you've got a github repo for
something like this, as I'm sure a few others on the list might
benefit from it too.

Jason
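The two-step flow described in the message above, as an added example that is not part of the original thread, of WireGuard, or of the linked contrib PoC: a userspace helper learns its NAT-mapped address and port with a STUN-style Binding exchange (RFC 5389 framing and XOR-MAPPED-ADDRESS decoding, implemented here from the RFC), then hands the result to `wg set <iface> peer <key> endpoint <addr>:<port>`, which is the real `wg(8)` syntax. The Binding Response is constructed inline so the block runs offline; in practice the helper would send the request from the same UDP port WireGuard listens on, since the NAT mapping is keyed by source port, and that detail is assumed rather than taken from the message.

```python
"""STUN-style reflexive address discovery feeding a `wg set ... endpoint` call.

Added example; assumes RFC 5389 message framing and a single IPv4
XOR-MAPPED-ADDRESS attribute in the response. Not WireGuard project code.
"""
import socket
import struct

STUN_MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(txn_id: bytes) -> bytes:
    """20-byte STUN header with no attributes; txn_id is 96 bits of randomness."""
    if len(txn_id) != 12:
        raise ValueError("transaction ID must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, STUN_MAGIC_COOKIE) + txn_id


def parse_binding_response(msg: bytes, txn_id: bytes):
    """Return (addr, port) from XOR-MAPPED-ADDRESS, validating header and txn ID."""
    if len(msg) < 20:
        raise ValueError("short STUN header")
    mtype, length, cookie = struct.unpack("!HHI", msg[:8])
    if cookie != STUN_MAGIC_COOKIE or mtype != BINDING_SUCCESS:
        raise ValueError("not a STUN Binding success response")
    if msg[8:20] != txn_id:
        raise ValueError("transaction ID mismatch (reply to someone else's request?)")
    if len(msg) != 20 + length:
        raise ValueError("declared length does not match message size")
    body = msg[20:]
    off = 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        val = body[off + 4:off + 4 + alen]
        if len(val) != alen:
            raise ValueError("truncated attribute")
        if atype == ATTR_XOR_MAPPED_ADDRESS:
            family, xport = struct.unpack("!xBH", val[:4])
            if family != 0x01:
                raise ValueError("only IPv4 handled in this example")
            # Port is XORed with the top 16 bits of the magic cookie,
            # the address with the whole cookie (RFC 5389 section 15.2).
            port = xport ^ (STUN_MAGIC_COOKIE >> 16)
            xaddr = struct.unpack("!I", val[4:8])[0]
            addr = socket.inet_ntoa(struct.pack("!I", xaddr ^ STUN_MAGIC_COOKIE))
            return addr, port
        off += 4 + ((alen + 3) & ~3)  # attributes are padded to 4 bytes
    raise ValueError("no XOR-MAPPED-ADDRESS attribute")


def make_binding_response(txn_id: bytes, addr: str, port: int) -> bytes:
    """Constructed server reply used as offline sample input (not captured traffic)."""
    xport = port ^ (STUN_MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(addr))[0] ^ STUN_MAGIC_COOKIE
    attr = struct.pack("!HHxBHI", ATTR_XOR_MAPPED_ADDRESS, 8, 0x01, xport, xaddr)
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), STUN_MAGIC_COOKIE) + txn_id + attr


def wg_set_endpoint_cmd(ifname: str, peer_pubkey: str, addr: str, port: int):
    """argv for the step that updates the peer's endpoint with the discovered mapping."""
    return ["wg", "set", ifname, "peer", peer_pubkey, "endpoint", f"{addr}:{port}"]


if __name__ == "__main__":
    import os
    txn = os.urandom(12)
    request = build_binding_request(txn)          # what the helper would send
    reply = make_binding_response(txn, "203.0.113.7", 51820)  # constructed, hypothetical IP
    addr, port = parse_binding_response(reply, txn)
    print(len(request), "byte request;", "mapped to", addr, port)
    print(" ".join(wg_set_endpoint_cmd("wg0", "<peer-public-key>", addr, port)))
```

The same `wg set ... endpoint` call is also how the dynamic-DNS case is handled: passing `name:port` instead of `addr:port` lets userspace resolve the name at the moment the interface is configured, after which WireGuard's own roaming tracks the peer as its source address changes.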

