Multiple Endpoints

Jason A. Donenfeld Jason at zx2c4.com
Sun Jan 8 23:14:25 CET 2017


On Sat, Jan 7, 2017 at 5:45 PM, em12345 <em12345 at web.de> wrote:
> This would require PersistentKeepalive on "server" side. But assuming
> the common case that the client sits behind a stateful firewall, how
> would the server be able to inform the client about its IP change?

Yes, the server would need the PersistentKeepalive; you're right.

> - the server (from its new IP) can send UDP packages to the still
> remembered client IP (because of PersistentKeepalive). But my
> understanding is that stateful firewalls will block UDP packages from
> the new IP until the client has sent a UDP packet to the new server IP.

No, usually not. In most cases, the NAT mapping depends on the
client's local IP and sport/dport, but not on the remote dst IP.
Otherwise common NAT holepunching schemes like STUN and the example
holepuncher [1] wouldn't work. The new UDP packets will make it to the
client, in fact.

[1] https://git.zx2c4.com/WireGuard/tree/contrib/examples/nat-hole-punching/README
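The distinction the two messages turn on is, in the terms of RFC 4787, the NAT's filtering behaviour rather than its mapping behaviour. The following toy model is an added illustration, not code from WireGuard or from either poster: the NAT mapping is keyed on the client's inside address and port, and the three filtering modes (endpoint-independent, address-dependent, address-and-port-dependent) and all addresses are constructed for the example. It walks through the scenario above: the server changes IP, the client's mapping is still alive thanks to keepalives, and the question is whether the server's first packet from the new IP gets through before the client has sent anything to it.

```python
"""Toy model of a stateful NAT's UDP mapping and filtering (constructed example)."""

# Filtering modes as defined in RFC 4787, section 5.
EIF = "endpoint-independent"          # accept any remote on an open mapping
ADF = "address-dependent"             # accept only remote IPs the inside host has sent to
APDF = "address-and-port-dependent"   # accept only exact remote (ip, port) pairs seen


class Nat:
    def __init__(self, public_ip, filtering=EIF):
        self.public_ip = public_ip
        self.filtering = filtering
        self.mappings = {}   # (inside_ip, inside_port) -> public_port (endpoint-independent mapping)
        self.reverse = {}    # public_port -> (inside_ip, inside_port)
        self.seen = {}       # public_port -> set of (remote_ip, remote_port) the inside host sent to
        self.next_port = 40000

    def outbound(self, src, dst):
        """Inside host src=(ip, port) sends a UDP datagram to dst=(ip, port).
        Returns the (public_ip, public_port) the outside world sees."""
        if src not in self.mappings:
            port = self.next_port
            self.next_port += 1
            self.mappings[src] = port
            self.reverse[port] = src
            self.seen[port] = set()
        port = self.mappings[src]
        self.seen[port].add(dst)
        return (self.public_ip, port)

    def inbound(self, remote, public_port):
        """Outside host remote=(ip, port) sends to (public_ip, public_port).
        Returns the inside (ip, port) the datagram is delivered to, or None if dropped."""
        if public_port not in self.reverse:
            return None
        seen = self.seen[public_port]
        if self.filtering == EIF:
            allowed = True
        elif self.filtering == ADF:
            allowed = any(ip == remote[0] for ip, _ in seen)
        else:
            allowed = remote in seen
        return self.reverse[public_port] if allowed else None


def server_moves(filtering):
    """Replay the thread's scenario under one filtering mode.
    Returns (delivered_before_client_replies, delivered_after_client_replies)."""
    nat = Nat("203.0.113.5", filtering)                 # constructed addresses (RFC 5737 ranges)
    client = ("10.0.0.2", 51820)
    old_server = ("198.51.100.1", 51820)
    new_server = ("198.51.100.2", 51820)

    # Client talks to the server at its old IP; PersistentKeepalive keeps this mapping alive.
    _, public_port = nat.outbound(client, old_server)

    # Server changes IP but still remembers the client's public endpoint and sends from the new IP.
    before = nat.inbound(new_server, public_port) is not None

    # Client learns the new endpoint (e.g. from the packet above, if it arrived) and sends to it.
    nat.outbound(client, new_server)
    after = nat.inbound(new_server, public_port) is not None
    return before, after


def mapping_is_endpoint_independent():
    """The mapping itself does not depend on the remote address: the same public
    port is reused for a new destination, which is what lets hole punching work."""
    nat = Nat("203.0.113.5")
    client = ("10.0.0.2", 51820)
    first = nat.outbound(client, ("198.51.100.1", 51820))
    second = nat.outbound(client, ("198.51.100.2", 51820))
    return first == second


if __name__ == "__main__":
    for mode in (EIF, ADF, APDF):
        print(f"{mode:28s} delivered before/after client replies: {server_moves(mode)}")
    print("mapping endpoint-independent:", mapping_is_endpoint_independent())
```

With endpoint-independent filtering, the common consumer case the reply describes, the server's packet from the new IP is delivered immediately; with address-dependent or address-and-port-dependent filtering it is dropped until the client has itself sent to the new IP, which is the failure mode the question raised. Either way the mapping (public port) survives unchanged, so a peer that learns the client's new endpoint out of band can always reach it once the client transmits.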

