Multiple Endpoints

Baptiste Jonglez baptiste at
Sun Jan 8 23:57:32 CET 2017

Hi Jason,

On Sun, Jan 08, 2017 at 11:18:01PM +0100, Jason A. Donenfeld wrote:
> > So, if a client is connected to the server and the server changes its IP
> > address, the client will keep trying to use the old IP address forever.
> No. If the server sends a packet to the client using the same UDP
> src/dst, then it will make it to the client, and the client will learn
> the new server IP.
> > You would need to destroy the wireguard interface on the client and
> > recreate it, so that `wg` configures the kernel module with the new IP
> > address associated with the hostname.
> No. And even in the worst possible case, no destruction of the wg
> interface would be necessary. wg(8) can reconfigure all attributes on
> the fly.
> > You're right, in your case, you would need to setup port forwarding on
> > your client, so that wireguard on your client device can be reached from
> > any IP address.
> No. In the vast majority of cases I've seen, both stateful firewalls
> and NAT do not do the mapping based on the remote IP.

Please read Emmanuel's email more carefuly before being so assertive.
His use-case was a client behind a stateful firewall, so if the server
changes its IP address, roaming will not work.

I merely pointed out that a stateful firewall is similar to a symmetric
NAT, that is, both would cause issue with peer roaming.  But a full-cone
NAT would be fine, as you also mentioned.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <>

More information about the WireGuard mailing list