Varying source address and stateful firewalls (Was: Multiple Endpoints)

Jason A. Donenfeld Jason at
Tue Jan 10 05:32:15 CET 2017


Thanks for the nice analysis. At first I was incredulous about the
results, but then I sat down and drew some pictures, and figured out
where the disconnect is. With hole punching, you have each peer
discovering the remote endpoint tuple, and sending an outgoing packet,
which then adjusts the stateful firewall. With em's example, there
isn't this luxury. So, I'll circle back the original thread, and
backtrack on my assertions in order to get back on track. Thanks for
investigating and showing where I erred.


More information about the WireGuard mailing list