Roaming Mischief

Kalin KOZHUHAROV me.kalin at gmail.com
Tue Nov 14 14:50:14 CET 2017


On Tue, Nov 14, 2017 at 2:25 PM, Bruno Wolff III <bruno at wolff.to> wrote:
> On Tue, Nov 14, 2017 at 10:59:03 +0100,
>  "Jason A. Donenfeld" <Jason at zx2c4.com> wrote:
>>
>> (Endpoint=my.server.whatever.zx2c4.com:51820!), that would prevent
>> servers from roaming; the client would still roam in the eyes of the
>> server, but the server would no longer roam in the eyes of the
>> client. In other words, an option -- gasp, a knob! -- to disable
>> roaming on a per-peer one-sided basis. As you know, I don't really
>> like knobs. And I'd hate to add this, and then for people to use it,
>> and then lose some nice aspects of roaming, if it's not really even
>> required.
>
>
> If you know your other end point is at a fixed address you can use iptables
> (or the equivalent) to enforce this. I don't think it needs to be in
> WireGuard.
>
True, I can and will. But I like to configure all layers and multiple
times, then set "traps" (log exceptions/notify) at all levels, except
the outermost.
If _any_ of those fire, I know I have a problem and someone
sidestepped at least the outermost "firewall".

Also, it is real fun to make something actually work (i.e. connect);
you need to understand exactly what goes on, spend countless hours
drinking coffee while poking at packet traces, etc.
And it is even MORE fun when something DOES break and you need to fix it
ASAP in the night.

DISCLAIMER: I don't expect anyone to agree with what I think or do.
And I do occasionally take advice and "improve" things. And I always
quote my $VARs.

Kalin.
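One way to pin a WireGuard peer to a fixed endpoint at the packet-filter layer, as Bruno suggests, with a logging rule so that traffic arriving from anywhere else is recorded rather than silently dropped. This is an added example, not code from the thread; the interface name, the peer address 203.0.113.5 and the port are placeholders, and the function prints the iptables commands instead of applying them so they can be reviewed first.

```bash
#!/bin/sh
# Added example (not from the mailing-list thread).
# Pin one WireGuard peer to a fixed endpoint address at the host firewall
# and add a logging "trap" so unexpected traffic on the WireGuard port is
# noticed. Interface, peer address and port below are placeholders.

# Print (do not apply) the iptables commands for one pinned peer.
# Usage: wg_pin_rules <iface> <peer_ip> <wg_port>
wg_pin_rules() {
    iface=$1; peer=$2; port=$3
    # Inbound: only the known endpoint may reach our WireGuard port.
    printf 'iptables -A INPUT -i %s -p udp --dport %s -s %s -j ACCEPT\n' \
        "$iface" "$port" "$peer"
    # Trap: anything else hitting that port is logged (rate limited) ...
    printf 'iptables -A INPUT -i %s -p udp --dport %s -m limit --limit 6/min -j LOG --log-prefix "WG-ENDPOINT-TRAP: "\n' \
        "$iface" "$port"
    # ... and then dropped.
    printf 'iptables -A INPUT -i %s -p udp --dport %s -j DROP\n' \
        "$iface" "$port"
    # Outbound: WireGuard sends from its ListenPort, so a handshake that
    # tries to follow the peer to a new address is logged and dropped too.
    printf 'iptables -A OUTPUT -o %s -p udp --sport %s ! -d %s -m limit --limit 6/min -j LOG --log-prefix "WG-ENDPOINT-TRAP: "\n' \
        "$iface" "$port" "$peer"
    printf 'iptables -A OUTPUT -o %s -p udp --sport %s ! -d %s -j DROP\n' \
        "$iface" "$port" "$peer"
}

# Placeholder values (constructed): interface, fixed peer address, port.
WG_IFACE=eth0
WG_PEER=203.0.113.5
WG_PORT=51820

# Print the rules by default; pass "apply" to feed them to the shell.
case "${1:-}" in
    apply) wg_pin_rules "$WG_IFACE" "$WG_PEER" "$WG_PORT" | sh ;;
    *)     wg_pin_rules "$WG_IFACE" "$WG_PEER" "$WG_PORT" ;;
esac
```

Log entries tagged WG-ENDPOINT-TRAP in the kernel log are the signal that something other than the pinned endpoint touched the WireGuard port.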