Using WG for transport security in a p2p network

Matthias Urlichs matthias at
Thu Apr 5 21:49:31 CEST 2018

On 05.04.2018 20:07, Ximin Luo wrote:
> In the typical WG use-case this is not an issue because the network
> admin controls both endpoints and can upgrade both simultaneously, but
> this wouldn't be the case for our p2p network.

Your p2p network would need to exchange v2 keys before upgrading. Thus,
as soon as you know that an endpoint supports v2 you also try to connect
to it that way. When the v2 connection succeeds, the other system knows
that you have its new key, thus it can disable v1 connections from you
(and vice versa).

You'll need to pre-define a private IPv6 address range (with enough
random bits in it that a collision with anybody's local address usage is
unlikely) for your wireguard network. To facilitate upgrades, you can
simply define two bits of that address range to be a rolling version
number and you're basically done: you just route each subnet to the
appropriate wireguard interface.

-- Matthias Urlichs

More information about the WireGuard mailing list