Status of Bird<->wireguard integration
Justin Kilpatrick
justin at althea.net
Sun Aug 25 21:36:28 CEST 2019
I run a Babel/Wireguard combo which is pretty similar to what you're imagining. I have an implemented and (somewhat) working solution to do what you describe that's currently in production.
Wireguard in its current form cannot do fast fail-over in a practical way. This isn't really WireGuard's fault so much as it is a consequence of the security model.
Imagine for a moment you have two WireGuard servers and a client. Exactly like your ASCII example. The client determines that its connection to server 1 is degraded or otherwise failed and starts directing packets to server 2.
Since the client has a valid handshake with server 1, it's sending packets symmetrically encrypted with a key server 2 does not have. All packets get discarded until the handshake expires a minute later and is renegotiated with server 2.
Obviously this makes the clients very unhappy.
I'm not familiar enough with the cryptography design of WireGuard to really comment on a good solution. Ideally the server could recognize this situation and do an immediate handshake without compromising security.
--
Justin Kilpatrick
justin at althea.net
On Sun, Aug 25, 2019, at 11:48 AM, Nico Schottelius wrote:
>
> Hello again,
>
> I was wondering what the status is of the integration of wireguard into
> bird and whether there is any help needed?
>
> I am wondering, because integrating wireguard into bird would easily
> allow to create wireguard server clusters that would announce only the
> connected clients via BGP:
>
>              client
>              | \               |
>              |  --------------- |
>          server1             server2
>      [wireguard+bird]    [wireguard+bird]
>               \              /
>              BGP            BGP
>               -------- | -------
>                        |
>                 upstream router
>
> This would not only allow easily creating any number of failover VPN
> endpoints, but also allow easily implementing load balancing.
>
> Best regards,
>
> Nico
>
> --
> Your Swiss, Open Source and IPv6 Virtual Machine. Now on www.datacenterlight.ch.
> _______________________________________________
> WireGuard mailing list
> WireGuard at lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard
>
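The failure mode Justin describes can be made concrete with a small simulation. The following is an added example and not code from either poster: it models two server instances that share one VPN identity but keep per-session transport keys only on the instance that performed the handshake (a modelling assumption), a client that only renegotiates when its session expires, and a `rehandshake_on_switch` switch that is purely illustrative of what an immediate renegotiation on failover would buy. The symmetric "encryption" is a keyed-MAC stand-in rather than WireGuard's real transport crypto, and the 60 s session lifetime is a parameter chosen to match the "a minute later" in the post, not a WireGuard constant.

```python
"""Toy model of failover between two VPN endpoints when the client's
transport session was negotiated with only one of them.  Constructed
example: the keyed MAC stands in for authenticated encryption and the
session lifetime is a free parameter of the model."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Session:
    receiver_index: bytes   # identifies the session on the server side
    key: bytes              # per-session transport key from the handshake
    established_at: float


class Server:
    """One endpoint.  Assumption of the model: session keys exist only on
    the instance that ran the handshake; nothing replicates them."""

    def __init__(self, name: str):
        self.name = name
        self.sessions: dict[bytes, bytes] = {}

    def handshake(self, now: float) -> Session:
        idx, key = os.urandom(4), os.urandom(32)
        self.sessions[idx] = key
        return Session(idx, key, now)

    def receive(self, packet: tuple[bytes, bytes, bytes]) -> bytes | None:
        idx, payload, tag = packet
        key = self.sessions.get(idx)
        if key is None:
            return None  # unknown session index: silently discarded
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None  # wrong key: authentication fails, discarded
        return payload


class Client:
    def __init__(self, session_lifetime: float, rehandshake_on_switch: bool = False):
        self.session_lifetime = session_lifetime
        self.rehandshake_on_switch = rehandshake_on_switch  # hypothetical behaviour
        self.session: Session | None = None
        self.session_server: Server | None = None

    def send(self, server: Server, payload: bytes, now: float) -> bool:
        """Send one packet to `server`; True if the server accepted it."""
        expired = (self.session is None
                   or now - self.session.established_at >= self.session_lifetime)
        switched = self.rehandshake_on_switch and server is not self.session_server
        if expired or switched:
            self.session = server.handshake(now)
            self.session_server = server
        tag = hmac.new(self.session.key, payload, hashlib.sha256).digest()
        return server.receive((self.session.receiver_index, payload, tag)) is not None


def simulate_failover(session_lifetime: float = 60.0, failover_at: float = 10.0,
                      duration: float = 90.0, rehandshake_on_switch: bool = False) -> dict:
    """One packet per second: server1 until failover_at, then server2.
    Returns how many packets were dropped and when server2 first
    accepted one."""
    s1, s2 = Server("server1"), Server("server2")
    client = Client(session_lifetime, rehandshake_on_switch)
    dropped, resumed_at = 0, None
    for t in range(int(duration)):
        target = s1 if t < failover_at else s2
        delivered = client.send(target, b"payload %d" % t, float(t))
        if not delivered:
            dropped += 1
        elif target is s2 and resumed_at is None:
            resumed_at = float(t)
    return {"dropped": dropped, "resumed_at": resumed_at}


if __name__ == "__main__":
    print("as described in the post:", simulate_failover())
    print("renegotiate on switch   :", simulate_failover(rehandshake_on_switch=True))
```

With the defaults, every packet sent between the switch at t=10 and the session expiry at t=60 is dropped by server2 because it has no key for the client's receiver index; only once the client renegotiates does traffic flow again. The variant that renegotiates as soon as the target changes loses nothing, which is the behaviour the post wishes the server could trigger safely.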