Keep-alive does not keep the connection alive

Ivan Labáth labawi-wg at
Wed Aug 28 08:54:11 CEST 2019


I was asking about server ip in the live wg config
on the client, as seen in
# wg show
in order to verify the problem is indeed a stale ip.

On Wed, Aug 28, 2019 at 06:25:15AM +0000, Hendrik Friedel wrote:
> that seems not to be the intended behaviour:
> If I understand correctly, the current behaviour is:
> At tunnel start the IP is resolved
> This IP is used for ever, namingly for re-connects.
This is only partly correct. The remote endpoint can unconditionally
roam and is updated by any valid packet from a given IP (if I remember

> The probably intended behaviour would be:
> At tunnel start and at any re-connect the IP is resolved.
> Do you agree that this behaviour should be changed?
> Apart from that: Can you suggest an automatable workaround?

In some circumstances a similar behavior would be a desired.

Wireguard design and implementation is layered (which seems good).
The secure* tunnel, including the kernel module and wg tool seem
to be in a reasonable state, but automation, DNS, key exchange are
out of scope for them. It is meant to be provided by tooling, which is
currently very raw.

As a workaround you could
  - unconditionally periodically update the endpoint
  - monitor last handshake time, when large update endpoint or restart
  - add keepalive to server - it might reduce your downtime

Ivan Labáth

More information about the WireGuard mailing list