Keep-alive does not keep the connection alive
labawi-wg at matrix-dream.net
Wed Aug 28 08:54:11 CEST 2019
I was asking about server ip in the live wg config
on the client, as seen in
# wg show
in order to verify the problem is indeed a stale ip.
On Wed, Aug 28, 2019 at 06:25:15AM +0000, Hendrik Friedel wrote:
> that seems not to be the intended behaviour:
> If I understand correctly, the current behaviour is:
> At tunnel start the IP is resolved
> This IP is used for ever, namingly for re-connects.
This is only partly correct. The remote endpoint can unconditionally
roam and is updated by any valid packet from a given IP (if I remember
> The probably intended behaviour would be:
> At tunnel start and at any re-connect the IP is resolved.
> Do you agree that this behaviour should be changed?
> Apart from that: Can you suggest an automatable workaround?
In some circumstances a similar behavior would be a desired.
Wireguard design and implementation is layered (which seems good).
The secure* tunnel, including the kernel module and wg tool seem
to be in a reasonable state, but automation, DNS, key exchange are
out of scope for them. It is meant to be provided by tooling, which is
currently very raw.
As a workaround you could
- unconditionally periodically update the endpoint
- monitor last handshake time, when large update endpoint or restart
- add keepalive to server - it might reduce your downtime
More information about the WireGuard