WireGuard roaming behind a load balancer

Ivan Labáth labawi-wg at matrix-dream.net
Thu Jan 17 01:21:00 CET 2019


Wireguard isn't completely stateless. It has connections and state,
even though it is comparably small and transient.

Wireguard roaming supports changing IPs. An authenticated
packet updates the ip and all works well. Changing hosts requires
a rekey (to re-establish transient keys), and that won't be
automatically triggered by unauthenticated gibberish, so plain
switching won't work immediately.

If you don't mind a relatively short outage when switching,
it should work fine.

In your setup, where H,A,B are wg nodes, and
  (H)A - B
is switched to
  (A)H - B

B->HA traffic will be lost (considered junk) until either

 - B's timer expires and a B->H rekey is issued (maybe 10s of seconds?)
 - H->B traffic and/or timer initiates a H->B rekey

If HA can initate traffic to B, you may be able to rig a rekey soon,
with a <1s outage, or even lossless in some circumstances, but you are
going against the design of a host-to-host "stateless" vpn.

Real hot-standby HA VPNs with transparent lossless switching
on the HA side usually share their ephemeral keys.


More information about the WireGuard mailing list