WireGuard roaming behind a load balancer

Samuel Holland samuel at sholland.org
Thu Jan 17 01:40:05 CET 2019

On 01/16/19 18:21, Ivan Labáth wrote:
> In your setup, where H,A,B are wg nodes, and
>   (H)A - B
> is switched to
>   (A)H - B

I assume here A and H are the active/hot-spare pair, and B is the remote node.

> B->HA traffic will be lost (considered junk) until either
>  - B's timer expires and a B->H rekey is issued (maybe 10s of seconds?)

To be precise, this timer is 120 seconds from the last successful handshake.

>  - H->B traffic and/or timer initiates a H->B rekey
> If HA can initiate traffic to B, you may be able to rig a rekey soon,
> with a <1s outage, or even lossless in some circumstances, but you are
> going against the design of a host-to-host "stateless" vpn.

H can immediately send handshakes to all peers when it is brought up (and will
do so today if they have persistent keepalives set). But you need more than HA
being able to initiate traffic to B. B could have roamed to a new IP while it
was communicating with A. Then A would know about the new IP (because it
received an authenticated packet from there), but H would not.

So you need some way to stream endpoint updates between A and H. I'm not sure if
WireGuard's netlink has a way to push endpoint changes (that would be nice), but
you could at least poll netlink on the active host, and push netlink on the standby.

You could also extend the netlink interface with a way for userspace to request
a handshake on all peers. Then you could leave the interface up, and wouldn't
need any persistent keepalives.

> Real hot-standby HA VPNs with transparent lossless switching
> on the HA side usually share their ephemeral keys.

Sharing ephemeral keys would avoid the need for a new handshake at failover, but
that is very little benefit, since handshakes happen every couple of minutes
anyway. More importantly, sharing keys comes with the security risk of sending
your most sensitive data over the network. Anyone with those keys can decrypt
VPN traffic in real time.

Plus you *still* need the updated endpoint information to send packets from H to
B before B sends anything to AH, even if the session key is still valid. So I
highly recommend against attempting to extract the ephemeral keys from the kernel.

> Regards,
> Ivan
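One way to do the poll-and-push endpoint replication discussed above (poll netlink on the active host, push on the standby), as an added example that is not part of this thread: a POSIX shell helper that turns the active node's `wg show wg0 endpoints` output into the `wg set ... endpoint` commands the standby needs. The peer keys in the sample and the `standby` hostname are placeholders.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: replay the active node's
# current peer endpoints onto a hot-spare so the spare can reach roamed peers
# before they ever send it a packet. Only endpoints are copied, never keys.
#
# Input is the format of `wg show <iface> endpoints`:
#   <peer-public-key><TAB><endpoint>      ("(none)" if never heard from)

# endpoint_sync_cmds IFACE < endpoints-output
# Emits one `wg set IFACE peer KEY endpoint EP` line per peer whose endpoint
# is known; peers with "(none)" are skipped rather than clobbered.
endpoint_sync_cmds() {
    iface="$1"
    # default IFS splits on the tab between key and endpoint
    while read -r key ep; do
        [ -n "$key" ] || continue
        [ "$ep" != "(none)" ] || continue
        printf 'wg set %s peer %s endpoint %s\n' "$iface" "$key" "$ep"
    done
}

# Constructed sample of `wg show wg0 endpoints` output on the active node.
# The keys are placeholders, not real WireGuard public keys.
SAMPLE="$(printf 'PEER_B_PUBKEY_PLACEHOLDER=\t203.0.113.7:51820\nPEER_C_PUBKEY_PLACEHOLDER=\t(none)\nPEER_D_PUBKEY_PLACEHOLDER=\t[2001:db8::9]:51820\n')"

# Typical use on the active node, run periodically (hostname "standby" assumed):
#   wg show wg0 endpoints | endpoint_sync_cmds wg0 | ssh standby sh
printf '%s\n' "$SAMPLE" | endpoint_sync_cmds wg0
```

Because the output is plain `wg set` commands, the same pipeline can be driven by a netlink-watching daemon later without changing the standby side.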
