Development discussion of WireGuard
From: Baptiste Jonglez <baptiste@bitsofnetworks.org>
To: wireguard@lists.zx2c4.com
Subject: Re: Multiple Endpoints
Date: Sun, 8 Jan 2017 15:12:16 +0100
Message-ID: <20170108141216.GB6421@tuxmachine.polynome.dn42>
In-Reply-To: <89477ad4-b015-d0a1-1c05-ea6600b2f464@web.de>


Hi,

On Sat, Jan 07, 2017 at 03:43:10PM +0100, em12345 wrote:
> I'm wondering how to set up a WG client when having multiple DynDNS names
> for a single WG server using dynamic IP. Using multiple DynDNS services
> for the same host is a common pattern to work around unreliable DynDNS
> services.
> As far as I see, only a single endpoint can be given in the configuration.

I am also interested in multiple endpoints support, and I am preparing a
proposal that I will send soon.

However, in your case, it would not really help.  Actually, even using a
single DynDNS name would not work correctly, because DNS resolution is
done only once by `wg`, when you configure your interface.  Afterwards,
the wireguard kernel module uses the IP address that was provided by `wg`,
not the hostname.  This is similar to the behaviour of iptables, and the
reason is simple: it would be really cumbersome to perform DNS resolution
from kernelspace.

So, if a client is connected to the server and the server changes its IP
address, the client will keep trying to use the old IP address forever.
You would need to destroy the wireguard interface on the client and
recreate it, so that `wg` configures the kernel module with the new IP
address associated with the hostname.

On Sat, Jan 07, 2017 at 05:45:35PM +0100, em12345 wrote:
> On a server IP change:
> 
> - the client still sends UDP packages to old server IP, which is useless
> 
> - the server (from its new IP) can send UDP packages to the still
> remembered client IP (because of PersistentKeepalive). But my
> understanding is that stateful firewalls will block UDP packages from
> the new IP until the client has sent a UDP packet to the new server IP.

For a stateful firewall, this will likely be the case.  However, it would
work with a full-cone NAT:

    https://en.wikipedia.org/wiki/Network_address_translation#Full-cone_NAT

That being said, I'm not an expert on NAT, so I don't know which kind of
NAT is the most widespread.

> So in such a scenario the roaming feature wouldn't help.

You're right, in your case, you would need to set up port forwarding on
your client, so that wireguard on your client device can be reached from
any IP address.

Baptiste
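
As an added illustration that is not part of the thread and not code from the WireGuard project: the workaround described above (re-resolve the DynDNS name and hand the kernel the new address) does not actually require destroying and recreating the interface, because `wg set <iface> peer <pubkey> endpoint <ip:port>` updates a single peer's endpoint in place. The script below assumes wireguard-tools (`wg`) and `getent` are installed and that the interface name, peer public key, DynDNS hostname and port are supplied by the caller; the peer keys and addresses used to exercise it are constructed. (The project later shipped a similar contrib script, reresolve-dns.sh; this is an independent example, not that script.)

```shell
#!/bin/sh
# Added example, not code from the thread or the WireGuard project.
# Keeps one peer's endpoint in sync with a DynDNS name: `wg` resolves the
# hostname only once, when the interface is configured, so a server IP change
# is never picked up unless something re-resolves and calls `wg set`.
#
# Assumptions (hypothetical, supplied by the caller): wireguard-tools (`wg`)
# and `getent` are installed; interface name, peer public key, DynDNS
# hostname and port are given as arguments. Needs root for `wg set`.

# Resolve a hostname to its first IPv4 address; fails (exit 1) when the
# DynDNS provider does not answer, so the caller keeps the old endpoint.
resolve_ipv4() {
    ip=$(getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }')
    [ -n "$ip" ] || return 1
    printf '%s\n' "$ip"
}

# Pick one peer's endpoint out of `wg show <iface> endpoints`, whose output is
# one "<public-key>\t<endpoint>" line per peer ("(none)" if no endpoint is set).
endpoint_for_peer() {
    # $1 = text of `wg show <iface> endpoints`, $2 = peer public key
    printf '%s\n' "$1" | awk -F '\t' -v key="$2" '$1 == key { print $2; exit }'
}

# Split "ip:port" / "[ipv6]:port" into its address and port parts.
endpoint_host() {
    host=${1%:*}          # drop ":port"
    host=${host#\[}       # strip IPv6 brackets, if any
    printf '%s\n' "${host%\]}"
}
endpoint_port() {
    printf '%s\n' "${1##*:}"
}

# Decide whether `wg set ... endpoint` is needed. Prints the new "ip:port"
# when the configured address differs from the freshly resolved one; prints
# nothing and returns 1 when they already match. $3 is the port to use when
# the peer has no endpoint yet.
pick_new_endpoint() {
    cur=$1; ip=$2; port=$3
    case "$cur" in
        '' | '(none)') cur_ip='' ;;
        *) cur_ip=$(endpoint_host "$cur"); port=$(endpoint_port "$cur") ;;
    esac
    [ "$cur_ip" != "$ip" ] || return 1
    case "$ip" in
        *:*) printf '[%s]:%s\n' "$ip" "$port" ;;   # IPv6 needs brackets
        *)   printf '%s:%s\n' "$ip" "$port" ;;
    esac
}

# Live loop: re-resolve every $5 seconds (default 30) and push a new endpoint
# only when the address actually changed, without recreating the interface.
reresolve_loop() {
    iface=$1; peer=$2; name=$3; port=$4; interval=${5:-30}
    while :; do
        if ip=$(resolve_ipv4 "$name"); then
            cur=$(endpoint_for_peer "$(wg show "$iface" endpoints)" "$peer")
            if new=$(pick_new_endpoint "$cur" "$ip" "$port"); then
                wg set "$iface" peer "$peer" endpoint "$new"
            fi
        fi
        sleep "$interval"
    done
}

# Usage: wg-reresolve.sh wg0 <peer-public-key> vpn.example.invalid 51820 [interval]
if [ "$#" -ge 4 ]; then
    reresolve_loop "$@"
fi
```

Two caveats when running this for real: a DNS answer can lag behind the server's actual address, and if the peer has meanwhile roamed to you the kernel's recorded endpoint is fresher than DNS, so it is worth checking `wg show <iface> latest-handshakes` and only overriding an endpoint whose last handshake is stale; and, as discussed in the thread, none of this helps the server reach a client behind a stateful firewall until the client sends to the new address, which is exactly why the client is the side that must re-resolve.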



Thread overview: 14+ messages
2017-01-07 14:43 em12345
2017-01-07 15:23 ` Jason A. Donenfeld
2017-01-07 16:45   ` em12345
2017-01-08 14:12     ` Baptiste Jonglez [this message]
2017-01-08 14:39       ` Jörg Thalheim
2017-01-08 21:22         ` Baptiste Jonglez
2017-01-08 22:19         ` Jason A. Donenfeld
2017-01-08 22:18       ` Jason A. Donenfeld
2017-01-08 22:57         ` Baptiste Jonglez
2017-01-08 23:00           ` Jason A. Donenfeld
2017-01-09 11:35             ` Varying source address and stateful firewalls (Was: Multiple Endpoints) Baptiste Jonglez
2017-01-10  4:32               ` Jason A. Donenfeld
2017-01-15 10:01             ` Multiple Endpoints Jason A. Donenfeld
2017-01-08 22:14     ` Jason A. Donenfeld
