* roaming and ddns dynamic ip
From: d tbsky
Date: 2017-11-22 10:53 UTC
To: WireGuard mailing list

Hi:

I tried a setup for WireGuard and found it may cause a problem. Assume the server has a dynamic IP and a static DNS name "ddns-server.example.com". client.conf is like below:

[Interface]
PrivateKey = ****
ListenPort = 51820

[Peer]
PublicKey = ****
Endpoint = ddns-server.example.com:51820
AllowedIPs = 0.0.0.0/0

If I use "wg setconf wg0 client.conf" and then use "wg showconf wg0", the result is below:

[Interface]
ListenPort = 51820
PrivateKey = ****

[Peer]
PublicKey = ****
AllowedIPs = 0.0.0.0/0
Endpoint = 1.1.1.1:51820

The "ddns-server.example.com" has been translated to the IP "1.1.1.1". If later "ddns-server.example.com" changes its IP to "2.2.2.2", I wonder whether WireGuard will try to resolve "ddns-server.example.com" again? Will WireGuard try to resolve "ddns-server.example.com" again when the connection is broken?

Thanks a lot for help!!

Regards,
tbskyd
* Re: roaming and ddns dynamic ip
From: Jason A. Donenfeld
Date: 2017-11-22 11:59 UTC
To: d tbsky; Cc: WireGuard mailing list

Hello,

This is not a bug. DNS resolution is not done by the WireGuard module, but rather by the configuration tool. If you want to update an IP, you'll need to devise a mechanism for this. One popular one is this example script: https://git.zx2c4.com/WireGuard/tree/contrib/examples/reresolve-dns , but many other possibilities exist too.

Jason
* Re: roaming and ddns dynamic ip
From: d tbsky
Date: 2017-11-22 12:51 UTC
To: Jason A. Donenfeld; Cc: WireGuard mailing list

2017-11-22 19:59 GMT+08:00 Jason A. Donenfeld <Jason@zx2c4.com>:
> Hello,
>
> This is not a bug. DNS resolution is not done by the WireGuard module,
> but rather by the configuration tool. If you want to update an IP,
> you'll need to devise a mechanism for this. One popular one is this
> example script:
> https://git.zx2c4.com/WireGuard/tree/contrib/examples/reresolve-dns ,
> but many other possibilities exist too.
>
> Jason

I don't think it's a bug. As you said, that's by design, although it means I need another tool to co-maintain the VPN connection. If WireGuard could be configured to disable roaming and always use the static DNS name as the endpoint, maybe the problem could be solved automatically, like OpenVPN can restart itself and resolve the DNS name again when the connection is broken. But anyway, I can live with the current situation; I just need to figure it out.

Thanks a lot for your clarification!

Regards,
tbskyd
* Re: roaming and ddns dynamic ip
From: Jason A. Donenfeld
Date: 2017-11-22 13:14 UTC
To: d tbsky; Cc: WireGuard mailing list

On Wed, Nov 22, 2017 at 1:51 PM, d tbsky <tbskyd@gmail.com> wrote:
> I don't think it's a bug. As you said, that's by design, although it
> means I need another tool to co-maintain the VPN connection.

WireGuard is by design a building block. wg-quick is one possible tool made out of the building block. The script I linked in the last email is another. You might need to make another tool out of the building block, which you could then open source.
* Re: roaming and ddns dynamic ip
From: Lonnie Abelbeck
Date: 2017-11-22 15:49 UTC
To: WireGuard mailing list

On Nov 22, 2017, at 6:51 AM, d tbsky <tbskyd@gmail.com> wrote:
> 2017-11-22 19:59 GMT+08:00 Jason A. Donenfeld <Jason@zx2c4.com>:
>> Hello,
>>
>> This is not a bug. DNS resolution is not done by the WireGuard module,
>> but rather by the configuration tool. If you want to update an IP,
>> you'll need to devise a mechanism for this. One popular one is this
>> example script:
>> https://git.zx2c4.com/WireGuard/tree/contrib/examples/reresolve-dns ,
>> but many other possibilities exist too.
>>
>> Jason
>
> I don't think it's a bug. As you said, that's by design, although it
> means I need another tool to co-maintain the VPN connection.

Jason, question: if each endpoint had PersistentKeepalive enabled, does that update the endpoint addresses via your roaming code? Or does actual tunnel data traffic need to occur to update roaming endpoints?

If PersistentKeepalive updates roaming endpoints, then it would seem to be a very rare situation when both endpoints had an address change within the PersistentKeepalive window.

Lonnie
* Re: roaming and ddns dynamic ip
From: d tbsky
Date: 2017-11-22 16:00 UTC
To: Lonnie Abelbeck; Cc: WireGuard mailing list

2017-11-22 23:49 GMT+08:00 Lonnie Abelbeck <lists@lonnie.abelbeck.com>:
>
> On Nov 22, 2017, at 6:51 AM, d tbsky <tbskyd@gmail.com> wrote:
>
>> 2017-11-22 19:59 GMT+08:00 Jason A. Donenfeld <Jason@zx2c4.com>:
>>> Hello,
>>>
>>> This is not a bug. DNS resolution is not done by the WireGuard module,
>>> but rather by the configuration tool. If you want to update an IP,
>>> you'll need to devise a mechanism for this. One popular one is this
>>> example script:
>>> https://git.zx2c4.com/WireGuard/tree/contrib/examples/reresolve-dns ,
>>> but many other possibilities exist too.
>>>
>>> Jason
>>
>> I don't think it's a bug. As you said, that's by design, although it
>> means I need another tool to co-maintain the VPN connection.
>
> Jason, question: if each endpoint had PersistentKeepalive enabled, does that update the endpoint addresses via your roaming code? Or does actual tunnel data traffic need to occur to update roaming endpoints?
>
> If PersistentKeepalive updates roaming endpoints, then it would seem to be a very rare situation when both endpoints had an address change within the PersistentKeepalive window.
>
> Lonnie

When the client is behind a firewall via NAT to the internet and the server has a dynamic IP, I don't think keepalive will help, since the changed server cannot connect to the client; it needs the client to initiate the connection. Under OpenVPN, keepalive can detect the broken link and try to restart itself, so the client can reconnect to the server automatically. But if both sites have public IPs, maybe WireGuard keepalive can do the work?

Regards,
tbskyd
* Re: roaming and ddns dynamic ip
From: Matthias Urlichs
Date: 2017-11-22 16:39 UTC
To: wireguard

On 22.11.2017 17:00, d tbsky wrote:
> When the client is behind a firewall via NAT to the internet and the server has
> a dynamic IP, I don't think keepalive will help, since the changed
> server cannot connect to the client; it needs the client to initiate the
> connection. Under OpenVPN, keepalive can detect the broken link and try to
> restart itself, so the client can reconnect to the server automatically.

That situation calls for userspace (on the client) to monitor the connection and update the peer address, if it changed.

The kernel side's job would be to be sufficiently monitor-able via netlink – polling is evil – so that a userspace tool can actually do this.

-- 
Matthias Urlichs
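The mechanism Jason points at (re-applying the endpoint so the configuration tool resolves the name again) and the client-side monitor Matthias describes, written out as an added example; this is neither the thread's code nor the WireGuard project's contrib reresolve-dns script. It assumes a single-peer client.conf like tbsky's, the interface name wg0, a placeholder peer public key, and a 135-second staleness threshold.

```shell
#!/bin/sh
# Added example, not from the thread or the WireGuard project: re-apply a peer's
# DDNS endpoint when the handshake has gone stale. Because `wg set`, not the
# kernel module, resolves hostnames, re-applying the *name* from the original
# client.conf makes the tool resolve it again. Run from cron or a timer.
# Assumptions: interface wg0, one [Peer] in the conf, placeholder public key,
# 135 s staleness threshold (about three missed rekey attempts).

IFACE="${IFACE:-wg0}"
CONF="${CONF:-/etc/wireguard/client.conf}"
PEER_PUBKEY="${PEER_PUBKEY:-PEER_PUBLIC_KEY_PLACEHOLDER}"
STALE_AFTER=135

# endpoint_from_conf: read a wg conf on stdin, print the first Endpoint value.
# Reads the original conf on purpose: `wg showconf` only shows the resolved IP.
endpoint_from_conf() {
    awk -F'=' '$1 ~ /^[ \t]*Endpoint[ \t]*$/ {
        sub(/^[ \t]+/, "", $2); sub(/[ \t]+$/, "", $2); print $2; exit }'
}

# latest_handshake_for PUBKEY: read `wg show IFACE latest-handshakes` on stdin,
# print that peer's epoch timestamp (0 if the peer never handshook or is absent).
latest_handshake_for() {
    awk -v key="$1" '$1 == key { print $2; found = 1 } END { if (!found) print 0 }'
}

# handshake_is_stale LATEST NOW: succeed when the peer should be re-resolved.
handshake_is_stale() {
    if [ "$1" -eq 0 ]; then return 0; fi
    [ $(( $2 - $1 )) -gt "$STALE_AFTER" ]
}

main() {
    endpoint=$(endpoint_from_conf < "$CONF")
    if [ -z "$endpoint" ]; then
        echo "no Endpoint in $CONF" >&2; return 1
    fi
    latest=$(wg show "$IFACE" latest-handshakes | latest_handshake_for "$PEER_PUBKEY")
    if handshake_is_stale "$latest" "$(date +%s)"; then
        # wg resolves the hostname now; roaming may again override it later.
        wg set "$IFACE" peer "$PEER_PUBKEY" endpoint "$endpoint"
        echo "re-applied endpoint $endpoint for $PEER_PUBKEY on $IFACE"
    fi
}

# Only act when invoked with --apply, so the helpers can be sourced and tested.
if [ "${1:-}" = "--apply" ]; then main; fi
```

Invoke it as `sh reresolve.sh --apply` from a periodic timer; the decision helpers stay side-effect free so they can be checked without a live interface.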
* Re: roaming and ddns dynamic ip
From: Bruno Wolff III
Date: 2017-11-22 17:28 UTC
To: d tbsky; Cc: WireGuard mailing list

On Thu, Nov 23, 2017 at 00:00:51 +0800, d tbsky <tbskyd@gmail.com> wrote:
>
> When the client is behind a firewall via NAT to the internet and the server has
> a dynamic IP, I don't think keepalive will help, since the changed
> server cannot connect to the client; it needs the client to initiate the
> connection. Under OpenVPN, keepalive can detect the broken link and try to
> restart itself, so the client can reconnect to the server automatically.

If both sides are using keepalives it could help. It won't work if both sides change IP addresses between keepalives. And if the client is turned off when the server changes IP addresses, that is going to apply.