Development discussion of WireGuard
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: em12345 <em12345@web.de>
Cc: WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: Re: Multiple Endpoints
Date: Sun, 8 Jan 2017 23:14:25 +0100
Message-ID: <CAHmME9r9DcHrp-HS00qjGqddBGaAPvY_Xj1uGdeH6dWJAkmoyg@mail.gmail.com>
In-Reply-To: <89477ad4-b015-d0a1-1c05-ea6600b2f464@web.de>

On Sat, Jan 7, 2017 at 5:45 PM, em12345 <em12345@web.de> wrote:
> This would require PersistentKeepalive on "server" side. But assuming
> the common case that the client sits behind a stateful firewall, how
> would the server be able to inform the client about its IP change?

Yes, the server would need the PersistentKeepalive; you're right.

> - the server (from its new IP) can send UDP packages to the still
> remembered client IP (because of PersistentKeepalive). But my
> understanding is that stateful firewalls will block UDP packages from
> the new IP until the client has sent a UDP to the new server IP.

No, usually not. In most cases, the NAT mapping depends on the
client's local IP and sport/dport, but not on the remote dst IP.
Otherwise common NAT holepunching schemes like STUN and the example
holepuncher [1] wouldn't work. The new UDP packets will make it to the
client, in fact.

[1] https://git.zx2c4.com/WireGuard/tree/contrib/examples/nat-hole-punching/README
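A small model of the NAT behaviour the reply describes, added here as an illustration and not part of the original message or the WireGuard code base. It uses RFC 4787 terminology: the *mapping* (keyed only on the client's internal ip:port, as Jason says) and the *filtering* (which the reply treats as permissive in the common case; the model also shows the stricter address-dependent variant, where the packet from the new server IP would be dropped). All addresses and ports are constructed sample values.

```python
"""Toy stateful NAT in RFC 4787 terms (constructed sample addresses)."""
from dataclasses import dataclass, field
from typing import Optional, Tuple

Addr = Tuple[str, int]  # (ip, port)

@dataclass(frozen=True)
class Packet:
    src: Addr
    dst: Addr

@dataclass
class NAT:
    external_ip: str = "203.0.113.10"          # constructed sample
    filtering: str = "endpoint_independent"    # or "address_dependent"
    mappings: dict = field(default_factory=dict)  # internal (ip, port) -> external port
    peers: dict = field(default_factory=dict)     # external port -> remote addrs sent to
    next_port: int = 40000

    def outbound(self, pkt: Packet) -> Packet:
        # Endpoint-independent mapping: the external port is keyed only on the
        # client's internal ip:port, never on the destination (Jason's point).
        if pkt.src not in self.mappings:
            self.mappings[pkt.src] = self.next_port
            self.next_port += 1
        ext_port = self.mappings[pkt.src]
        self.peers.setdefault(ext_port, set()).add(pkt.dst)
        return Packet((self.external_ip, ext_port), pkt.dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translated packet if the NAT admits it, None if it is dropped."""
        ext_port = pkt.dst[1]
        internal = next((k for k, v in self.mappings.items() if v == ext_port), None)
        if internal is None:
            return None  # no live mapping: unsolicited UDP is dropped
        if self.filtering == "address_dependent":
            # Stricter NATs also require the remote IP to be one already contacted.
            if pkt.src[0] not in {ip for ip, _ in self.peers[ext_port]}:
                return None
        return Packet(pkt.src, internal)

def server_changes_ip(filtering: str) -> bool:
    """Client keepalive goes to the server's old IP; the server then answers
    from a new IP to the client's remembered endpoint. True if it gets through."""
    nat = NAT(filtering=filtering)
    client, old_server, new_server = ("10.0.0.2", 51820), ("198.51.100.1", 51820), ("198.51.100.2", 51820)
    translated = nat.outbound(Packet(client, old_server))
    return nat.inbound(Packet(new_server, translated.src)) is not None
```

With the common endpoint-independent behaviour the server's packet from its new IP is delivered; a NAT with address-dependent filtering would silently drop it until the client sends to the new IP.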

Thread overview: 14+ messages
2017-01-07 14:43 em12345
2017-01-07 15:23 ` Jason A. Donenfeld
2017-01-07 16:45   ` em12345
2017-01-08 14:12     ` Baptiste Jonglez
2017-01-08 14:39       ` Jörg Thalheim
2017-01-08 21:22         ` Baptiste Jonglez
2017-01-08 22:19         ` Jason A. Donenfeld
2017-01-08 22:18       ` Jason A. Donenfeld
2017-01-08 22:57         ` Baptiste Jonglez
2017-01-08 23:00           ` Jason A. Donenfeld
2017-01-09 11:35             ` Varying source address and stateful firewalls (Was: Multiple Endpoints) Baptiste Jonglez
2017-01-10  4:32               ` Jason A. Donenfeld
2017-01-15 10:01             ` Multiple Endpoints Jason A. Donenfeld
2017-01-08 22:14     ` Jason A. Donenfeld [this message]