Development discussion of WireGuard
 help / color / mirror / Atom feed
From: Markus Woschank <markus.woschank@gmail.com>
To: Aaron Jones <aaronmdjones@gmail.com>
Cc: WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: Re: Roaming Mischief
Date: Fri, 17 Nov 2017 23:06:11 +0100	[thread overview]
Message-ID: <CAKUy5ax9kWWF_PPLQYy09-EVnH-CCfQDpYctn3X+Cpe+FNP_0Q@mail.gmail.com> (raw)
In-Reply-To: <630c9955-ae3a-bf10-02ae-e5aa7eee6e64@gmail.com>

> My example is most useful when both endpoints are roaming and either
> endpoint needs to be able to initiate sessions. It's not a very
> common scenario I'll give you that, but the current full roaming
> support does enable it seamlessly (when you also enable keep-alives).

Thank you for clarifying.

This really sound like an unusual situation, where you need to make
sure that while one peer is down the other doesn't move.
I wonder if this could not, should the need arise, be solved in another fashion.

>From experience I have another concern towards the current mechanism.
When configuring two peers pointing at each other and by mistake
setting one endpoint IP to a wrong value (typo in the IP) there is a
good chance this mistake may not be noticed for quiet some time, if
the correctly configured endpoint initiates the connection most of the
time. The user (me), believing to have correctly configured the link,
may be taken by surprise at a later point in time when the link is not
established, as he expects, when the wrongly configured side tries to
initiate it after say a reboot. This is more of a concern to me than
supporting to roaming  peers.

Also the thought of something like `wg showconf wg0 >
/etc/wireguard/wg0.conf` happening at shutdown frightens me a little.
Because if the command fails for whatever reason the configuration
will be truncated and after the reboot completes the link will be
non-functional (conf vs state).

Please don't interpret my comments the wrong way, I grew to love
wireguard. Just trying to state the kinks (IMO) I see, and this is one
of them.
I still vote for: if an endpoint is specified, don't allow the peer
from another source - no config syntax change needed ;).

Markus

  reply	other threads:[~2017-11-17 22:01 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-11-14  9:59 Jason A. Donenfeld
2017-11-14 10:30 ` Kalin KOZHUHAROV
2017-11-14 13:53   ` Lonnie Abelbeck
2017-11-14 14:08     ` Kalin KOZHUHAROV
2017-11-14 13:25 ` Bruno Wolff III
2017-11-14 13:50   ` Kalin KOZHUHAROV
2017-11-15 18:38 ` Markus Woschank
2017-11-15 22:03   ` Aaron Jones
2017-11-17 17:23     ` Markus Woschank
2017-11-17 17:36       ` Aaron Jones
2017-11-17 18:38         ` Markus Woschank
2017-11-17 18:46         ` Markus Woschank
2017-11-17 21:29           ` Aaron Jones
2017-11-17 22:06             ` Markus Woschank [this message]
2017-11-17 22:11               ` Markus Woschank
2017-11-18  9:38           ` Matthias Urlichs
2017-11-18 15:01     ` Markus Woschank
2017-11-18 15:11       ` Markus Woschank
2017-11-16 17:45 ` Stephen Major

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAKUy5ax9kWWF_PPLQYy09-EVnH-CCfQDpYctn3X+Cpe+FNP_0Q@mail.gmail.com \
    --to=markus.woschank@gmail.com \
    --cc=aaronmdjones@gmail.com \
    --cc=wireguard@lists.zx2c4.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).