Development discussion of WireGuard
From: "Justin Kilpatrick" <justin@althea.net>
To: wireguard@lists.zx2c4.com
Subject: Fast failover and handshake renegotiation for multihomed WireGuard servers
Date: Mon, 08 Jul 2019 11:10:29 -0400
Message-ID: <ce091f70-099f-4c15-a791-624ddb41a8d5@www.fastmail.com>

I'm running a small fleet of WireGuard servers and clients; the clients use the Babel routing protocol to detect the latency and packet loss to any of the servers and select the best one accordingly.

The WireGuard servers are multihomed; they share a user list, keys, and an IP address. Babel will insert a route to the same destination IP but a different actual server whenever that server becomes the better option.

Sadly I've had to keep this feature out of production because switching between two servers involves around a minute of zero connectivity, and that's simply too disruptive to expose to customers. The client continues to send packets using the handshake data from the previous server, the new server dutifully discards them as incorrect packets, and everyone involved waits around for the old handshake to time out and a new one to be renegotiated.

Is there any way to trigger a handshake renegotiation quickly that is also secure? Ideally I would like users to be able to roam between servers without any detectable change, much as they can roam between routes inside of a Babel network.

-- 
  Justin Kilpatrick
  justin@althea.net
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
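One way to detect the stuck-session symptom described above from the operator's side, as an added example that is not part of the original post or of WireGuard itself: compare two `wg show <iface> dump` snapshots taken a few seconds apart and flag peers whose transmit counter keeps growing while nothing is received and no new handshake completes. The keys, addresses and counters in the sample snapshots are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass
class PeerStats:
    public_key: str
    endpoint: str
    latest_handshake: int  # unix time of the last completed handshake, 0 = never
    rx_bytes: int
    tx_bytes: int

def parse_wg_dump(text: str) -> dict:
    """Parse `wg show <iface> dump` into {public_key: PeerStats}.

    Line 1 describes the interface; each later line is one peer with the
    tab-separated fields: public-key, preshared-key, endpoint, allowed-ips,
    latest-handshake, transfer-rx, transfer-tx, persistent-keepalive.
    """
    peers = {}
    for line in text.strip().splitlines()[1:]:
        f = line.split("\t")
        peers[f[0]] = PeerStats(f[0], f[2], int(f[4]), int(f[5]), int(f[6]))
    return peers

def stuck_peers(before: dict, after: dict) -> list:
    """Peers that kept transmitting between the snapshots, received nothing
    back and completed no new handshake: a client still using session keys
    that the server on the other end of the route will not accept."""
    stuck = []
    for key, cur in after.items():
        prev = before.get(key)
        if prev is None:
            continue
        sending = cur.tx_bytes > prev.tx_bytes
        receiving = cur.rx_bytes > prev.rx_bytes
        rehandshaked = cur.latest_handshake > prev.latest_handshake
        if sending and not receiving and not rehandshaked:
            stuck.append(key)
    return stuck

# Constructed sample snapshots (placeholder keys, documentation-range address).
IFACE = "PRIV_PLACEHOLDER=\tPUB_PLACEHOLDER=\t51820\toff"
SNAPSHOT_T0 = IFACE + "\n" + "\n".join([
    "PEER_A_PUB=\t(none)\t203.0.113.10:51820\t10.0.0.1/32\t1562598000\t40960\t81920\t25",
    "PEER_B_PUB=\t(none)\t203.0.113.10:51820\t10.0.0.2/32\t1562598010\t4096\t8192\t25",
])
SNAPSHOT_T1 = IFACE + "\n" + "\n".join([
    # peer A: tx grew, rx flat, same old handshake -> stuck on a stale session
    "PEER_A_PUB=\t(none)\t203.0.113.10:51820\t10.0.0.1/32\t1562598000\t40960\t98304\t25",
    # peer B: traffic flowing both ways -> healthy
    "PEER_B_PUB=\t(none)\t203.0.113.10:51820\t10.0.0.2/32\t1562598010\t6144\t10240\t25",
])

def check_sample() -> list:
    return stuck_peers(parse_wg_dump(SNAPSHOT_T0), parse_wg_dump(SNAPSHOT_T1))

if __name__ == "__main__":
    print("peers stuck on a stale session:", check_sample())
```

In production the two snapshots would come from running `wg show <iface> dump` a few seconds apart; an alert on a flagged peer bounds how long a route switch goes unnoticed.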
