On 19.02.19 16:45, Vincent Wiemann wrote:
> A kernel VPN module should not depend
> on a user space daemon for doing regular checks or a daemon running at
> all.

It doesn't. You only need userspace when the external IP address changes
*and* the other side either doesn't initiate a link to us, or can no
longer reach us due to firewall or NAT issues.

This is already orders of magnitude better than OpenVPN.

DNS is a complex protocol that's nontrivial to implement securely, DNSSEC
even more so. You do not want that in the kernel. I'd wager a large chunk
of money that neither does Linus Torvalds.

> One could build up on
> https://www.kernel.org/doc/Documentation/networking/dns_resolver.txt ,
> but it's a lot of work and shouldn't be a goal before WireGuard becomes
> an upstream kernel module. I'm pretty sure that's the way to go long-term.

Umm … you might want to read that. It specifies upcalling to userspace.
How is that better than running a WG daemon?

We'd also lose flexibility. I might want to teach that WG daemon to get
the new address from somewhere else, like a secure connection to a VPN
server (given that DNS timeouts might be too long), or to use that netlink
callback to trigger an alert or to activate a fallback connection.

-- 
-- Matthias Urlichs
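The kind of userspace "WG daemon" the reply describes, as an added illustration that is not code from the thread or from the WireGuard project: it re-resolves each peer's DNS name and only touches the kernel (via the `wg` CLI) when the resolved endpoint differs from what `wg show <iface> endpoints` reports. The interface name `wg0`, the peer key and the hostname are constructed placeholders, and the resolver is injectable so the decision logic can be exercised offline.

```python
"""Userspace endpoint re-resolver for a WireGuard interface (added example)."""
import socket
import subprocess
from typing import Callable, Dict, List

IFACE = "wg0"  # assumed interface name

# Constructed config: the DNS name (host:port) each peer's endpoint should follow.
PEER_NAMES: Dict[str, str] = {
    "PEER_PUBKEY_PLACEHOLDER=": "vpn-a.example.invalid:51820",
}


def parse_endpoints(output: str) -> Dict[str, str]:
    """Parse `wg show <iface> endpoints` output: one "<pubkey>\t<ip:port>" per line.

    Peers without a known endpoint are reported as "(none)" and kept as such so
    that plan_updates() treats them as needing an endpoint."""
    endpoints: Dict[str, str] = {}
    for line in output.splitlines():
        if line.strip():
            pubkey, endpoint = line.split("\t", 1)
            endpoints[pubkey.strip()] = endpoint.strip()
    return endpoints


def resolve_ipv4(host: str) -> str:
    """Default resolver: first IPv4 address for host via the system resolver."""
    return socket.getaddrinfo(host, None, socket.AF_INET)[0][4][0]


def plan_updates(current: Dict[str, str], wanted: Dict[str, str], iface: str = IFACE,
                 resolve: Callable[[str], str] = resolve_ipv4) -> List[List[str]]:
    """Return the `wg set` commands for peers whose endpoint no longer matches DNS."""
    cmds: List[List[str]] = []
    for pubkey, hostport in wanted.items():
        host, port = hostport.rsplit(":", 1)
        try:
            ip = resolve(host)
        except OSError:
            continue  # resolution failed: keep the last known endpoint, retry next tick
        new_endpoint = f"{ip}:{port}"
        if current.get(pubkey) != new_endpoint:
            cmds.append(["wg", "set", iface, "peer", pubkey, "endpoint", new_endpoint])
    return cmds


def run_once(iface: str = IFACE) -> int:
    """One daemon tick: read the kernel's view, apply only the changed endpoints."""
    out = subprocess.run(["wg", "show", iface, "endpoints"],
                         capture_output=True, text=True, check=True).stdout
    cmds = plan_updates(parse_endpoints(out), PEER_NAMES, iface)
    for cmd in cmds:
        subprocess.run(cmd, check=True)
    return len(cmds)
```

Run `run_once()` from a timer (cron, a systemd timer, or a loop) on the side whose peer's address can change; the kernel keeps forwarding unchanged in between, which is the point the reply makes.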