A kernel VPN module should not depend on a user space daemon for doing regular checks or a daemon running at all.
It doesn't. You only need userspace when the external IP address
changes *and* the other side either doesn't initiate a link to us,
or can no longer reach us due to firewall or NAT issues. This is
already orders of magnitude better than OpenVPN.
DNS is a complex protocol that's nontrivial to implement
securely, DNSSEC even more so. You do not want that in the kernel.
I'd wager a large chunk of money that neither does Linus Torvalds.
One could build up on https://www.kernel.org/doc/Documentation/networking/dns_resolver.txt , but it's a lot of work and shouldn't be a goal before WireGuard becomes an upstream kernel module.
I'm pretty sure that's the way to go long-term.
Umm … you might want to read that. It specifies upcalling to userspace. How is that better than running a WG daemon?
We'd also lose flexibility. I might want to teach that WG daemon
to get the new address from somewhere else, like a secure
connection to a VPN server (given that DNS timeouts might be too
long), or to use that netlink callback to trigger an alert or to
activate a fallback connection.
-- 
Matthias Urlichs
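The userspace daemon discussed above, as an added example that is not part of the thread or of WireGuard itself: a small POSIX shell re-resolver that watches a peer's DNS name and pushes a changed address into the kernel with `wg set`. It only updates when resolution succeeded, the address actually differs from what the kernel holds, and the peer has not completed a handshake recently, so an endpoint the kernel already learned from roaming is not clobbered by a stale DNS answer. It assumes the `wg` tool and glibc `getent` are installed; the interface, peer key, hostname and port passed in are hypothetical.

```bash
#!/bin/sh
# Added example (not WireGuard's own code): keep a peer's endpoint in sync with a DNS name
# from userspace. Assumes `wg` and glibc `getent`; all names given on the command line are
# hypothetical. The decision logic (should_update) is pure so it can be exercised without wg.

STALE_AFTER=135   # seconds without a handshake before a DNS answer is trusted over the kernel's endpoint

# resolve_host HOST -> first IPv4 address, empty on failure (getent is a glibc assumption)
resolve_host() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{ print $1; exit }'
}

# kernel_endpoint IFACE PUBKEY -> endpoint the kernel currently has, "ip:port" or "(none)"
kernel_endpoint() {
    wg show "$1" endpoints | awk -v k="$2" '$1 == k { print $2 }'
}

# last_handshake IFACE PUBKEY -> unix timestamp of the latest handshake, 0 if none yet
last_handshake() {
    wg show "$1" latest-handshakes | awk -v k="$2" '$1 == k { print $2 }'
}

# endpoint_changed OLD NEW -> true when NEW is non-empty and differs from OLD
endpoint_changed() {
    [ -n "$2" ] && [ "$1" != "$2" ]
}

# handshake_stale NOW LAST -> true when there was no handshake within STALE_AFTER seconds
handshake_stale() {
    [ "${2:-0}" -eq 0 ] || [ $(( $1 - $2 )) -gt "$STALE_AFTER" ]
}

# should_update OLD NEW NOW LAST -> the full decision; an empty NEW (failed lookup) never updates
should_update() {
    endpoint_changed "$1" "$2" && handshake_stale "$3" "$4"
}

# reresolve_once IFACE PUBKEY HOST PORT -> one pass: resolve, compare, maybe push to the kernel
reresolve_once() {
    iface=$1 pub=$2 host=$3 port=$4
    ip=$(resolve_host "$host")
    if [ -z "$ip" ]; then
        echo "$host: resolution failed, keeping current endpoint" >&2
        return 1
    fi
    old=$(kernel_endpoint "$iface" "$pub")
    if should_update "$old" "$ip:$port" "$(date +%s)" "$(last_handshake "$iface" "$pub")"; then
        wg set "$iface" peer "$pub" endpoint "$ip:$port" && echo "$pub: $old -> $ip:$port"
    fi
}

# run_loop IFACE PUBKEY HOST PORT [INTERVAL] -> the daemon proper
run_loop() {
    while :; do
        reresolve_once "$1" "$2" "$3" "$4"
        sleep "${5:-30}"
    done
}

# Run as: RERESOLVE_RUN=1 sh reresolve.sh wg0 <peer-pubkey> vpn.example.com 51820 [interval]
if [ "${RERESOLVE_RUN:-0}" = 1 ]; then
    run_loop "$@"
fi
```

The handshake check is the part worth keeping even if the rest is replaced: a peer that roamed already taught the kernel its new address via an authenticated packet, and DNS may still carry the old one, so the daemon should only override the kernel's endpoint when the tunnel has visibly gone quiet.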