NetBSD-Bugs archive
Re: kern/58156: wg(4) roaming endpoint gets stuck on private addresses
The following reply was made to PR kern/58156; it has been noted by GNATS.
From: Kimmo Suominen <kim%netbsd.org@localhost>
To: gnats-bugs%netbsd.org@localhost
Cc:
Subject: Re: kern/58156: wg(4) roaming endpoint gets stuck on private addresses
Date: Tue, 16 Apr 2024 07:17:48 +0300

On Tue, Apr 16, 2024 at 02:40:02AM +0000, campbell+netbsd%mumble.net@localhost wrote:
> - Maybe never override an explicitly configured endpoint address.
> - Maybe avoid changing a publicly routable endpoint address to a private endpoint address.
> - Maybe check for prior art, which I haven't done yet.

The configured endpoint address needs to be changed when both endpoints
are using dynamic addresses. I have such tunnels, and it is rare that
they lose sight of one another. A configured address is needed to
initially bring up such a tunnel.

I think the fix here would be some way to tell the VPN server to bind to
a specific address, so that it won't send from other addresses.

A workaround would be to run the VPN server on a single-homed system.
This is how I terminate wg tunnels from roaming clients.

I do also take advantage of the macOS client feature, where I can tell
it to bring up the tunnel only when on WiFi except for specific SSIDs.
This could also be used to work around the reported issue.

Kind regards,
+ Kimmo