[lug] Security - Wireguard
Zan Lynx
zlynx at acm.org
Sat Jun 29 13:06:07 MDT 2019
On 6/29/2019 11:56 AM, Bucky Carr wrote:
> Testing... I established a new VPN connection and ssh'd into the box.
> Then left the ssh connection idle for 5 minutes and it was still alive
> thereafter. One thing that Wireguard does in the background is
> renegotiate a new, ephemeral, symmetric key: server <-> client, about
> every 2 minutes.
>
> Could that be obviating the need for a keepalive packet?
The default Linux conntrack timeout for UDP is 30 seconds. So I don't
think so.
With UDP there's no connection so NAT routers need to have a timeout or
they'd just fill up with UDP tracking entries. They have to time out TCP
also but they can use a longer timeout since most TCP connections mark
themselves closed one way or another.
I went and read some stuff about Wireguard and searched around. As best
I can tell it defaults to 10 second heartbeat packets. So are you *sure*
it's idle in the background? Because you'd have needed to set something
for that.
--
Knowledge is Power -- Power Corrupts
Study Hard -- Be Evil
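Added example, not part of the thread: the practical question above is whether a peer behind NAT sends something often enough to keep the router's UDP mapping alive. WireGuard's `PersistentKeepalive` option is off by default, and its documentation suggests 25 seconds for peers behind NAT. The script below parses a wg-quick style config (a hand-rolled parser, because repeated `[Peer]` sections defeat `configparser`) and flags every peer that has an `Endpoint` but either no keepalive or one longer than the NAT's UDP timeout. The threshold defaults to the 30 second Linux `nf_conntrack_udp_timeout` value mentioned in the post, read from `/proc` when available; the sample config, its keys and endpoints are constructed placeholders, and treating the unreplied timeout (rather than the longer stream timeout) as the bound is a deliberately conservative assumption, since a consumer NAT box is not necessarily Linux.

```python
"""Audit PersistentKeepalive settings in a wg-quick style config
against a stateful NAT's UDP mapping timeout (added example)."""

# Linux netfilter default for UDP flows (sysctl
# net.netfilter.nf_conntrack_udp_timeout); used as the fallback
# threshold when the live sysctl cannot be read.
DEFAULT_UDP_TIMEOUT = 30

# Constructed sample config: keys and endpoints are placeholders.
SAMPLE_CONFIG = """
[Interface]
PrivateKey = PLACEHOLDER_CLIENT_PRIVATE_KEY
Address = 10.0.0.2/32

[Peer]
# Peer A: keepalive shorter than a 30 s UDP timeout
PublicKey = PLACEHOLDER_PEER_A_PUBLIC_KEY
Endpoint = vpn.example.invalid:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

[Peer]
# Peer B: no keepalive at all (WireGuard's default is off)
PublicKey = PLACEHOLDER_PEER_B_PUBLIC_KEY
Endpoint = 203.0.113.10:51820
AllowedIPs = 10.0.1.0/24

[Peer]
# Peer C: keepalive longer than the timeout, mapping will expire
PublicKey = PLACEHOLDER_PEER_C_PUBLIC_KEY
Endpoint = 198.51.100.7:51820
AllowedIPs = 10.0.2.0/24
PersistentKeepalive = 60

[Peer]
# Peer D: no Endpoint, so this side only answers; not audited
PublicKey = PLACEHOLDER_PEER_D_PUBLIC_KEY
AllowedIPs = 10.0.3.0/24
"""


def parse_wg_config(text):
    """Return a list of (section_name, {key: value}) pairs.

    Repeated [Peer] sections are kept as separate entries, which is why
    the stdlib configparser is not used here. Comments and blank lines
    are dropped; base64 keys never contain '#', so stripping after it is safe.
    """
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], {})
            sections.append(current)
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[1][key.strip()] = value.strip()
    return sections


def read_udp_timeout(path="/proc/sys/net/netfilter/nf_conntrack_udp_timeout",
                     default=DEFAULT_UDP_TIMEOUT):
    """Read the kernel's UDP conntrack timeout, falling back to the default
    when the file is absent (no netfilter, non-Linux host, no permission)."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return default


def audit_keepalives(text, udp_timeout=DEFAULT_UDP_TIMEOUT):
    """Return (public_key, keepalive_seconds, status) for each peer we
    initiate to. Status is 'ok' when 0 < keepalive < udp_timeout,
    'no-keepalive' when unset, and 'too-slow' when the interval is at or
    above the NAT timeout (the mapping can expire between packets)."""
    findings = []
    for name, kv in parse_wg_config(text):
        if name != "Peer" or "Endpoint" not in kv:
            continue  # passive peers: we do not originate traffic to them
        keepalive = int(kv.get("PersistentKeepalive", "0"))
        if keepalive <= 0:
            status = "no-keepalive"
        elif keepalive >= udp_timeout:
            status = "too-slow"
        else:
            status = "ok"
        findings.append((kv.get("PublicKey", "?"), keepalive, status))
    return findings


if __name__ == "__main__":
    timeout = read_udp_timeout()
    print(f"UDP conntrack timeout assumed: {timeout}s")
    for pubkey, keepalive, status in audit_keepalives(SAMPLE_CONFIG, timeout):
        print(f"{status:13} keepalive={keepalive:>3}s  peer={pubkey}")
```

Run it on a real client config by replacing `SAMPLE_CONFIG` with the file contents; on the NAT side of the link, run `read_udp_timeout()` on the router if it is Linux, otherwise keep the 30 second default as the conservative bound.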