Hey Ximin, Nice to see that you're thinking through these issues in a concrete setting.
For a while I had some notions about allowing WireGuard to pop up initiaton messages from unauthenticated peers to userspace for userspace to then validate in one way or another asynchornously, followed by userspace adding that peer's key to the list of peers (or not), and initiating the handshake back the other way reusing the initial UDP port. This wouldn't add that much complexity and I think it'd be fairly reliable. However, I've held off on implementing it because I'm skepical that people would actually use it in a way that makes sense. For example, in your case, you already have some other aspect of the protocol which seeks to exchange this information; in that case, doing the exchange there makes most sense, since you can morph and change that for your particular requirements. In other words, I like the idea you presented in your follow up email. Does that seem like a okay solution for you? Or do you think you do have a compelling reason for adding the above semantics? Jason _______________________________________________ WireGuard mailing list WireGuard@lists.zx2c4.com https://lists.zx2c4.com/mailman/listinfo/wireguard