Hi,

WireGuard isn't completely stateless. It has connections and state, even though it is comparably small and transient.

WireGuard roaming supports changing IPs. An authenticated packet updates the IP and all works well. Changing hosts requires a rekey (to re-establish transient keys), and that won't be automatically triggered by unauthenticated gibberish, so plain switching won't work immediately.

If you don't mind a relatively short outage when switching, it should work fine.

In your setup, where H, A, B are wg nodes, and (H)A - B is switched to (A)H - B, B->HA traffic will be lost (considered junk) until either
- B's timer expires and a B->H rekey is issued (maybe 10s of seconds?)
- H->B traffic and/or timer initiates a H->B rekey

If HA can initiate traffic to B, you may be able to rig a rekey soon, with a <1s outage, or even lossless in some circumstances, but you are going against the design of a host-to-host "stateless" vpn.

Real hot-standby HA VPNs with transparent lossless switching on the HA side usually share their ephemeral keys.

Regards,
Ivan
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
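
The difference between roaming and switching hosts described in the message above, as an added example that is not part of the original post and is not WireGuard code. It is a toy Python model: HMAC stands in for the real AEAD, `handshake()` stands in for the real key exchange, the node names follow the post, and the addresses are constructed documentation addresses.

```python
import hashlib
import hmac
import os

class Node:
    """Toy model of a wg node: transient session key plus last known peer endpoint."""
    def __init__(self, addr):
        self.addr = addr
        self.session_key = None    # transient state, exists only after a handshake
        self.peer_endpoint = None  # updated only by authenticated packets

    def seal(self, payload):
        # Stand-in for AEAD: payload followed by an HMAC tag under the session key.
        return payload + hmac.new(self.session_key, payload, hashlib.sha256).digest()

    def receive(self, src_addr, packet):
        """Return the payload if the packet authenticates, else None (silent drop)."""
        if self.session_key is None:
            return None            # no transient keys: everything is junk
        payload, tag = packet[:-32], packet[-32:]
        good = hmac.new(self.session_key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, good):
            return None            # unauthenticated: no state change at all
        self.peer_endpoint = src_addr  # roaming: authenticated packet moves endpoint
        return payload

def handshake(initiator, responder):
    """Stand-in for a rekey: both sides end up with a fresh transient key."""
    initiator.session_key = responder.session_key = os.urandom(32)
    initiator.peer_endpoint, responder.peer_endpoint = responder.addr, initiator.addr

def run_scenario():
    a, b = Node("192.0.2.10"), Node("198.51.100.5")
    handshake(a, b)
    r = {}
    # 1. Roaming: A keeps its session and sends from a new IP.
    a.addr = "192.0.2.99"
    r["roam_delivered"] = b.receive(a.addr, a.seal(b"ping")) == b"ping"
    r["roam_endpoint"] = b.peer_endpoint
    # 2. Unauthenticated gibberish from elsewhere changes nothing on B.
    r["junk"] = b.receive("203.0.113.7", b"\xff" * 48)
    r["endpoint_after_junk"] = b.peer_endpoint
    # 3. Switch to H: same address as A, but no transient keys yet.
    h = Node("192.0.2.99")
    r["b_to_h_before"] = h.receive(b.addr, b.seal(b"data"))
    # 4. H initiates a rekey towards B; traffic flows in both directions again.
    handshake(h, b)
    r["b_to_h_after"] = h.receive(b.addr, b.seal(b"data"))
    r["h_to_b_after"] = b.receive(h.addr, h.seal(b"data"))
    return r
```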