Problem
I noticed that wireguard_persistent_keepalive was not being templated for peers that don't have endpoints, seemingly from these lines.
So for example, if I wanted a "client-server" configuration where the client is behind a NAT and doesn't explicitly have an endpoint set, the server would generate a [Peer] block for the client without any PersistentKeepalive, despite wireguard_persistent_keepalive being set on all hosts.
Firstly, I can confirm that setting a PersistentKeepalive even without an endpoint set seems to work, based on the tcpdump traffic I was seeing. Not sure if this is a new feature or what relevant versions I should be checking, but wg --version shows wireguard-tools v1.0.20210914 on the server.
Motivation
As for why this might be useful:
- I have a TCP program listening on my wireguard client that my wireguard server might need to connect to every so often.
- I already have PersistentKeepalive set for client->server because my client is behind a NAT.
- On the server, when I send a TCP probe to the program listening on the client through the wireguard tunnel, it'll take a while (~30s) for the probe to complete if I didn't probe it recently.
- Afterwards, it's instantaneous unless I stop probing it for an extended period of time.
However, when PersistentKeepalive is set for server->client, the probe seems to always be instantaneous.
Remarks
I'm not quite sure why this is the case, since the PersistentKeepalive for client->server should be all that's needed to keep the NAT mapping open. Maybe something else is going on, but in any case, even if the client doesn't have an endpoint, having a PersistentKeepalive for server->client seems to be a legitimate use case.
I see that #215 is related, but I'm not sure if we're talking about the same thing and I believe this post gives more detail into the problem, its motivations, and solutions.
Additionally, if there's a better solution than setting PersistentKeepalive for server->client, I'd be happy to try it.
Proposal
I understand that some people may be expecting or even relying on PersistentKeepalive not being set for peers without endpoints set, so I think a reasonable solution is to add a variable like wireguard_persistent_keepalive_override: true|false, defaulting to false. If it's true, we'll add the PersistentKeepalive even if the endpoint isn't set. Or, any solution that keeps the current behavior by default while allowing a way to add PersistentKeepalive would be great.
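As an added illustration of the proposal (this is example code written for this page, not the role's own Jinja2 template), the following Python stand-in renders the server-side [Peer] blocks under the current rule (PersistentKeepalive only when an Endpoint is set) and under the proposed wireguard_persistent_keepalive_override flag. The peer names, the placeholder public keys, and the render_peer/render_server_peers helpers are assumptions made for the example.

```python
"""Stand-in for the server's [Peer] rendering, showing the proposed
wireguard_persistent_keepalive_override behaviour. Example code only;
not the Ansible role's template."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Peer:
    name: str
    public_key: str           # constructed placeholder, not a real key
    allowed_ips: str
    endpoint: Optional[str] = None   # None models a NATed client with no wireguard_endpoint
    persistent_keepalive: Optional[int] = None  # value of wireguard_persistent_keepalive


def render_peer(peer: Peer, keepalive_override: bool = False) -> str:
    """Render one [Peer] block.

    Current behaviour (override False): PersistentKeepalive is emitted only
    when the peer has an Endpoint.  Proposed behaviour (override True):
    PersistentKeepalive is emitted whenever it is set on the peer, even for
    endpoint-less peers such as clients behind NAT.
    """
    lines = [
        f"# {peer.name}",
        "[Peer]",
        f"PublicKey = {peer.public_key}",
        f"AllowedIPs = {peer.allowed_ips}",
    ]
    if peer.endpoint:
        lines.append(f"Endpoint = {peer.endpoint}")
    if peer.persistent_keepalive is not None and (peer.endpoint or keepalive_override):
        lines.append(f"PersistentKeepalive = {peer.persistent_keepalive}")
    return "\n".join(lines)


def render_server_peers(peers: List[Peer], keepalive_override: bool = False) -> str:
    """Render all [Peer] blocks for the server's wg0.conf, separated by blank lines."""
    return "\n\n".join(render_peer(p, keepalive_override) for p in peers)


def has_keepalive(block: str) -> bool:
    """True if the rendered block contains a PersistentKeepalive line."""
    return any(line.startswith("PersistentKeepalive") for line in block.splitlines())


# Constructed sample inventory: one peer with a public endpoint, one NATed client.
ROUTER = Peer("router", "ROUTER_PUBKEY_PLACEHOLDER", "10.8.0.2/32",
              endpoint="router.example.net:51820", persistent_keepalive=25)
NATED_CLIENT = Peer("laptop", "LAPTOP_PUBKEY_PLACEHOLDER", "10.8.0.3/32",
                    endpoint=None, persistent_keepalive=25)
PEERS = [ROUTER, NATED_CLIENT]


if __name__ == "__main__":
    print("--- default (current behaviour) ---")
    print(render_server_peers(PEERS))
    print("\n--- wireguard_persistent_keepalive_override: true ---")
    print(render_server_peers(PEERS, keepalive_override=True))
```

With the default, the laptop block has no PersistentKeepalive line even though wireguard_persistent_keepalive is set on it, which is the templating gap described above; with the override enabled, both blocks carry the line and the router block is unchanged either way.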