[client] Recover from rosenpass key desync#6714
Conversation
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
Release artifactsBuilt for PR head
GHCR images (amd64)
This comment is updated by the Release workflow. Artifact links expire according to the workflow retention policy. |



Describe your changes
Recovers WireGuard tunnels that stay down after the rosenpass-managed preshared keys desync between two peers. Because the rosenpass renewal exchange runs over the tunnel that the preshared key itself secures, a desync cannot self-repair: the dead tunnel blocks the very exchange that would fix it. Two independent mechanisms restore convergence:
Note: recovery requires both ends to run this change. A peer on an older version that latched a one-sided key cannot be recovered from the remote side until it restarts or upgrades. Expiry timers on the two ends are not synchronized, so there can be a brief window where the ends hold different keys before the next expiry converges them.
Issue ticket number and link
Stack
0.74.4-branch-Checklist
Documentation
Select exactly one:
Internal recovery behavior with no user-facing configuration or API surface.
Docs PR URL (required if "docs added" is checked)
Paste the PR link from https://github.com/netbirdio/docs here:
https://github.com/netbirdio/docs/pull/__
Summary by CodeRabbit
New Features
Bug Fixes