Wireguard handshake: Is there a maximum timeout period?
I'm wondering if there is a maximum timeout period for Wireguard's handshake. It seems that the timeout is 180 seconds - when the latest handshake exceeds this limit, the Wireguard connection is dropped and needs to be reset. Am I right?
When you say it needs to be reset, what exactly are you observing and what action is required on your part?
There is a keepalive field which will perform a periodic handshake if no traffic is otherwise flowing through the tunnel. That is typically useful for NAT Masqueraded connections.
I have configured the endpoint in /etc/config/network, but I've noticed that when a remote peer enables the persistent-keepalive function, it affects my local endpoint. In other words, the endpoint shown is from the remote peer, rather than the one I set up locally.
How can I ensure that the endpoint I set up locally is being used?
Is it possible to set up multiple endpoints for a single wg link? As far as I know, the Luci interface only allows me to set up one endpoint.
Also, I found that when the recipient decrypts the data, it seems that the recipient does not verify the endpoint. Even if the endpoint does not match the endpoint configured locally, as long as the private key can decrypt the data, it will be accepted.
Is the question related to asymmetric routing?
In other words, is the remote peer sending you the packets from a different IP from the one you have configured as endpoint for the peer?
You usually only set an endpoint on one side.
One side is listening for incoming connections and does not have an endpoint, the other side is initiating a connection and has the endpoint which it uses to initiate a connection.
Theoretically it is possible to set endpoints on both sides; after all, WireGuard is symmetric.
But the side which initiates the connection (e.g. by setting keepalive or initiating traffic) is the one whose address is shown as the endpoint.
The endpoint is not part of the cryptokey routing; that is only the public key and the allowed IPs.
As long as there is no traffic, e.g. by setting a keepalive, there is no connection.
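As an added illustration (not part of the thread above, and not OpenWrt's own documentation), here is what the "endpoint on one side only" layout looks like in /etc/config/network on two OpenWrt routers. The key strings, ports and addresses are placeholders; the option names (proto wireguard, listen_port, endpoint_host, endpoint_port, persistent_keepalive, allowed_ips) are the standard ones used by the OpenWrt wireguard netifd protocol handler.

```uci
# --- Router A: behind NAT, initiates the tunnel ---
# The endpoint is configured here, because A must know where to send the
# first handshake. persistent_keepalive keeps the NAT mapping alive so B can
# still reach A when no other traffic is flowing.
config interface 'wg0'
	option proto 'wireguard'
	option private_key 'PRIVATE_KEY_OF_A_PLACEHOLDER='
	list addresses '10.0.0.2/24'

config wireguard_wg0
	option description 'Router B (public side)'
	option public_key 'PUBLIC_KEY_OF_B_PLACEHOLDER='
	option endpoint_host 'b.example.net'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	option route_allowed_ips '1'
	list allowed_ips '10.0.0.1/32'

# --- Router B: public IP, only listens ---
# No endpoint_host/endpoint_port for peer A: B learns A's current public
# address:port from the first authenticated packet that arrives, and updates
# it whenever A's source address changes (roaming). That learned address is
# what `wg show` prints as "endpoint" on B.
config interface 'wg0'
	option proto 'wireguard'
	option private_key 'PRIVATE_KEY_OF_B_PLACEHOLDER='
	option listen_port '51820'
	list addresses '10.0.0.1/24'

config wireguard_wg0
	option description 'Router A (behind NAT)'
	option public_key 'PUBLIC_KEY_OF_A_PLACEHOLDER='
	option route_allowed_ips '1'
	list allowed_ips '10.0.0.2/32'
```

The security check on each router is the allowed_ips list, not the endpoint: a decrypted packet from peer A is only accepted on B if its inner source address falls inside A's allowed_ips, and traffic to 10.0.0.2 is only ever encrypted to A's public key. Which outer address a peer currently sits at is treated as transport information that WireGuard is free to update, which is exactly the behaviour observed in the question above.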