Data integrity when tunneling off-site replication data through Wireguard (and thus using UDP)?

SnoppyFloppy

Explorer
Joined
Jun 17, 2021
Messages
77
Hi

I want to connect my local TrueNAS server to my off-site TrueNAS server for off-site snapshot replication, and I am considering tunneling the traffic through a Wireguard tunnel.

But Wireguard is running on UDP only, and as far as I know, that's not the ideal choice when data integrity is the utmost priority.

So my question is, whether it's safe - from a data-integrity point-of-view - to tunnel my off-site replication through Wireguard?

Thanks in advance!
 

traeu

Cadet
Joined
Jun 22, 2021
Messages
4
As far as I know, this should be no problem! (but maybe someone else can confirm it).
Wireguard using UDP just means that the tunnel itself is not secured against packet loss. Not every packet you send into the tunnel can be expected to arrive; if the packet gets lost on the way inside the tunnel through the internet, Wireguard will not notice and will not retry to send it.
It's the same as using wifi or a bad DSL connection: not every packet you send is guaranteed to arrive, they can get lost.
But it should be no problem for replication, because the protocol for replication will protect you against packet loss; I'm pretty sure it uses TCP. (It would really make no sense if UDP was used for backup transfer, because packet loss can happen anywhere and always needs to be expected.)
That means you are running a TCP connection (replication protocol) inside a UDP connection (Wireguard).
To my understanding, this is even better than having a TCP replication over a TCP tunnel (like TCP OpenVPN, for example), because that would be TCP inside TCP, which means lots of overhead per packet and slower speeds. One TCP is enough to secure the connection; there is no need for TCP over TCP.
Only if you would use a UDP connection (like a VoIP call or multiplayer game) over Wireguard would there be a chance that packets get lost, but in that case it's wanted like this. In these UDP applications, you want the best speed and don't care about lost packets, and running them over a TCP tunnel would lead to lost packets getting retransmitted, arriving late and getting dropped because they are not needed anymore.

--> The replication protocol itself should be able to handle packet loss. TCP tunnels don't have advantages over UDP tunnels if you are using "free" internet. If your internet connection is restricted to web surfing, tunnels over TCP can be helpful because you can run them on TCP 443.
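An added illustration of the argument above (not code from this thread, TrueNAS or WireGuard): a toy model in which a reliable, TCP-like stream with sequence numbers, ACKs and retransmission runs over a datagram tunnel that silently drops packets, and the delivered bytes are checked by hash against the original. The stop-and-wait ARQ is a deliberate simplification of TCP, and the payload is a constructed byte string, not real replication data.

```python
import hashlib
import random

# Constructed stand-in for a replication stream; not real ZFS send output.
PAYLOAD = bytes(random.Random(1).getrandbits(8) for _ in range(4096))
SEGMENT = 256  # bytes per inner-TCP segment in this toy model


class LossyTunnel:
    """The WireGuard/UDP leg: a datagram either arrives intact or is gone.
    A datagram corrupted in transit fails WireGuard's per-packet authentication
    and is discarded, so to the inner protocol it looks like loss as well."""

    def __init__(self, loss_rate, seed=7):
        self.rng, self.loss_rate, self.dropped = random.Random(seed), loss_rate, 0

    def send(self, datagram):
        if self.rng.random() < self.loss_rate:
            self.dropped += 1  # the tunnel neither notices nor retries
            return None
        return datagram


def reliable_transfer(data, tunnel, max_tries=200):
    """Stop-and-wait ARQ standing in for TCP: sequence numbers, ACKs, retransmit.
    Returns (bytes delivered in order, number of retransmissions)."""
    received, expected_seq, retransmissions = bytearray(), 0, 0
    for seq, start in enumerate(range(0, len(data), SEGMENT)):
        chunk = data[start:start + SEGMENT]
        for _ in range(max_tries):
            arrived = tunnel.send((seq, chunk))          # segment crosses the tunnel
            if arrived is not None and arrived[0] == expected_seq:
                received += arrived[1]                   # in-order: accept it
                expected_seq += 1                        # a duplicate is simply ignored
            ack = tunnel.send(expected_seq) if arrived is not None else None
            if ack == seq + 1:                           # the ACK can be lost on the way back too
                break
            retransmissions += 1
        else:
            raise RuntimeError(f"segment {seq} never acknowledged")
    return bytes(received), retransmissions


def replicate_and_verify(loss_rate):
    """Push PAYLOAD through a lossy tunnel and compare SHA-256 on both ends."""
    tunnel = LossyTunnel(loss_rate)
    delivered, retx = reliable_transfer(PAYLOAD, tunnel)
    intact = hashlib.sha256(delivered).digest() == hashlib.sha256(PAYLOAD).digest()
    return intact, tunnel.dropped, retx
```

With a 50% drop rate the tunnel discards many datagrams, yet the inner stream retransmits until every segment is acknowledged and the hashes match; with no loss there are no retransmissions at all.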
 

SnoppyFloppy

Explorer
Joined
Jun 17, 2021
Messages
77
That makes a lot of sense and it was what I was hoping for.

Can anyone else confirm?
 