DNS Updates to WireGuard Endpoints

A side benefit of running the Pro Custodibus agent on a host is that if you use domain names to identify your WireGuard endpoints, when the DNS record for an endpoint changes, the agent will automatically update WireGuard accordingly. WireGuard itself only resolves endpoint domain names when it starts up — so if you change the IP address of an existing WireGuard server, like when you replace an old server, or if you use DNS failover to provide redundancy among two or more WireGuard servers, and one server fails — clients of the old server will continue to try to connect to the old IP address without ever checking DNS for a new IP address.

For example, say a client is configured to connect to a WireGuard server with a DNS name of vpn.example.com, using the following configuration file:

# /etc/wireguard/wg0.conf
[Interface]
PrivateKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEE=
Address = 10.0.0.1/32

[Peer]
PublicKey = fE/wdxzl0klVp/IR8UcaoGUMjqaWi3jAd7KzHKFS6Ds=
Endpoint = vpn.example.com:51820
AllowedIPs = 10.0.0.0/24

And say you’ve set up vpn.example.com with DNS load-balancing between two identical WireGuard servers, one at an IP address of 198.51.100.10, and the other at 203.0.113.20:

$ dig +short vpn.example.com
198.51.100.10
203.0.113.20

When the WireGuard interface of the client starts up, it will resolve the DNS record for vpn.example.com, and select one of the IP addresses to use as its endpoint for the server. Let’s say it selects 198.51.100.10.

Now let’s say the WireGuard server at 198.51.100.10 becomes unavailable, and your DNS servers remove it from their vpn.example.com responses. Your client will continue to try to access the WireGuard server at 198.51.100.10, even though the DNS record for vpn.example.com now only contains 203.0.113.20:

$ dig +short vpn.example.com
203.0.113.20

$ sudo wg show wg0
interface: wg0
 public key: /TOE4TKtAqVsePRVR+5AA43HkAK5DSntkOCO7nYq5xU=
 private key: (hidden)
 listening port: 51234

peer: fE/wdxzl0klVp/IR8UcaoGUMjqaWi3jAd7KzHKFS6Ds=
 endpoint: 198.51.100.10:51820
 allowed ips: 10.0.0.0/24
 latest handshake: 12 minutes, 34 seconds ago
 transfer: 123 MB received, 234 MB sent

The only built-in way for a WireGuard client to detect a change to an endpoint’s IP address is if the endpoint proactively initiates a connection to the client from its new IP address (which NAT or other firewall rules make impossible in a typical client-server scenario) — so normally you’d have to restart the client in order to force it to look up the new IP address of the server.

However, if you have the Pro Custodibus agent running on the client, the agent will automatically look up the DNS record for vpn.example.com, see that WireGuard is no longer using an IP address included in the record, and update the client to use a new IP address for the server (203.0.113.20 in this case):

$ sudo wg show wg0
interface: wg0
 public key: /TOE4TKtAqVsePRVR+5AA43HkAK5DSntkOCO7nYq5xU=
 private key: (hidden)
 listening port: 51234

peer: fE/wdxzl0klVp/IR8UcaoGUMjqaWi3jAd7KzHKFS6Ds=
 endpoint: 203.0.113.20:51820
 allowed ips: 10.0.0.0/24
 latest handshake: 12 seconds ago
 transfer: 124 MB received, 235 MB sent

This is similar to the functionality of the reresolve-dns.sh script from the wireguard-tools source code repository, which you can manually install and run as a cron job on each client. With Pro Custodibus, however, this feature is automatically built into the agent, so you don’t have to install and configure a separate script to manage it.