DNS Updates to WireGuard Endpoints
A side benefit of running the Pro Custodibus agent on a host is that if you use domain names to identify your WireGuard endpoints, when the DNS record for an endpoint changes, the agent will automatically update WireGuard accordingly. WireGuard itself only resolves endpoint domain names when it starts up — so if you change the IP address of an existing WireGuard server, like when you replace an old server, or if you use DNS failover to provide redundancy among two or more WireGuard servers, and one server fails — clients of the old server will continue to try to connect to the old IP address without ever checking DNS for a new IP address.
For example, say a client is configured to connect to a WireGuard server with a DNS name of
vpn.example.com, using the following configuration file:
# /etc/wireguard/wg0.conf [Interface] PrivateKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEE= Address = 10.0.0.1/32 [Peer] PublicKey = fE/wdxzl0klVp/IR8UcaoGUMjqaWi3jAd7KzHKFS6Ds= Endpoint = vpn.example.com:51820 AllowedIPs = 10.0.0.0/24
And say you’ve set up
vpn.example.com with DNS load-balancing between two identical WireGuard servers, one at an IP address of
198.51.100.10, and the other at
$ dig +short vpn.example.com 198.51.100.10 203.0.113.20
When the WireGuard interface of the client starts up, it will resolve the DNS record for
vpn.example.com, and select one of the IP addresses to use as its endpoint for the server. Let’s say it selects
Now let’s say the WireGuard server at
198.51.100.10 becomes unavailable, and your DNS servers remove it from their
vpn.example.com responses. Your client will continue to try to access the WireGuard server at
198.51.100.10, even though the DNS record for
vpn.example.com now only contains
$ dig +short vpn.example.com 203.0.113.20 $ sudo wg show wg0 interface: wg0 public key: /TOE4TKtAqVsePRVR+5AA43HkAK5DSntkOCO7nYq5xU= private key: (hidden) listening port: 51234 peer: fE/wdxzl0klVp/IR8UcaoGUMjqaWi3jAd7KzHKFS6Ds= endpoint: 198.51.100.10:51820 allowed ips: 10.0.0.0/24 latest handshake: 12 minutes, 34 seconds ago transfer: 123 MB received, 234 MB sent
The only built-in way for a WireGuard client to detect a change to an endpoint’s IP address is if the endpoint proactively initiates a connection to the client from its new IP address (which NAT or other firewall rules make impossible in a typical client-server scenario) — so normally you’d have to restart the client in order to force it to look up the new IP address of the server.
However, if you have the Pro Custodibus agent running on the client, the agent will automatically look up the DNS record for
vpn.example.com, see that WireGuard is no longer using an IP address included in the record, and update the client to use a new IP address for the server (
203.0.113.20 in this case):
$ sudo wg show wg0 interface: wg0 public key: /TOE4TKtAqVsePRVR+5AA43HkAK5DSntkOCO7nYq5xU= private key: (hidden) listening port: 51234 peer: fE/wdxzl0klVp/IR8UcaoGUMjqaWi3jAd7KzHKFS6Ds= endpoint: 203.0.113.20:51820 allowed ips: 10.0.0.0/24 latest handshake: 12 seconds ago transfer: 124 MB received, 235 MB sent
This is similar to the functionality of the reresolve-dns.sh script from the
wireguard-tools source code repository, which you can manually install and run as a cron job on each client. With Pro Custodibus, however, this feature is automatically built into the agent, so you don’t have to install and configure a separate script to manage it.