Ideas for getting Wireguard to work with hostname instead of IP address

We use WireGuard to connect to various endpoints with dynamic IP addresses. However, VyOS does not currently support hostname addresses and requires a static IP (Example: 1.2.3.4 below).

    wireguard wg110 {
        address xxx.xxx.60.2/32
        description remote network
        mtu 1420
        peer xxxxx.tld {
            address 1.2.3.4
            allowed-ips xxx.xxx.0.0/0
            allowed-ips ::/0
            persistent-keepalive 10
            port 51820
            preshared-key ****************
            public-key ****************
        }
        port 51822
        private-key xxxxxx
    }

Until this feature gets developed, is there a way in VyOS to write a script to update the IP (resolve hostname to IP address) at reboot?

How would the script execute – is there a config command to call a script on boot, for example? Or a way to call it with cron?

Where should the script be saved so it survives system upgrades?

What would the script update (config.boot?) and how should the updated configuration be loaded?

And lastly, what technique might one use to “find and replace” the old IP address under the wg peer, and update it with the new one?

Happy to write something like this for the community, but not sure how best to apply it to VyOS.

Hi @ajgnet,

You can check our documentation page, which will guide you through your questions; I think most of them are answered there!

https://docs.vyos.io/en/latest/automation/command-scripting.html

Please read carefully: there are some things that you need to include in the scripts for them to work properly.

Thanks!

That’s great, thank you! Any resources for sample scripts?

In addition to a WireGuard config like you have in your post, I use this script to update the tunnel with the dynamically assigned IP address, which is pointed to by a dynamically assigned DNS entry using a service like DynDNS:

/config/scripts$ cat update-wg0.sh
#!/bin/sh

# Point the running wg0 peer at whatever address the dynamic DNS name currently resolves to.
# This changes the live interface only; the VyOS configuration itself is not touched.
sudo wg set wg0 peer <public key> endpoint <dynamic dns hostname>:<port num>

and I have a scheduled task in the normal config that runs this script every minute:

    task-scheduler {
        task update-wg0 {
            executable {
                path /config/scripts/update-wg0.sh
            }
            interval 1
        }
    }

Never considered directly altering the wg peer. I wrote a script that modifies the VyOS config without “talking behind its back” … it gets called on startup. I could also add it to task-scheduler, but these IPs rarely change. Any suggestions to improve it are greatly appreciated.

/config/scripts/wg-peer-111.script

#!/bin/vbash

# Re-exec under the vyattacfg group so configure/commit/save are permitted
if [ "$(id -g -n)" != 'vyattacfg' ] ; then
    exec sg vyattacfg -c "/bin/vbash $(readlink -f $0) $@"
fi
# Provides the configure / set / commit / save / run wrappers used below
source /opt/vyatta/etc/functions/script-template

# Resolve the peer's hostname. Keep only the first address so a multi-address
# answer cannot turn into several words in the comparison below.
newIP=$(getent hosts remote-host.example.com | awk 'NR == 1 { print $1 }')
# Current endpoint of the tunnel: "<pubkey> <ip>:<port>" -> "<ip>"
oldIP=$(run show interfaces wireguard wg111 endpoints | awk '{ print $2 }' | awk -F ':' '{ print $1 }')

echo "$newIP"
echo "$oldIP"

# If resolution failed, leave the configuration alone; committing an empty
# address would only produce a commit error.
if [ -z "$newIP" ]; then
    echo "could not resolve peer hostname, configuration left unchanged" >&2
    exit 1
fi

if [ "$newIP" != "$oldIP" ]
then
        configure
        set interfaces wireguard wg111 peer location1 address "$newIP"
        commit
        save
fi

/config/scripts/vyos-postconfig-bootup.script

#Call local scripts
/config/scripts/wg-peer-111.script
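The two awk one-liners in the script above are the fragile part: splitting the endpoint on the first `:` gives `[2001` for an IPv6 endpoint such as `[2001:db8::1]:51820`, and an empty or odd DNS answer would otherwise be pushed straight into `set ... address`. The following helpers, added here as an example and not part of the thread or of VyOS, isolate that parsing and the "should I commit?" decision so they can be exercised offline. The function names (`endpoint_host`, `is_ipv4`, `need_update`) and the sample `wg show ... endpoints` output with placeholder keys are constructed for the example; in the real script `newIP` would still come from `getent hosts` and `oldIP` from `run show interfaces wireguard wg111 endpoints`.

```shell
#!/bin/sh
# Added example helpers for a VyOS peer-update script (not from the original post).
# Everything that would talk to DNS or to "wg show" is kept outside these
# functions, so the parsing and decision logic can be tested with canned input.

# Constructed sample of "wg show wg111 endpoints" output: one line per peer,
# "<public-key> <endpoint>". The keys are placeholders, not real keys.
SAMPLE_ENDPOINTS='PEERKEY_PLACEHOLDER_1= 203.0.113.10:51820
PEERKEY_PLACEHOLDER_2= [2001:db8::1]:51820
PEERKEY_PLACEHOLDER_3= (none)'

# endpoint_host <pubkey> [endpoints-text]
# Print the host part of the named peer's endpoint. Handles "ip:port" and the
# bracketed "[ipv6]:port" form that a naive split on ':' gets wrong; prints
# nothing for "(none)" or an unknown key.
endpoint_host() {
    key="$1"; text="${2:-$SAMPLE_ENDPOINTS}"
    printf '%s\n' "$text" | awk -v k="$key" '
        $1 == k {
            ep = $2
            if (ep == "(none)") { print ""; exit }
            if (substr(ep, 1, 1) == "[") {        # [v6]:port -> v6
                ep = substr(ep, 2)
                ep = substr(ep, 1, index(ep, "]") - 1)
            } else {                              # v4:port -> v4
                sub(/:[0-9]+$/, "", ep)
            }
            print ep; exit
        }'
}

# is_ipv4 <string>: strict dotted-quad check, four numeric octets each 0-255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F '.' '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }
        { exit 0 }'
}

# need_update <new> <old>: succeed (exit 0) only when the freshly resolved
# address is a well-formed IPv4 address AND differs from what the tunnel is
# using. An empty or malformed "new" (DNS failure) must never trigger a commit.
need_update() {
    new="$1"; old="$2"
    is_ipv4 "$new" || return 1
    [ "$new" != "$old" ]
}

# Typical wiring inside the VyOS script (shown here against the sample data):
#   newIP=$(getent hosts remote-host.example.com | awk 'NR == 1 { print $1 }')
#   oldIP=$(endpoint_host "<peer public key>" "$(run show interfaces wireguard wg111 endpoints)")
#   need_update "$newIP" "$oldIP" && { configure; set ...; commit; save; }
if need_update 198.51.100.7 "$(endpoint_host PEERKEY_PLACEHOLDER_1=)"; then
    echo "endpoint changed, a commit would run here"
fi
```

Because `need_update` refuses to act on anything that is not a clean IPv4 address, a DNS outage or a resolver returning an unexpected record results in no commit at all rather than a broken peer definition in config.boot.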