PiVPN with Wireguard unreliable when IP changes?

Hi,

I’ve been using PiVPN with Wireguard on DietPi for a couple of weeks now and it generally works great. However, each time my external IP changes, it somehow stops working.

I’ve set up dynamic DNS on my router and tested it. It’s updating correctly.
In my Wireguard config, I’ve set pivpnHOST to the subdomain from the dynamic DNS provider. I haven’t set up dynamic DNS on DietPi though.

What could this be caused by? I’m clueless.

I guess it has something to do with how your DDNS entry is updated. Ensure your client contains the correct DDNS domain that is updated correctly. It doesn’t matter how you set up dynamic DNS, as long as your system is reachable from outside with the correct external IP. Check that your subdomain is updated as well.


I’ve checked my router, which in its web interface shows the current external IP, as well as the dynamic DNS provider, and dietpi with curl -s https://checkip.amazonaws.com. All three times the same IP was displayed.

The subdomain provided by the dynamic DNS provider is also correct in the Wireguard config.

As mentioned before, it always works when everything is set up fresh, but when the IP changes it breaks.

Thanks for your reply.

But this is not an issue of the Wireguard server installation, because the server doesn’t care about your external IP. It matters for the client only, as the client is the one who needs to resolve the DDNS correctly to be able to connect. Next time the issue happens, check the subdomain and which external IP address it has assigned. You can use a DNS lookup site like mxtoolbox.


OK, will do. Thanks.

Joulinar is correct, the problem comes not from your PiVPN, but from the connected client on the other side.
The way wireguard works, it only translates the DNS address when it starts up. Afterwards it keeps the same IP address as long as it’s up.

You can change the endpoint address manually in wireguard with the command:
wg set wg0 peer XXXX= endpoint dynamicaddress.domain.com:51820
(XXXX= is the public key of the peer; wg requires the endpoint as host:port, here the PiVPN default port 51820.)

I added a crontab to do exactly this every night; at worst I need to wait 24 hours before a connection is re-established.

Theoretically you could have it running every hour or even less.
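As an added example (not code from this thread, from PiVPN or from DietPi), here is a small POSIX shell script that does the manual wg set step above automatically from cron on the client side: it resolves the DDNS name, compares it with the endpoint currently configured for the peer and only calls wg when the address actually changed. The interface name wg0, the peer public key, the DDNS name and the port 51820 are assumptions passed as arguments.

```shell
#!/bin/sh
# Re-resolve a WireGuard peer's DDNS endpoint and update it if it changed.
# Constructed example; usage from cron on the *client* (the side that dials in):
#   */15 * * * * /usr/local/bin/wg-reresolve.sh wg0 <peer-public-key> dynamicaddress.domain.com 51820

# Decide whether the peer endpoint must be updated.
# $1 = endpoint currently set on the peer ("host:port", "[v6]:port" or "(none)")
# $2 = freshly resolved address of the DDNS name
needs_update() {
    current_host="${1%:*}"          # strip the trailing :port
    current_host="${current_host#[}" # strip IPv6 brackets, if any
    current_host="${current_host%]}"
    [ "$current_host" != "$2" ]
}

# Resolve the DDNS name to its first IPv4 address (glibc getent).
resolve_ipv4() {
    getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'
}

# Read the endpoint wg currently has for the given peer public key.
# `wg show <iface> endpoints` prints one "<pubkey><TAB><endpoint>" line per peer.
current_endpoint() {
    wg show "$1" endpoints | awk -v k="$2" '$1 == k { print $2 }'
}

reresolve() {
    iface="$1"; pubkey="$2"; ddns="$3"; port="$4"
    ip=$(resolve_ipv4 "$ddns")
    if [ -z "$ip" ]; then
        # Keep the old endpoint when DNS fails; do not tear down a working tunnel.
        echo "wg-reresolve: could not resolve $ddns, leaving endpoint unchanged" >&2
        return 1
    fi
    cur=$(current_endpoint "$iface" "$pubkey")
    if needs_update "$cur" "$ip"; then
        wg set "$iface" peer "$pubkey" endpoint "$ip:$port"
        logger -t wg-reresolve "$iface: endpoint for $ddns is now $ip:$port (was ${cur:-none})"
    fi
}

# Only act when invoked with the four arguments (so sourcing the file is harmless).
if [ "$#" -eq 4 ]; then
    reresolve "$@"
fi
```

Handshakes on the client resume within a couple of minutes of the endpoint change; the script never touches the server, which keeps listening on its static LAN address behind the forwarded port.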

That makes sense, however rebooting the Raspberry Pi didn’t solve my issue.

I don’t get it, since the “dynamicaddress.domain.com” never really changes. What’s the point of running this?

Thanks for your reply.

Which RPi do you mean? The one hosting the Wireguard server or the device being the client?

You need to run these commands on the “client” side, not on your RPi. No need to reboot the RPi.

You’re right that the name never changes, but as I said, Wireguard only looks up the name once. If your “server” (your RPi) changes its IP address and you update the dynamic name, Wireguard on the other side will not know that. You need the command to force it to look up the new IP address you just dynamically updated again.

PS: there is no notion of client/server in Wireguard, hence the “client” and “server” I wrote. Each machine is simply a peer.

This is not correct. You always have one server providing the peers a client could connect to. In your case, this is the PiVPN system. A server can’t connect to clients because it doesn’t know how to reach them. The connection is triggered by the client side only. Yes, in the end it is a peer, but still it’s a client/server setup.

Technically, you could say that the machine that waits for a connection is a “server”, and the other machine (which knows the IP address to connect to) is the client.
This is all just hairsplitting, because if you set up 2 machines that each know the other’s IP address, then they are peers. It’s not a traditional client/server architecture. Each machine can be a client and a server.
This page sums it up well: Who is client and who is server in Wireguard? - TechOverflow

You can see it as you wish. Yes, it is true that the WireGuard application can have both roles depending on the active configuration. PiVPN is creating a server profile that is waiting for connections. But it can’t be used to connect to another side. For this, you would need to create your own, different configuration file that would need to be activated individually.

Oh sorry, the homelab one that’s hosting PiVPN & Wireguard.

Oh, I see. I don’t think I can run shell commands on my iPhone though.

The Raspberry Pi that hosts Wireguard is set up with a static IP address.

It doesn’t matter how the IP address is configured inside your local network. The external IP of your ISP router is the important one, as this is the address your clients are connecting to.

Hello,

I’ve had the same problem for weeks now.
I have a Raspberry Pi 4 with DietPi (PiVPN, Wireguard server, Pi-hole, Unbound, MQTT and InfluxDB) behind a Fritzbox 7490.

In order to get access to the heating system of the apartment building, I installed a GL.iNet router in the boiler room. This is registered as a client on the neighbour’s WLAN in order to connect the heating control system to the Internet.

It always worked for a while, and then suddenly the VPN was interrupted.

At first I thought it was the GL.iNet router, so I deactivated the VPN function in the router and installed a Raspberry Pi 3 with DietPi and a Wireguard client there.

The result: the problem persisted.

After a few days of research I found a working solution and I don’t want to withhold it from you.

Wireguard Client with dyndns Server

If necessary, this could be integrated into DietPi in the future.

Regards
Andrew


Indeed, Wireguard has issues on permanent connections if the DDNS IP address changes. The script looks like a good addition to the client configuration: wireguard-tools/contrib/reresolve-dns at master · WireGuard/wireguard-tools · GitHub

@MichaIng FYA

I opened a request on GitHub: DietPi-Software | WireGuard: Add optional DDNS update script on client setup · Issue #6049 · MichaIng/DietPi · GitHub


Oh, I wish I hadn’t run this script!! Now, I get a DNS resolution error on my mobile device when I try to connect to PiVPN/Wireguard…

Yesterday, I had a new router (Fritzbox) installed by the ISP. I had to set up dynamic DNS and port forwarding (port 51820) for Wireguard again, but couldn’t get it to work. Maybe I forgot something?

Rebooting didn’t solve the issue.

The script is not designed to be executed on the server side. It should be running on the client to obtain the correct DDNS/IP address to be able to connect to the server. A typical scenario would be a permanent connection from client to server where the server’s external IP changes regularly.

But in your case, it is not needed. You would need to verify that your DDNS has the correct external IP address, that port forwarding is done to the correct local device IP, that the client has the correct settings, and so on. Furthermore, there is a log option on the client side. Have a look; maybe there is a hint why the connection could not be established.
