I’ve been using PiVPN with Wireguard on DietPi for a couple of weeks now and it generally works great. However, each time my external IP changes, it somehow stops working.
I’ve setup dynamic DNS on my router and tested it. It’s updating correctly.
In my Wireguard config, I’ve set pivpnHOST to the subdomain from the dynamic DNS provider. I haven’t set up dynamic DNS on DietPi, though.
I guess it has something to do with how your DDNS entry is updated. Ensure your client contains the correct DDNS domain and that it is updated correctly. It doesn’t matter how you set up dynamic DNS, as long as your system is reachable externally on the correct external IP. Check that your subdomain is updated as well.
I’ve checked my router, which in its web interface shows the current external IP, as well as the dynamic DNS provider, and dietpi with curl -s https://checkip.amazonaws.com. All three times the same IP was displayed.
The subdomain provided by the dynamic DNS provider is also correct in the Wireguard config.
As mentioned before, it always works when everything is set up fresh, but when the IP changes it breaks.
But this is not an issue of the Wireguard server installation, because the server doesn’t care about your external IP. It matters for the client only, as the client is the one who needs to resolve the DDNS correctly to be able to connect. Next time the issue happens, check the subdomain and which external IP address it has assigned. You can use a DNS lookup site like MXToolbox.
Joulinar is correct, the problem comes not from your PiVPN, but from the connected client on the other side.
The way wireguard works, it only translates the DNS address when it starts up. Afterwards it keeps the same IP address as long as it’s up.
You can change the endpoint address manually in wireguard with the command (the endpoint needs the port as well): wg set wg0 peer XXXX= endpoint dynamicaddress.domain.com:51820
I added a crontab to do exactly this every night; at worst I need to wait 24 hours before a connection is re-established.
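The nightly re-resolve described in the post, written out as a client-side cron script that only touches the tunnel when the DDNS name actually resolves to a new address. This is an added example, not the poster’s crontab; the interface name wg0, the peer key placeholder XXXX=, the name dynamicaddress.domain.com and the usual WireGuard port 51820 are assumptions to replace with your own values.

```shell
#!/bin/sh
# Client-side cron job: re-resolve the server's DDNS name and re-set the
# WireGuard endpoint when the address has changed. Added example; the names
# below (wg0, XXXX=, dynamicaddress.domain.com) are placeholders.
WG_IF="${WG_IF:-wg0}"
PEER_KEY="${PEER_KEY:-XXXX=}"                          # server's public key
DDNS_HOST="${DDNS_HOST:-dynamicaddress.domain.com}"    # DDNS name of the PiVPN box
DDNS_PORT="${DDNS_PORT:-51820}"                        # usual WireGuard port

# Pull the live endpoint (ip:port) for one peer out of `wg show <if> endpoints`,
# whose lines are "<pubkey><TAB><ip:port>". $1 = that output, $2 = peer key.
current_endpoint() {
    printf '%s\n' "$1" | awk -F'\t' -v key="$2" '$1 == key { print $2; exit }'
}

# Strip the port from ip:port, including bracketed IPv6 ([addr]:port).
endpoint_ip() {
    case "$1" in
        \[*\]:*) printf '%s\n' "$1" | sed 's/^\[\(.*\)\]:[0-9]*$/\1/' ;;
        *)       printf '%s\n' "${1%:*}" ;;
    esac
}

# Resolve the DDNS name to its current IPv4 address (glibc getent, no dig needed).
resolve_host() {
    getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'
}

# True when a resolved address exists and differs from the live endpoint.
needs_update() {   # $1 = live ip, $2 = freshly resolved ip
    [ -n "$2" ] && [ "$1" != "$2" ]
}

main() {
    live_ip=$(endpoint_ip "$(current_endpoint "$(wg show "$WG_IF" endpoints)" "$PEER_KEY")")
    new_ip=$(resolve_host "$DDNS_HOST")
    if needs_update "$live_ip" "$new_ip"; then
        logger -t wg-reresolve "endpoint $live_ip -> $new_ip, re-setting"
        # wg resolves the name itself; passing the name keeps the config readable
        wg set "$WG_IF" peer "$PEER_KEY" endpoint "$DDNS_HOST:$DDNS_PORT"
    fi
}

# Cron entry on the client, e.g.:  */5 * * * * /usr/local/sbin/wg-reresolve.sh run
case "${1:-}" in run) main ;; esac
```

Running it every few minutes instead of nightly shortens the outage after an IP change to one cron interval, and the logger line leaves a syslog trace of each re-set.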
You need to run these commands on the “client” side, not on your RPi. No need to reboot the RPi.
You’re right that the name never changes, but as I said, Wireguard only looks up the name once. If your “server” (your RPi) changes its IP address and you update the dynamic name, Wireguard on the other side will not know that. You need the command to force it to look up again the new IP address you just dynamically updated.
PS: there is no notion of client/server in Wireguard, hence the “client” and “server” I wrote. Each machine is simply a peer.
This is not correct. You always have one server providing the peers a client could connect to. In your case, this is the PiVPN system. A server can’t connect to clients because it doesn’t know how to reach them. The connection is triggered by the client side only. Yes, in the end it is a peer, but still it’s a client/server setup.
Technically, you could say that the machine that waits for a connection is a “server”, and the other machine (who knows the IP address to connect to) is the client.
This is all just hairsplitting, because if you setup 2 machines that each know the other’s IP address, then they are peers. It’s not a traditional client/server architecture. Each machine can be a client and a server.
This page sums it up well: Who is client and who is server in Wireguard? - TechOverflow
You can see it as you wish. Yes, it is true the WireGuard application can have both roles depending on the active configuration. PiVPN is creating a server profile that is waiting for connections. But it can’t be used to connect to another side. For this, you would need to create your own, different configuration file that would need to be activated individually.
It doesn’t matter how the IP address is configured inside your local network. The external IP of your ISP router is the important one, as this is the address your clients connect to.
I’ve had the same problem for weeks now.
I have a raspberry pi 4 with dietpi (pivpn, wireguard server, pihole, unbound, mqtt and influxdb) behind a Fritzbox 7490.
In order to get access to the heating system of the apartment building, I installed a GL.iNet router in the boiler room. This is registered as a client on the neighbor’s WLAN in order to connect the heating control system to the Internet.
It always worked for a while, and then suddenly the VPN was interrupted.
At first I thought it was the GL.iNet router, so I deactivated the VPN function in the router and installed a Raspberry Pi 3 with DietPi and a WireGuard client there.
The result was the problem persisted.
After a few days of research I found a working solution and I don’t want to withhold it from you.
Oh, I wish I hadn’t run this script!! Now, I get a DNS resolution error on my mobile device when I try to connect to PiVPN/Wireguard…
Yesterday, I had a new router (Fritzbox) installed by the ISP. I had to set up dynamic DNS and port forwarding (port 51820) for Wireguard again, but couldn’t get it to work. Maybe I forgot something?
The script is designed not to be executed on the server side. It should run on the client to obtain the correct DDNS/IP address to be able to connect to the server. A typical scenario would be a permanent connection from client to server where the server’s external IP changes regularly.
But in your case, it is not needed. You would need to verify that your DDNS has the correct external IP address, that port forwarding is done to the correct local device IP, that the client has the correct settings, and so on. Furthermore, there is a log option on the client side. Have a look; maybe there is a hint why the connection could not be established.