PiVPN with Wireguard unreliable when IP changes?


I’ve been using PiVPN with Wireguard on DietPi for a couple of weeks now and it generally works great. However, each time my external IP changes, it somehow stops working.

I’ve set up dynamic DNS on my router and tested it. It’s updating correctly.
In my Wireguard config, I’ve set pivpnHOST to the subdomain from the dynamic DNS provider. I haven’t set up dynamic DNS on DietPi though.

What could this be caused by? I’m clueless.

I guess it has something to do with how your DDNS entry is updated. Ensure your client contains the correct DDNS domain and that it is updated correctly. It doesn’t matter how you set up dynamic DNS, as long as your system is reachable externally with the correct external IP. Check that your subdomain is updated as well.

I’ve checked my router, which in its web interface shows the current external IP, as well as the dynamic DNS provider, and dietpi with curl -s https://checkip.amazonaws.com. All three times the same IP was displayed.

The subdomain provided by the dynamic DNS provider is also correct in the Wireguard config.

As mentioned before, it always works when everything is set up fresh, but when the IP changes it breaks.

Thanks for your reply.

But this is not an issue of the Wireguard server installation, because the server doesn’t care about your external IP. It matters for the client only, as the client is the one who needs to resolve the DDNS correctly to be able to connect. Next time the issue happens, check the subdomain and which external IP address it has assigned. You can use a DNS lookup site like mxtoolbox.

OK, will do. Thanks.

Joulinar is correct, the problem comes not from your PiVPN, but from the connected client on the other side.
The way wireguard works, it only translates the DNS address when it starts up. Afterwards it keeps the same IP address as long as it’s up.

You can change the endpoint address manually in wireguard with the command:
wg set wg0 peer XXXX= endpoint dynamicaddress.domain.com

I added a crontab to do exactly this every night; at worst I need to wait 24 hours before a connection is re-established.

Theoretically you could have it running every hour or even less.
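
An added example, not part of the original posts: a shell script for the connecting peer that re-resolves the DDNS name and calls wg set only when the address actually changed, so it can run from cron more often than nightly. The interface, peer key, host name and port are placeholders (assumptions), and wg set expects the endpoint as host:port.

```shell
#!/bin/sh
# Added example: refresh a WireGuard peer endpoint after a DDNS change.
# All four values below are placeholders (assumptions), not from the thread.
WG_IF="${WG_IF:-wg0}"
PEER_KEY="${PEER_KEY:-PLACEHOLDER_PEER_PUBLIC_KEY=}"
DDNS_HOST="${DDNS_HOST:-dynamicaddress.domain.com}"
PORT="${PORT:-51820}"

# Read `wg show <if> endpoints` output on stdin (lines of "<pubkey> <ip>:<port>")
# and print the IPv4 address currently stored for the peer key in $1.
current_endpoint_ip() {
    awk -v key="$1" '$1 == key { sub(/:[0-9]+$/, "", $2); print $2 }'
}

# Resolve a host name to its first IPv4 address (glibc getent).
resolve_ipv4() {
    getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'
}

# $1 = address wg is using, $2 = freshly resolved address.
# Prints "skip" (DNS failed, leave the endpoint alone), "keep" or "update".
decide() {
    if [ -z "$2" ]; then
        echo skip
    elif [ "$1" = "$2" ]; then
        echo keep
    else
        echo update
    fi
}

refresh_endpoint() {
    cur=$(wg show "$WG_IF" endpoints | current_endpoint_ip "$PEER_KEY")
    new=$(resolve_ipv4 "$DDNS_HOST")
    case $(decide "$cur" "$new") in
        update)
            wg set "$WG_IF" peer "$PEER_KEY" endpoint "$new:$PORT"
            logger -t wg-refresh "endpoint changed: $cur -> $new" ;;
        skip)
            logger -t wg-refresh "could not resolve $DDNS_HOST, endpoint unchanged" ;;
    esac
}

# Only touch the tunnel when asked to, e.g. from root's crontab:
#   */15 * * * * /usr/local/sbin/wg-refresh.sh --apply
if [ "${1:-}" = "--apply" ]; then
    refresh_endpoint
fi
```

The logger lines leave a record in syslog of every endpoint change and every failed lookup, which helps when checking whether the DDNS record or the tunnel was at fault.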

That makes sense, however rebooting the Raspberry Pi didn’t solve my issue.

I don’t get it, since the “dynamicaddress.domain.com” never really changes. What’s the point of running this?

Thanks for your reply.

Which RPi do you mean? The one hosting the Wireguard server or the device being the client?

You need to run these commands on the “client” side, not on your RPi. No need to reboot the RPi.

You’re right that the name never changes, but as I said, Wireguard only looks up the name once. If your “server” (your RPi) changes its IP address and you update the dynamic name, Wireguard on the other side will not know that. You need the command to force it to look up the new IP address you just dynamically updated again.

PS: there is no notion of client/server in Wireguard, hence the “client” and “server” I wrote. Each machine is simply a peer.

This is not correct. You always have one server providing the peers a client could connect to. In your case, this is the PiVPN system. A server can’t connect to clients because it doesn’t know how to reach them. The connection is triggered by the client side only. Yes, in the end it is a peer, but it’s still a client/server setup.

Technically, you could say that the machine that waits for a connection is a “server”, and the other machine (who knows the IP address to connect to) is the client.
This is all just hairsplitting, because if you set up 2 machines that each know the other’s IP address, then they are peers. It’s not a traditional client/server architecture. Each machine can be a client and a server.
This page summarizes it well: Who is client and who is server in Wireguard? - TechOverflow

You can see it as you wish. Yes, it is true that the WireGuard application can have both roles depending on the active configuration. PiVPN is creating a server profile that is waiting for connections, but it can’t be used to connect to another side. For this, you would need to create your own/different configuration file that would need to be activated individually.

Oh sorry, the homelab one that’s hosting PiVPN & Wireguard.

Oh, I see. I don’t think I can run shell commands on my iPhone though.

The Raspberry Pi that hosts Wireguard is set up with a static IP address.

It doesn’t matter how the IP address is configured inside your local network. The external IP of your ISP router is the important one, as this is the address your clients are connecting to.