This is an automated archive.
The original was posted on /r/wireguard by /u/HarvsG on 2023-12-23 00:08:02+00:00.
I want to have a native WireGuard mesh for site-to-site connections (I currently use Tailscale but have performance issues and want to completely self-host).
However, most of the sites have a dynamic IP and I'd rather not give them all a public DDNS entry (because of reverse DNS lookups and whois searches). I have one cloud VPS with a static IP and Pi-hole installed.
Could I use the VPS to bootstrap the mesh by doing the following?
- Configure all members of the mesh to use the VPS as the DNS server.
- Configure fake DNS entries for each client that are somehow dynamically updated by a client when it connects to the VPS (I wonder if I could do this with the post-up command and an API call to Pi-hole).
```ini
# client1's own config: its tunnel address is 10.10.0.2, the VPS is 10.10.0.1
[Interface]
PrivateKey = client1privatekey
Address = 10.10.0.2/24
DNS = 10.10.0.1

# the VPS: static public IP, also serves DNS for the fake .vpn names
[Peer]
PublicKey = vpspublickey
PresharedKey = somepsk
AllowedIPs = 10.10.0.1/32
Endpoint = 123.456.78.9:51820

# other sites: Endpoint names are meant to be resolved by the Pi-hole on the VPS
# (peer tunnel addresses are .3 and .4 here; the original listed .2, which
# collides with this interface's own 10.10.0.2)
[Peer]
PublicKey = client2publickey
PresharedKey = someotherpsk
AllowedIPs = 10.10.0.3/32, 192.168.5.0/24
Endpoint = client2.somefakedomain.vpn:51820

[Peer]
PublicKey = client3publickey
PresharedKey = someother1psk
AllowedIPs = 10.10.0.4/32, 192.168.6.0/24
Endpoint = client3.somefakedomain.vpn:51820
```
- Then, when a new client x starts its connection, the following will happen in order:
  - It tries to connect to all peers; most connections will fail because the domain lookups will fail.
  - It will successfully connect to the VPS, as it exists at a static IP.
  - The post-up command will update the Pi-hole DNS entry on the VPS (clientx.somefakedomain.vpn) with its own external IP.
  - It will retry connections to the other peers, but now the DNS entries will be successfully resolved by the VPS Pi-hole DNS server.
  - All peer connections are successfully made.
  - ...
  - Profit?

Notes to self: PiHole API Endpoint

Edit: I'm gonna have issues with ports, aren't I? I'll have to open 51820 on each client....
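An added example (not from the post or from WireGuard/Pi-hole) of the VPS-side half of this idea: instead of each client pushing its own claimed address, the VPS reads the endpoints it has actually observed from `wg show <iface> endpoints` (one `<pubkey>\t<ip:port>` line per peer, `(none)` before the first handshake) and turns them into `IP domain` records. The `PEER_NAMES` mapping, the sample output and the `custom.list`-style output format are assumptions.

```python
"""Publish VPS-observed WireGuard peer endpoints as DNS records (added example)."""
import ipaddress
import re
import subprocess

# Assumed mapping: peer public key -> the fake name other sites use in Endpoint=.
PEER_NAMES = {
    "client2publickey": "client2.somefakedomain.vpn",
    "client3publickey": "client3.somefakedomain.vpn",
}

# Constructed sample of `wg show wg0 endpoints`: one peer behind NAT (rewritten
# port), one with no handshake yet, one IPv6 peer we have no name for.
SAMPLE_WG_OUTPUT = (
    "client2publickey\t198.51.100.23:40123\n"
    "client3publickey\t(none)\n"
    "unknownkey\t[2001:db8::5]:51820\n"
)

ENDPOINT_RE = re.compile(r"\[?([0-9a-fA-F.:]+)\]?:(\d+)")


def parse_endpoints(wg_output):
    """Map public key -> (ip, port) for peers that have completed a handshake."""
    result = {}
    for line in wg_output.splitlines():
        parts = line.split("\t")
        if len(parts) != 2 or parts[1] == "(none)":
            continue
        pubkey, endpoint = parts
        match = ENDPOINT_RE.fullmatch(endpoint)
        if not match:
            continue
        host, port = match.group(1), int(match.group(2))
        ipaddress.ip_address(host)  # reject anything that is not an IP literal
        result[pubkey] = (host, port)
    return result


def dns_records(endpoints, names=PEER_NAMES):
    """'IP domain' lines (assumed Pi-hole custom.list style) for known peers only.
    Only the address the VPS itself saw is published, never a client-supplied one."""
    return [f"{host} {names[pk]}" for pk, (host, _port) in endpoints.items() if pk in names]


if __name__ == "__main__":
    live = subprocess.run(["wg", "show", "wg0", "endpoints"],
                          capture_output=True, text=True, check=True).stdout
    print("\n".join(dns_records(parse_endpoints(live))))
```

A DNS record cannot carry the port, so a NAT-rewritten source port like 40123 above still has to be forwarded or pinned on each site; the parsed port is kept so it can be published by other means.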