
Wireguard allow use of hostname as endpoint
Closed, Wontfix | Public | FEATURE REQUEST

Description

The current implementation of Wireguard in VyOS does not allow the use of a hostname as the endpoint for the VPN tunnel.

This should be supported in VyOS, as the default implementation of Wireguard on all other platforms (Windows, Mac, Linux and Android) supports it.

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Behavior change

Event Timeline

runar claimed this task.
runar added a subscriber: runar.

This is disallowed by design by the VyOS team. The reason for this is partly the configuration order used by VyOS and partly how the DNS lookup is handled by Wireguard.
Yes, the wg configuration utility DOES handle DNS lookups, but NO, Wireguard does not handle them. This means that the DNS lookup is done once (and only once) when the wg command is executed on creation of the tunnel, and the resulting IP is then stored in Wireguard. This results in the DNS lookup failing after a reboot of the VyOS device, because it can't resolve the DNS name of the endpoint at that point (this is done before routing is enabled on the device).

For more information see here: https://forum.vyos.io/t/wireguard-doesnt-allow-use-of-dns-for-remote-peer-endpoint/5314 and https://phabricator.vyos.net/T1700

I will close this as wontfix, as this needs a redesign in Wireguard to be allowed.

As a workaround you could add this to a post-boot script on the device.

In T2943#76739, @runar wrote:

As a workaround you could add this to a post-boot script on the device.

And do custom scripts on my VyOS instance to set a static hostname? Sorry, but can you hear how backwards that is?

You want to make a compelling NOS but not add compelling features such as fail2ban, QR codes for Wireguard, hostname endpoints for Wireguard, etc.
I keep running into inconsistencies between routers that were updated and newly spun-up routers with the same software acting differently, despite being on the same hypervisor, same hardware, same everything, except that one was spun up 6 months ago and updated and the other was spun up today and runs the same software versions.

I get that this is an open source project, and I get that you guys are spending loads of time, your own free time as well.
But when I see multiple Phabricator requests and multiple forum posts for the same thing that get #wontfix, and you still don't consider it for a future release, then how is this a community more than Netgate is a community with pfSense? Or Ubiquiti, for that matter?
I have truly started losing faith in this project today and will start looking for alternatives, as this is getting to the point of ridiculousness for me.

Trying to configure a Wireguard peer with a DNS name as the remote endpoint. I understand this is not supported, but I see many references to creating a post-boot script to do this. Any working examples? Thank you
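Since the last comment asks for a working example of the post-boot workaround runar describes above, here is one written for this page (it is not VyOS project code): it polls until the peer's hostname resolves, which is the step that fails when the config is applied before routing is up, and only then pushes the address with `wg set`. The interface name `wg01`, the peer public key and the hostname are placeholders; it assumes glibc's `getent` and the `wg` tool are present, IPv4 only, and that it is called with `--apply` from VyOS's post-config boot hook (`/config/scripts/vyos-postconfig-bootup.script`).

```shell
#!/bin/sh
# Added example, not VyOS project code: re-resolve a peer's DNS endpoint after
# boot and push it with `wg set`, retrying until DNS works. Interface name,
# peer key and hostname below are placeholders; port 51820 is assumed.
WG_IFACE="wg01"
PEER_PUBKEY="PLACEHOLDER_PEER_PUBLIC_KEY="
PEER_HOST="vpn.example.invalid"   # constructed placeholder hostname
PEER_PORT="51820"

# Exit 0 when $1 is a dotted-quad IPv4 address (IPv6 endpoints not handled here).
is_ipv4() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the first IPv4 address for hostname $1, or nothing if unresolvable.
resolve_ipv4() { getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'; }

# Poll resolver $4 (default resolve_ipv4) for host $1, up to $2 tries, $3 seconds apart.
wait_for_resolution() {
    n=0; resolver=${4:-resolve_ipv4}
    while [ "$n" -lt "$2" ]; do
        addr=$("$resolver" "$1") || addr=""
        if is_ipv4 "$addr"; then printf '%s\n' "$addr"; return 0; fi
        n=$((n + 1)); sleep "$3"
    done
    return 1
}

endpoint_string() { printf '%s:%s\n' "$1" "$2"; }

# Endpoint currently configured for peer $2 on interface $1 (wg prints "key<TAB>endpoint").
current_endpoint() { wg show "$1" endpoints | awk -v k="$2" '$1 == k { print $2 }'; }

main() {
    addr=$(wait_for_resolution "$PEER_HOST" 30 10) || { echo "DNS for $PEER_HOST never resolved" >&2; exit 1; }
    want=$(endpoint_string "$addr" "$PEER_PORT")
    have=$(current_endpoint "$WG_IFACE" "$PEER_PUBKEY")
    # Only touch the tunnel when the address actually changed.
    [ "$have" = "$want" ] || wg set "$WG_IFACE" peer "$PEER_PUBKEY" endpoint "$want"
}

# Run with --apply from /config/scripts/vyos-postconfig-bootup.script
if [ "${1:-}" = "--apply" ]; then main; fi
```

`wg set` changes are not persisted by VyOS, which is why this has to run after every boot; running it again from cron would also pick up a changed DNS record, which the one-time lookup described above never does.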