Wireguard - does it work with FQDN as peer endpoint?

So, I'm setting up Wireguard with the built-in VPN tool in settings.  In the tunnel settings, the peer endpoint is pre-populated with the WAN IP address, so I assume this gets updated when my ISP hands out a new IP in the future.  However, what about the client side?  

I have a domain whose DNS is managed by and with Cloudflare.  The A entry is updated several times per day by a Cloudflare DDNS docker container. 

So, which domain can I make use of in the client peer endpoint setting, such that the client always points to my Unraid server?  (Simply entering my domainname.org:<port> doesn't work, as the domain name resolves to a Cloudflare IP address.)

EDIT:  Just figured out after posting: adding a new CNAME (arbitrarily called DDNS) in the Cloudflare DNS settings which is NOT proxied (DNS only) works perfectly in the client settings.  I'm only wondering if this is somehow a less-than-secure way of accomplishing this.

Edited by floepie05

Solved by bmartino1


Yes, WireGuard works perfectly with Fully Qualified Domain Names (FQDN) as the peer endpoint. This is a common setup for dynamic DNS (DDNS) configurations, where the server’s IP address may change due to the ISP.

Here’s how it works and considerations regarding security.

How FQDN Works in WireGuard

WireGuard will resolve the FQDN to an IP address when the tunnel is initiated.

If the IP address changes during an active session, WireGuard won't automatically re-resolve the FQDN. A manual restart of the tunnel or rekeying is required to update the endpoint IP address.

Using a Cloudflare DDNS + CNAME for WireGuard

Your approach with a non-proxied (DNS only) CNAME record is correct. Here’s why and what to check:

Advantages:

Dynamic IP Support: By pointing your client to the FQDN (e.g., ddns.yourdomain.com), it will always resolve to your Unraid server’s updated WAN IP.

Direct Connection: A non-proxied (DNS-only) CNAME avoids Cloudflare’s CDN and proxies, allowing the WireGuard client to reach your server directly.

Security Considerations:

Non-Proxied Exposure: Since the CNAME is set to DNS-only, your server’s WAN IP address is directly exposed. This is necessary for WireGuard but increases exposure to potential scanning and attacks.
-- Mitigation: Use a strong WireGuard private/public key setup. Only authorized peers with the correct keys can establish a connection.

TLS vs. WireGuard: Unlike HTTPS behind a Cloudflare proxy, WireGuard handles encryption at the network layer. It doesn’t rely on Cloudflare for security, so the lack of proxying does not reduce WireGuard’s security.

DNS Security: Ensure that the DNS settings for your Cloudflare domain are properly secured (e.g., strong API keys, two-factor authentication). This prevents an attacker from modifying DNS records.

Alternative Approach:

If you’re concerned about exposing your WAN IP:

Consider using a dedicated subdomain for WireGuard, e.g., vpn.yourdomain.com, to avoid using the main domain’s records.

Set up Cloudflare Zero Trust (if you want additional security layers) to protect DNS changes or other services.

nginx reverse proxy server...

Review your steps and Configure WireGuard with FQDN:

Set up a non-proxied (DNS-only) CNAME or A record in Cloudflare for your dynamic IP. Example:

CNAME: ddns.yourdomain.com → <dynamic IP updated by DDNS container>

Use this domain (e.g., ddns.yourdomain.com:<port>) in your WireGuard client configuration as the Peer Endpoint.

Ensure your DDNS Docker container updates the A record reliably. (Commands like dig and nslookup can be useful here.)

It sounds like you found the area to set....

Edited by bmartino1: forum posted before full data writing...
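The check the answer points at with dig and nslookup, and the proxied-versus-DNS-only distinction behind the opening post's problem, as an added Python example. This is not code from the thread, from Unraid or from WireGuard's own tooling; the hostnames (ddns.example.org, proxied.example.org), the placeholder keys and the addresses (203.0.113.10 standing in for the server's WAN IP, 198.51.100.7 for a CDN edge) are all constructed. It pulls the Endpoint host out of a client config, resolves it, and reports whether the name actually lands on the WAN IP the DDNS container last published; a proxied Cloudflare record or a stale DDNS update both show up as a mismatch.

```python
"""Verify that a WireGuard client's FQDN endpoint points straight at the
server's WAN address, i.e. that the Cloudflare record is DNS-only and the
DDNS update is current.  Added example for this thread, not Unraid's or
WireGuard's own tooling; all names, keys and addresses are constructed."""
import ipaddress
import socket
from typing import Callable

Resolver = Callable[[str], str]

# Constructed sample WireGuard client config; the keys are placeholders.
SAMPLE_CLIENT_CONF = """\
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 10.253.0.2/32

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
Endpoint = ddns.example.org:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
"""


def parse_endpoint(conf_text: str) -> tuple[str, int]:
    """Return (host, port) from the first Endpoint line of a wg config.
    Accepts hostnames, IPv4 literals and bracketed IPv6 literals."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "endpoint":
            host, _, port = value.strip().rpartition(":")
            return host.strip("[]"), int(port)
    raise ValueError("no Endpoint line found")


def table_resolver(table: dict[str, str]) -> Resolver:
    """Offline stand-in for DNS: a name->IP table that raises the same
    error class as socket.gethostbyname() when a name is unknown."""
    def resolve(host: str) -> str:
        try:
            return table[host]
        except KeyError:
            raise socket.gaierror(f"{host}: name not known") from None
    return resolve


def check_endpoint(host: str, expected_wan_ip: str,
                   resolver: Resolver = socket.gethostbyname) -> dict:
    """Resolve the endpoint hostname and compare it with the WAN IP the DDNS
    container last published.  status is 'ok' when they match, 'mismatch'
    when the name points somewhere else (a proxied Cloudflare record, or a
    stale DDNS update) and 'unresolvable' when the lookup fails."""
    try:
        resolved = resolver(host)
    except OSError as exc:                        # socket.gaierror is an OSError
        return {"host": host, "status": "unresolvable", "error": str(exc)}
    same = ipaddress.ip_address(resolved) == ipaddress.ip_address(expected_wan_ip)
    return {"host": host, "resolved": resolved, "expected": expected_wan_ip,
            "status": "ok" if same else "mismatch"}


if __name__ == "__main__":
    host, port = parse_endpoint(SAMPLE_CLIENT_CONF)
    # Constructed DNS answers: the DNS-only record returns the WAN IP
    # (203.0.113.10); the proxied record returns an unrelated edge address.
    demo_dns = table_resolver({"ddns.example.org": "203.0.113.10",
                               "proxied.example.org": "198.51.100.7"})
    for name in (host, "proxied.example.org", "missing.example.org"):
        print(check_endpoint(name, "203.0.113.10", demo_dns))
    # Against real DNS, drop the resolver argument:
    #   check_endpoint(host, "<your current WAN IP>")
```

Run it periodically on the client side against real DNS (omit the resolver argument) and the moment it reports a mismatch after a session was already up, you are in the case the answer describes: WireGuard resolved the name once at tunnel start, so the tunnel has to be restarted for the new address to take effect.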
