December 28, 2024

So, I'm setting up WireGuard with the built-in VPN tool in Settings. In the tunnel settings, the peer endpoint is pre-populated with the WAN IP address, so I assume this gets updated when my ISP hands out a new IP in the future. However, what about the client side? I have a domain whose DNS is managed by and with Cloudflare. The A entry is updated several times per day by a Cloudflare DDNS docker container. So, which domain can I make use of in the client peer endpoint setting, such that the client always points to my Unraid server? (Simply entering my domainname.org:<port> doesn't work, as the domain name resolves to a Cloudflare IP address.)

EDIT: Just figured out after posting: a new CNAME (arbitrarily called DDNS), which is NOT proxied (DNS only), can be added in the Cloudflare DNS settings, and it works perfectly in the client settings. I'm only wondering if this is somehow a less-than-secure way of accomplishing this.

Edited December 28, 2024 by floepie05
December 29, 2024  Community Expert  Solution

Yes, WireGuard works perfectly with Fully Qualified Domain Names (FQDN) as the peer endpoint. This is a common setup for dynamic DNS (DDNS) configurations, where the server's IP address may change due to the ISP. Here's how it works, and some considerations regarding security.

How FQDN Works in WireGuard

WireGuard will resolve the FQDN to an IP address when the tunnel is initiated. If the IP address changes during an active session, WireGuard won't automatically re-resolve the FQDN. A manual restart of the tunnel or rekeying is required to update the endpoint IP address.

Using a Cloudflare DDNS + CNAME for WireGuard

Your approach with a non-proxied (DNS only) CNAME record is correct. Here's why, and what to check:

Advantages:
- Dynamic IP Support: By pointing your client to the FQDN (e.g., ddns.yourdomain.com), it will always resolve to your Unraid server's updated WAN IP.
- Direct Connection: A non-proxied (DNS-only) CNAME avoids Cloudflare's CDN and proxies, allowing the WireGuard client to reach your server directly.

Security Considerations:
- Non-Proxied Exposure: Since the CNAME is set to DNS-only, your server's WAN IP address is directly exposed. This is necessary for WireGuard but increases exposure to potential scanning and attacks.
  - Mitigation: Use a strong WireGuard private/public key setup. Only authorized peers with the correct keys can establish a connection.
- TLS vs. WireGuard: Unlike HTTPS behind a Cloudflare proxy, WireGuard handles encryption at the network layer. It doesn't rely on Cloudflare for security, so the lack of proxying does not reduce WireGuard's security.
- DNS Security: Ensure that the DNS settings for your Cloudflare domain are properly secured (e.g., strong API keys, two-factor authentication). This prevents an attacker from modifying DNS records.
Alternative Approach: If you're concerned about exposing your WAN IP:
- Consider using a dedicated subdomain for WireGuard, e.g., vpn.yourdomain.com, to avoid using the main domain's records.
- Set up Cloudflare Zero Trust (if you want additional security layers) to protect DNS changes or other services.
- nginx reverse proxy server...

Review your steps and configure WireGuard with FQDN:
1. Set up a non-proxied (DNS-only) CNAME or A record in Cloudflare for your dynamic IP. Example: CNAME: ddns.yourdomain.com → <dynamic IP updated by DDNS container>
2. Use this domain (e.g., ddns.yourdomain.com:<port>) in your WireGuard client configuration as the Peer Endpoint.
3. Ensure your DDNS Docker container updates the A record reliably. (Commands like dig and nslookup can be useful here.)

It sounds like you found the area to set....

Edited December 29, 2024 by bmartino1: forum posted before full data written...