OpenBSD wireguard DynDNS IP check

Tuesday, July 20th 2021

If you have a WireGuard server peer with a dynamic IP address you should know that WireGuard resolves the peer's DNS name just once, when the tunnel starts.

So you should check the peer's address regularly and update it, otherwise the tunnel will fail after some time.

There are some scripts to solve this problem, but some are complicated and do not work, and some are for different platforms (links below).

I found a simple solution and fine-tuned it to work under OpenBSD (with doas).

So, to the point...

Every WireGuard peer has the following structure in the tunnel configuration:

[Peer]
PublicKey = z9AjVWvXVA2xyReRb6sggrE+M5YilIEplYMJHHLp/nw=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = mypeer.dyndns.net:51820

To check the IP of this peer you can use this command in OpenBSD:

doas wg show wg0-client endpoints | grep -E "HHLp/nw=" | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}"

To check and update the peer IP you can use the following script:

#!/usr/local/bin/bash
# IP address validation for the specified peer
# wg0: WireGuard interface device
# mypeer.dyndns.net: DNS name of the peer to resolve
# cip: the grep pattern is the tail of the peer's public key; the full
#      public key is also used in the wg set command below
# Based on: https://www.tech-blogger.net/en/wireguard-peer-ip-check/
# Modified for *BSD systems (doas instead of sudo)

# Endpoint address wg currently uses for this peer (IPv4 only)
cip=$(doas wg show wg0 endpoints | grep -E "HHLp/nw=" | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}")
echo "$cip"

# Address the DNS name resolves to now; adapt the name to your peer.
# Note: if dig prints more than one line (CNAME plus A record, several
# A records) the comparison below never matches and wg set runs every time.
digIP=$(dig +short mypeer.dyndns.net)
echo "$digIP"

if [ "$digIP" != "$cip" ]
then
    echo "IP addresses are different"
    # Setting the endpoint again makes wg resolve the DNS name anew
    doas wg set wg0 peer z9AjVWvXVA2xyReRb6sggrE+M5YilIEplYMJHHLp/nw= endpoint mypeer.dyndns.net:51820
else
    echo "DNS name has not changed"
    # we do nothing ;-)
fi

The above script should be triggered at regular intervals from crontab.
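As an added example (not the post's own script), here is a stricter variant of the same check in POSIX sh. It goes beyond the original by matching the peer's full public key, handling IPv6 endpoints and accepting several answers from dig; the interface name, peer key, host name and port are assumed values.

```shell
#!/bin/sh
# Added example, not the original post's script: a stricter variant of the
# check above. It matches the peer's full public key instead of a fragment,
# handles IPv6 endpoints ("[addr]:port") and "(none)", and accepts several
# resolved addresses (dig +short may print a CNAME line plus A/AAAA records).
# Interface, peer key, host and port are assumed values for illustration.
IFACE="wg0"
PEER_KEY="z9AjVWvXVA2xyReRb6sggrE+M5YilIEplYMJHHLp/nw="
PEER_HOST="mypeer.dyndns.net"
PEER_PORT="51820"

# endpoint_addr KEY: reads "wg show IFACE endpoints" output on stdin and prints
# the address part of that peer's endpoint (nothing if absent or "(none)").
endpoint_addr() {
    awk -F '\t' -v key="$1" '
        $1 == key && $2 != "(none)" {
            ep = $2
            if (ep ~ /^\[/) { ep = substr(ep, 2, index(ep, "]") - 2) }  # [v6]:port
            else { sub(/:[0-9]+$/, "", ep) }                             # v4:port
            print ep
        }'
}
# Keep only literal IPv4/IPv6 lines, dropping CNAME targets that dig +short prints.
filter_literal_ips() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$|^[0-9A-Fa-f:]+$'
}
resolved_addrs() {
    { dig +short "$1" A; dig +short "$1" AAAA; } 2>/dev/null | filter_literal_ips
}

# endpoint_stale CURRENT_ADDR RESOLVED_ADDR...: returns 0 if wg set is needed.
endpoint_stale() {
    cur="$1"; shift
    [ -n "$cur" ] || return 0                          # no endpoint yet: set it
    printf '%s\n' "$@" | grep -qxF -- "$cur" && return 1
    return 0
}

main() {
    cur=$(doas wg show "$IFACE" endpoints | endpoint_addr "$PEER_KEY")
    set -- $(resolved_addrs "$PEER_HOST")
    [ $# -gt 0 ] || { echo "DNS lookup for $PEER_HOST failed, keeping endpoint" >&2; return 1; }
    if endpoint_stale "$cur" "$@"; then
        echo "endpoint '$cur' not among DNS answers ($*), re-setting"
        doas wg set "$IFACE" peer "$PEER_KEY" endpoint "$PEER_HOST:$PEER_PORT"
    fi
}
# Act only with --run (e.g. from cron) so the functions can be sourced and tested.
case "${1-}" in --run) main ;; esac
```

Call it from crontab with the --run argument; without it the file only defines the functions.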

This is based on the following article:

https://www.tech-blogger.net/en/wireguard-peer-ip-check/

Other scripts:

OpenWRT:

https://git.openwrt.org/?p=openwrt/openwrt.git;a=blob;f=package/network/services/wireguard/files/wireguard_watchdog;h=5fbbeafec133bb3c6ed9661cdd383ca923472cad;hb=20c4819c7baf6f9b91420849caf30e5137bd75d6

CoreDNS plugin:

https://coredns.io/explugins/wgsd/

Linux:

https://wiki.ubuntuusers.de/WireGuard/#Probleme-mit-der-dynamischen-IP

Native solution, but too complicated ;-)

https://git.zx2c4.com/wireguard-tools/tree/contrib/reresolve-dns/reresolve-dns.sh

Another solution, based on latest-handshake time detection:

https://github.com/pvcbe/systemd-wireguard-refresh