OpenBSD wireguard DynDNS IP check

Tuesday, July 20th 2021

If you have wireguard server peer with dynamic ip address you should know, that wireguard resolve peer DNS name just once, during tunnel startup.

So you should check peer address regularly and update it, otherwise tunnel will fail after some time.

There a some scripts to solve this problem, but some are complicate and does not work, some are for different platforms (links below).

I found simple solution and finetune this to use ounder OpenBSD system (doas).

So to the point...

Every Wireguard peer has following structure in tunnel configuration:

PublicKey = z9AjVWvXVA2xyReRb6sggrE+M5YilIEplYMJHHLp/nw=
AllowedIPs =, ::/0
Endpoint =

To check IP of this peer you can use this command in OpenBSD:

doas wg show wg0-client endpoints | grep -E "HHLp/nw=" | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}"

To check and update peer IP you can use following script:

# IP address validation for specified peers
# wg0: Wireguard interface device
# dns peer address to resolve
# cip - define part of peer public key, also insert peer poublic key in wg set command
#based on:
#modified for *bsd systems
cip=$(doas wg show wg1 endpoints | grep -E "HHLp/nw=" | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}")   
echo "$cip"
digIP=$(dig +short # The address of the peer must be adapted
   echo "$digIP"
     if [ "$digIP" != "$cip" ]
          echo "IP addresses are different"
          doas wg set wg1 peer z9AjVWvXVA2xyReRb6sggrE+M5YilIEplYMJHHLp/nw= endpoint
    echo "DNS name doesn't change"
    #we do nothing ;-)

Above script should be triggered on regular intervals from crontab.

This is based on following article:

Other scripts:


CoreDNS plugin:


Native solution , but too complicated ;-)

Other solution, based on latest-handshake time detection: