Endpoint failover ip

Daniel Gröber dxld at darkboxed.org
Mon Jul 31 22:27:44 UTC 2023

Hi Daniel,

On Mon, Jul 31, 2023 at 11:39:35PM +0200, Daniel wrote:
> I created a hostname with a few IPs (v4 & v6) for my wireguard server. I faced
> a problem today: after a failure of the IP a customer's wg was
> registered with, it continues to try to register with this IP instead of falling back
> to another one.

Your message is hard to parse, but I think you're having the same v4/v6
failover problem as me. See my patch "wg: Support restricting address
family of DNS resolved Endpoint":


which has yet to get any attention from Jason unfortunately.

The headline is this: wireguard doesn't support multiple endpoints, so you
have to be careful with how you set up your host records. At the moment you
can't just throw multiple IPs in there and hope for the best. Wg will stick
to whatever IP the system picks when the tunnel comes up.

> Is there a way to avoid this problem and to get failover working properly
> with wireguard ?

There isn't any wg-native solution[1] right now, only hacky
workarounds. You basically need one wg tunnel per unique endpoint, but once
you do that routing becomes an issue. Plain static routes won't cut it
anymore. On top of that, using an endpoint domain with multiple IPs is a
problem. Things are easier if you stick to one IP per domain or just
hardcode one endpoint IP for each of the many tunnels.

[1]: Supporting multiple active endpoints is where we have to head to fix
this properly IMO, see my recent proposal

Anyway, with the many wg tunnels one could then write a script to ping
through the tunnels and switch the appropriate route to the one that
responds. This has to happen at both ends of the tunnel. Personally, I
just use an easy-to-set-up routing daemon (babeld) to do that.


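As an added illustration of the "one tunnel per endpoint plus a ping script" workaround described above (this is not the author's script and not part of WireGuard), a minimal failover check that probes each tunnel in preference order and repoints one route at the first tunnel whose peer answers, keeping the current tunnel while it still answers so the route does not flap. The interface names wg0/wg1, the peers' inner addresses, and the 192.0.2.0/24 route are assumptions for illustration; it would run from cron or a timer on both ends.

```shell
#!/bin/sh
# Added example: choose the first reachable wg tunnel and point a route at it.
# Tunnel names, peer addresses and the routed prefix below are assumptions.

# Tunnels in preference order; each carries a different Endpoint IP.
TUNNELS="wg0 wg1"

# Inner address of the peer on each tunnel (assumed values).
peer_addr() {
    case "$1" in
        wg0) echo 10.0.0.1 ;;
        wg1) echo 10.0.1.1 ;;
    esac
}

# One ICMP probe through the named tunnel; exit status 0 when the peer answers.
# Redefined by the test with a mock so the decision logic runs offline.
probe() {
    ping -c 1 -W 2 -I "$1" "$(peer_addr "$1")" >/dev/null 2>&1
}

# Print the tunnel to use. $1 is the currently routed tunnel (may be empty).
# A still-working current tunnel wins, so a brief blip elsewhere cannot
# pull the route back and forth. Exit status 1 when nothing is reachable.
choose_tunnel() {
    current="$1"
    if [ -n "$current" ] && probe "$current"; then
        echo "$current"
        return 0
    fi
    for t in $TUNNELS; do
        if probe "$t"; then
            echo "$t"
            return 0
        fi
    done
    return 1
}

# Repoint the route for the remote network at the chosen tunnel (assumed prefix).
switch_route() {
    ip route replace 192.0.2.0/24 dev "$1"
}

# One failover cycle when invoked as: sh failover.sh run
if [ "$1" = "run" ]; then
    cur=$(ip route show 192.0.2.0/24 | sed -n 's/.*dev \([^ ]*\).*/\1/p')
    new=$(choose_tunnel "$cur") || { echo "no tunnel reachable" >&2; exit 1; }
    [ "$new" = "$cur" ] || switch_route "$new"
fi
```

The same script must run at the peer as well, since the route on the far side has to follow the tunnel that is actually passing traffic.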