
@ephemient
Last active December 31, 2018 22:59
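#!/bin/bash
# Re-apply the configured endpoint of WireGuard peers whose last handshake is
# stale, so that `wg set` resolves the endpoint host name again.
#
# Peer public keys and endpoints are read from the [WireGuardPeer] sections of
# a systemd-networkd .netdev file. Only the exact `PublicKey=...` and
# `Endpoint=...` forms (no spaces around `=`) are recognised.
#
# Environment:
#   IFACE        WireGuard interface name (default: wg0)
#   CONFIG_FILE  .netdev file to parse
#                (default: /etc/systemd/network/90-${IFACE}.netdev)
#   BASE_TIME    epoch seconds; peers whose latest handshake is older than
#                this are refreshed (default: 5 minutes ago)
set -euo pipefail

declare -r IFACE=${IFACE:-wg0}
declare -r CONFIG_FILE=${CONFIG_FILE:-/etc/systemd/network/90-${IFACE}.netdev}

# Assign before marking read-only so a failing `date` is not masked by
# `declare`'s own exit status.
BASE_TIME=${BASE_TIME:-$(date -d '5 minutes ago' +%s)}
declare -r BASE_TIME

# BASE_TIME is later used in an arithmetic context, where bash evaluates
# variable contents recursively. Accept only a plain non-negative integer so
# an unexpected environment value cannot be evaluated as an expression.
if [[ ! ${BASE_TIME} =~ ^[0-9]+$ ]]; then
  printf 'BASE_TIME must be an integer epoch timestamp, got: %s\n' \
    "${BASE_TIME}" >&2
  exit 2
fi

# PEERS maps a peer's public key to the endpoint configured for it.
declare -A PEERS=()
declare PEER_SECTION='' PUBLIC_KEY='' ENDPOINT=''

# `read` with the default IFS trims surrounding whitespace from each line;
# the `|| [[ -n ... ]]` keeps a final line that lacks a trailing newline.
while read -r line || [[ -n ${line} ]]; do
  if [[ ${PEER_SECTION} -eq 1 && ${line} == PublicKey=* ]]; then
    PUBLIC_KEY=${line#PublicKey=}
  elif [[ ${PEER_SECTION} -eq 1 && ${line} == Endpoint=* ]]; then
    ENDPOINT=${line#Endpoint=}
  elif [[ ${line} == \[* ]]; then
    # A new section header closes the previous one: record the peer that was
    # being collected, if it had both a key and an endpoint.
    if [[ ${PEER_SECTION} -eq 1 && -n ${PUBLIC_KEY} && -n ${ENDPOINT} ]]; then
      PEERS[${PUBLIC_KEY}]=${ENDPOINT}
    fi
    if [[ ${line} == '[WireGuardPeer]' ]]; then
      PEER_SECTION=1
    else
      PEER_SECTION=''
    fi
    PUBLIC_KEY='' ENDPOINT=''
  fi
done <"${CONFIG_FILE}"

# The last section has no following header, so flush it here.
if [[ ${PEER_SECTION} -eq 1 && -n ${PUBLIC_KEY} && -n ${ENDPOINT} ]]; then
  PEERS[${PUBLIC_KEY}]=${ENDPOINT}
fi

# The pipeline's right-hand side runs in a subshell, which still sees a copy
# of PEERS. With pipefail, a failing `wg show` fails the script.
wg show "${IFACE}" latest-handshakes | while read -r PUBLIC_KEY TIME; do
  [[ -n ${PUBLIC_KEY} ]] || continue

  # Look up the endpoint configured for THIS peer. Without the lookup the loop
  # would reuse whatever ENDPOINT the config parser left behind, applying one
  # peer's endpoint to every stale peer (or skipping all of them).
  ENDPOINT=${PEERS[${PUBLIC_KEY}]:-}
  [[ -n ${ENDPOINT} ]] || continue

  # Skip malformed lines instead of evaluating them arithmetically.
  [[ ${TIME} =~ ^[0-9]+$ ]] || continue
  ((TIME < BASE_TIME)) || continue

  # Trace the command (-x) and tolerate a failure for a single peer so the
  # remaining peers are still processed.
  (set +e -x; wg set "${IFACE}" peer "${PUBLIC_KEY}" endpoint "${ENDPOINT}") || :
done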
[Unit]
Description=Reresolve Wireguard peer address (%i)
[Service]
Type=oneshot
Environment=IFACE=%i
ExecStart=/etc/systemd/scripts/wg-reresolve-dns
Description=Reresolve Wireguard peer address (%i)
[Timer]
OnCalendar=minutely
[Install]
WantedBy=timers.target