Changing WireGuard Endpoint IP in NG Firewall


WireGuard creates tunnel configs using the IP address or hostname currently assigned to its lowest-numbered WAN interface. If your NGFW has multiple WAN interfaces or aliases and you would prefer to use a different address for your remote clients to connect to, you have two options. The most straightforward way is to change the NGFW's use hostname setting, but you can also manually edit the tunnel config on the remote client itself.

Changing Hostname Setting

Go to Config > Network > Hostname and select the last option on the page, Use Manually Specified Address. Fill in the IP/Hostname field with the IP address you would like WireGuard to use as the endpoint. Leave the Port field set to 443 (unless you have changed the NGFW's HTTPS service port).


Next, go to Apps > WireGuard VPN > Status. Turn the app off and back on to force WireGuard to pull the desired address. You can verify that the setting has applied by editing a client config in the Tunnels tab:



Editing Remote Client Config

If the config has already been deployed to the client, you can just edit the configuration in place. This may be simpler than making the above change and redeploying the client config, but it does require you to make the change on each remote client.

On the remote client, open the WireGuard client app and select the tunnel you would like to change. Click the Edit button at the bottom right-hand corner, then locate the entry Endpoint under the section [Peer]. Change that attribute to the appropriate IP or hostname.


Was this article helpful?
1 out of 1 found this helpful
Have more questions? Submit a request



Please sign in to leave a comment.

Powered by Zendesk