Add an Endpoint

Once you have added an interface to a host, you can add one or more endpoints to the interface. Each endpoint represents an allowed connection through the interface to a remote peer.

What is a WireGuard Endpoint?

The combination of IP address and port (such as 192.0.2.1:51820) to which traffic for a member of a WireGuard network is sent. From the perspective of a host, an endpoint is the remote side of its connection to another member.

See the Terminology page for a fuller explanation.

Add Endpoint Page

Follow these steps to navigate to the Add Endpoint page for an interface:

  1. Click the Hosts link in the app header.

  2. Find the host containing the interface in the list, and click its name to view the host’s main status page.

  3. Find the interface in the Interfaces panel, and click its name to view the interface’s main status page.

  4. Click the “plus” icon on the right side of the Endpoints panel.

Peer

Select the peer identity which can be accessed at this endpoint, either by entering the name of a peer already added to Pro Custodibus in the Peer field, or by adding a new peer by clicking the New button next to the Peer field. This peer represents the public key pair used by a remote host to authenticate itself to this host (and corresponds to the “PublicKey” setting in a wg-quick-style configuration file).

You can type part of a name in the Peer field to filter the displayed list of peers from which to choose. Use the up and down arrow keys to highlight a peer from the list, and use the tab or enter key to select the highlighted peer. Only peers not already used by another endpoint of this interface will be listed.

If you click the New button next to the Peer field, an Add Peer dialog will appear, allowing you to register a new peer identity with Pro Custodibus. You can use then select this peer to use as the remote identity for the endpoint.

Hostname

Optionally enter the remote hostname or IP address to which this interface should connect, like “vpn.example.com” or “192.0.2.1”, in the Hostname field (this corresponds to the hostname portion of the “Endpoint” setting in a wg-quick-style configuration file).

You only need to set the hostname on one side of a WireGuard connection — either on the endpoint from this host to the remote host, or the corresponding endpoint from the remote host to this host. If the remote host has a static DNS name or IP address, enter it here.

Port

If you entered a hostname or IP address in the Hostname field, enter the destination UDP port on that remote host, like “51820”, in the Port field (this corresponds to the port portion of the “Endpoint” setting in a wg-quick-style configuration file). Otherwise leave this field blank.

Persistent Keepalive

Optionally enter the number of seconds between keepalive packets to send to the endpoint, like “25”, in the Persistent Keepalive field. Leave blank to not send keepalive packets.

If there is a stateful firewall that doesn’t allow new inbound connections to this host (such as a firewall doing NAT, Network Address Translation) sitting between this host and the remote endpoint, and you want to allow the remote endpoint to initiate new inbound connections to this host (for example, to SSH from the remote endpoint into the host), you will need Persistent Keepalive. A value of “25” (seconds) usually works well for this purpose.

Preshared Key

Optionally enter a randomly-generated, base64-encoded 256-bit key, like “/UwcSPg38hW/D9Y3tcS1FOV0K1wuURMbS0sesJEP5ak=”, in the Preshared Key field. Leave blank to not use a preshared key for this endpoint.

While there are no known practical issues with WireGuard’s cryptography, preshared keys can be used to hedge against potential future issues, such as the ability of quantum computers to break elliptic-curve cryptography. Additionally, preshared keys can mitigate some of WireGuard’s key rotation and management complexities; for example, you may find it easier to frequently rotate preshared keys (which are simply shared secrets between two endpoints) rather than the public key pairs (which are used to identify peers globally).

The preshared key value configured for this endpoint must match exactly the preshared key value for the corresponding endpoint on the remote host.

If the remote host is also monitored by Pro Custodibus, and you have already set up a corresponding endpoint on the remote host with a preshared key, and that key is stored by Pro Custodibus, Pro Custodibus will automatically use that key for this endpoint too (so you will not have to enter it here). If the corresponding endpoint is configured with a preshared key, but that key is not stored by Pro Custodibus, the UI will display the SHA-256 hash for the key, so you can verify that you’ve entered the same key in this endpoint’s Preshared Key field.

If you’ve not set up the corresponding endpoint on the remote host yet, you can generate a new preshared key by clicking the Generate button next to the Preshared Key field.

Allowed IPs

Enter the individual IP addresses or CIDR blocks that this interface can access through the endpoint, like “10.0.0.0/24, fc00::/56”, in the Allowed IPs field. Separate multiple addresses or blocks with commas, newlines, or other whitespace.

Form Submit

Click the Add button to submit the form and queue the creation of the endpoint.

The next time the Pro Custodibus agent on the host pings the Pro Custodibus servers, the agent will receive the information about the new endpoint, and add it on the host.