Defaults for Remote Endpoints
When adding an endpoint to an interface, when adding hosts in bulk, and when using the Connection Wizard, Pro Custodibus automatically populates an endpoint’s default settings from the settings of the last-modified endpoint that uses the same peer identity. Instead of relying on this last-modified heuristic, you can configure explicit defaults.
For example, say you are setting up a point-to-site network with a WireGuard “site” host, Host B in Site B, which has a WireGuard interface that uses a peer identity Peer B; and you want other remote hosts to all use some standard settings in their WireGuard connection to Host B, like the following:
- Connect to Host B using the public address host-b.example.com:51820
- Route Site B (192.168.200.0/24) traffic through Host B
- Select their own WireGuard interface address from within the private 10.0.0.0/24 network
- Use a private DNS server (192.168.200.53) for DNS
To configure these defaults, you’d navigate in the app UI to the interface of Host B that uses Peer B as its peer identity, and configure its defaults like the following:
- Defaults for Remote Endpoints:
  - Allowed IPs: 10.0.0.0/24, 192.168.200.0/24
  - Hostname: host-b.example.com
  - Port: 51820
- Defaults for Interfaces of Remote Endpoints:
  - Network Addresses: 10.0.0.0/24
  - DNS Servers: 192.168.200.53
The Defaults for Remote Endpoints settings specify the default settings for remote endpoints of Peer B (endpoints that use Peer B as their peer identity); and the Defaults for Interfaces of Remote Endpoints specify the default settings for interfaces of remote endpoints of Peer B (interfaces with an endpoint that uses Peer B as its peer identity — the other side of a connection from Host B).
If you use the Connection Wizard to add a new connection from Host B to a new host, Host A, Pro Custodibus will populate the default settings for the endpoint on the Host A side of the connection using Host B's Defaults for Remote Endpoints; and, if creating a new interface on Host A, populate the default settings for the new interface on the Host A side of the connection using Host B's Defaults for Interfaces of Remote Endpoints.
In other words, the defaults for Host B do not apply directly to Host B — rather, they apply to remote connections from other hosts to Host B.
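As an added illustration (not configuration generated by Pro Custodibus, and not part of the original page), here is what the two sides of the Host A / Host B connection described above look like as WireGuard configuration once the defaults are applied. Key values in angle brackets are placeholders; the tunnel addresses 10.0.0.2 for Host A and 10.0.0.1 for Host B are assumed, and the Host B peer entry follows the usual point-to-site pattern in which the site routes only the point’s own tunnel address back to it.

```ini
# /etc/wireguard/wg0.conf on Host A (the remote "point") - illustrative,
# assembled by hand from Host B's defaults; not output from Pro Custodibus.
[Interface]
# Chosen by the wizard from the "Network Addresses" default (10.0.0.0/24);
# 10.0.0.2 is assumed here, with Host B itself on 10.0.0.1.
Address = 10.0.0.2/24
# From the "DNS Servers" default
DNS = 192.168.200.53
PrivateKey = <Host A private key>

[Peer]
# Peer B, i.e. Host B's WireGuard interface
PublicKey = <Peer B public key>
# From the "Hostname" and "Port" defaults
Endpoint = host-b.example.com:51820
# From the "Allowed IPs" default: Host A routes the tunnel network and
# Site B's LAN through Host B
AllowedIPs = 10.0.0.0/24, 192.168.200.0/24
# PersistentKeepalive = 25 and PresharedKey = <key> would appear here too
# if those defaults were set on Host B's interface

# Corresponding [Peer] entry on Host B for Host A (typical point-to-site
# pattern; the page above describes only the remote side's defaults)
[Peer]
PublicKey = <Host A public key>
# Host B routes only Host A's own tunnel address back to Host A
AllowedIPs = 10.0.0.2/32
```

Note that nothing in Host B’s own [Interface] section comes from these defaults; they shape only the configuration of the hosts connecting to it.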
Defaults for Remote Endpoints
Follow these steps to set the defaults for new endpoints of an interface:
- Click the Hosts link in the app header.
- Find the host containing the interface in the list, and click its name to view the host’s main status page.
- Find the interface in the Interfaces panel, and click its name to view the interface’s main status page.
- Click the “pencil-document” icon on the right side of the Endpoints panel.
- Click the “pencil” icon on the right side of the Defaults for Remote Endpoints panel.
- Configure the following fields.
Type
Select the default connection type for the Add Endpoint Wizard’s Type field (from the perspective of the remote endpoint).
For example, if you select Point-to-Site, Remote as Point, then when you start the Add Endpoint Wizard from this interface, the wizard’s default Type value will be Point-to-Site, Local as Site (this local interface will be the “site”, and the new remote endpoint will be the “point”).
Allowed IPs
Enter the default IP addresses or CIDR blocks in the Allowed IPs field that remote endpoints should route to this interface. Separate multiple addresses or blocks with commas, newlines, or other whitespace.
For example, if you enter “10.0.0.0/24, 192.168.200.0/24” in the Allowed IPs field, the default for remote endpoints will be to route their traffic to the 10.0.0.0/24 and 192.168.200.0/24 networks through WireGuard to this interface.
Hostname
Enter the public hostname or IP address which remote endpoints should use to connect to this interface, like “vpn.example.com” or “192.0.2.1”, in the Hostname field.
You only need to set the hostname on one side of a WireGuard connection. If the interface’s host has a static DNS name or IP address, enter it here; otherwise leave it blank.
Port
If you entered a hostname or IP address in the Hostname field, enter the public UDP port which remote endpoints should use to connect to this interface, like “51820”, in the Port field. Otherwise leave this field blank.
This almost always should be the same value as the interface’s own WireGuard listen port. The only exception is when you’ve set up DNAT in front of the host to translate its public WireGuard UDP port to a different port on the host; in that case, enter the public port here.
Persistent Keepalive
Enter the default number of seconds between keepalive packets that remote endpoints should send to this interface, like “25”, in the Persistent Keepalive field. Leave blank to not send keepalive packets. Set it when remote endpoints sit behind NAT or a stateful firewall and this interface’s host (or the network behind it) needs to initiate traffic to them: the keepalives hold the NAT mapping open so that inbound packets can reach the remote endpoint.
Preshared Key
Check the Generate checkbox in the Preshared Key field if you want the Connection Wizard to automatically generate a preshared key for each new connection. Uncheck to not use preshared keys. A preshared key is an additional symmetric secret mixed into the WireGuard handshake on top of the public-key exchange, so generating one per connection is a cheap hardening step.
Defaults for Interfaces of Remote Endpoints
Follow these steps to set the defaults for new remote interfaces created when creating new endpoints of an interface:
- Click the Hosts link in the app header.
- Find the host containing the interface in the list, and click its name to view the host’s main status page.
- Find the interface in the Interfaces panel, and click its name to view the interface’s main status page.
- Click the “pencil-document” icon on the right side of the Endpoints panel.
- Click the “pencil” icon on the right side of the Defaults for Interfaces of Remote Endpoints panel.
- Configure the following fields.
Network Addresses
Enter the default address blocks to use for the Add Endpoint Wizard’s Network Addresses field, like “10.0.0.0/24, fd00::/64”. Separate multiple addresses with commas, newlines, or other whitespace. If the remote endpoint will be part of a new interface, the wizard will select an available address for the interface from each block on the wizard’s Tunnel step.
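The address selection the wizard performs from each block can be illustrated with a small script. This is an added example, not Pro Custodibus code; the Network Addresses value and the set of already-assigned tunnel addresses are constructed for the example, and the selection rule (first free host address in each block, in listed order) is an assumption about how such a wizard behaves.

```python
import ipaddress

# Constructed example input (not taken from a real Pro Custodibus deployment):
# the "Network Addresses" default of the site interface, and the tunnel
# addresses already assigned to interfaces in the same WireGuard network.
NETWORK_ADDRESSES = "10.0.0.0/24, fd00::/64"
ASSIGNED = {
    "10.0.0.1", "fd00::1",   # the site interface (Host B) itself
    "10.0.0.2", "fd00::2",   # an existing remote point
    "10.0.0.3", "fd00::3",   # another existing remote point
}


def parse_blocks(text):
    """Parse a comma-, newline- or whitespace-separated list of CIDR blocks.

    strict=False tolerates a block written with host bits set (e.g. 10.0.0.1/24),
    normalising it to its network (10.0.0.0/24).
    """
    tokens = text.replace(",", " ").split()
    return [ipaddress.ip_network(t, strict=False) for t in tokens]


def pick_addresses(text, assigned):
    """Choose one free address from each block for a new remote interface.

    Returns a list of ip_interface objects (address plus the block's prefix
    length), one per block, in the order the blocks were listed.  Raises
    ValueError when a block has no free host address left.
    """
    taken = {ipaddress.ip_address(a) for a in assigned}
    chosen = []
    for net in parse_blocks(text):
        # hosts() skips the network address (and, for IPv4, the broadcast
        # address), so a /24 yields .1 to .254; it is lazy, so a /64 is fine.
        for host in net.hosts():
            if host not in taken:
                chosen.append(ipaddress.ip_interface(f"{host}/{net.prefixlen}"))
                taken.add(host)   # never hand out the same address twice
                break
        else:
            raise ValueError(f"no free addresses left in {net}")
    return chosen


if __name__ == "__main__":
    for addr in pick_addresses(NETWORK_ADDRESSES, ASSIGNED):
        print(addr)   # 10.0.0.4/24 and fd00::4/64
```

The exhaustion check matters in practice: a /30 has only two usable host addresses, so a site that keeps adding points to a small block will run out, and a wizard that silently reused an address would create two peers with overlapping Allowed IPs.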
DNS Servers
Enter the IP addresses of the default DNS servers for new interfaces, like “10.0.0.53, fd00::53”, in the DNS Servers field. Separate multiple addresses with commas, newlines, or other whitespace.
Usually you’d use this setting only if you have a private DNS server that is accessible only through this WireGuard interface.
Search Domains
Enter the default DNS search domains to use for new interfaces, like “wg.lan, corp”, in the Search Domains field. Separate multiple domains with commas, newlines, or other whitespace.
Usually you’d use this setting only in conjunction with the DNS Servers setting above, for a private DNS server with a private domain name that is accessible only through this WireGuard interface.
MTU
Enter the MTU value to use for new interfaces, like “1380”, in the MTU field.
Usually you should omit this setting, and let WireGuard (wg-quick) determine the MTU automatically from the route to the endpoint. Set it explicitly only when the automatic value is wrong for your path, for example when the WireGuard packets themselves travel inside another tunnel.
Firewall Zone
Select the firewall zone to apply to new interfaces, from the options in the Firewall Zone field.
This setting is used only on Linux (with firewalld) and on Windows, and only if the host is running the Pro Custodibus agent 1.6.0 or newer.
Forwarding
Select a default packet forwarding policy to apply to new interfaces, from the options in the Forwarding field.
Usually you’d leave this blank.
Masquerading
Select a default packet masquerading policy to apply to new interfaces, from the options in the Masquerading field.
Usually you’d leave this blank.
MSS Clamping
Set the default MSS clamping policy to apply to new interfaces by checking or unchecking the Clamp outbound to WireGuard network checkbox.
Usually you’d leave this unchecked.
Pre Up Script
Enter pre-up script commands to apply to new interfaces in the Pre Up Script field.
Usually you’d leave this blank.
Post Up Script
Enter post-up script commands to apply to new interfaces in the Post Up Script field.
Usually you’d leave this blank.
Pre Down Script
Enter pre-down script commands to apply to new interfaces in the Pre Down Script field.
Usually you’d leave this blank.