Implement state-machine based WireGuard dynamic port rebinding with handshake-guided bootstrap and automatic fallback

Rewrite wireguard-periodic-rebind-port.sh with a two-phase state machine
(startup/active) that minimizes initial port exposure time from 1-32 hours
to ~20 seconds. In startup phase, the interface listens on the initial
bind port and polls for handshake; once detected, it immediately rebinds
to a random port via SSH coordination. If handshake is lost for over 300
seconds, automatically reverts to the initial port and original endpoint
to re-establish connectivity.

Also add #RNCN#InitialBindPort metadata to generated WireGuard configs
and improve the systemd service unit with Restart=on-failure and
RuntimeDirectory for state tracking.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2 files changed
tree: 5c3b4d5877b10cca3a71f3eed0bb5af41bd96ff4
  1. .gitignore
  2. .gitmodules
  3. config.examples/
  4. src/
  5. support.sh
  6. systemd-units/
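
The two-phase logic the commit message describes can be sketched as pure decision functions. This is an added example, not the project's `wireguard-periodic-rebind-port.sh`: the function names, the action labels, and the rule that a handshake counts as "detected" when it is at most 300 seconds old are assumptions, and the sample `wg show <iface> latest-handshakes` output is constructed.

```shell
#!/bin/sh
# Added example: decision logic only; it never calls wg, ssh or the network.
FALLBACK_SECS=300   # commit message: revert when handshake is lost for over 300 s

# Constructed sample of `wg show <iface> latest-handshakes`:
# "<public-key><TAB><epoch-seconds>" per peer, 0 meaning no handshake yet.
sample_handshakes() {
    printf 'constructedPeerKeyA=\t0\nconstructedPeerKeyB=\t1700000000\n'
}

# Read latest-handshakes output on stdin, print the newest epoch (0 if none).
newest_handshake() {
    awk 'BEGIN { m = 0 } NF >= 2 && $2 + 0 > m { m = $2 + 0 } END { printf "%d\n", m }'
}

# next_step STATE NEWEST_HANDSHAKE NOW -> prints "<new-state> <action>".
next_step() {
    state=$1; hs=$2; now=$3
    age=$((now - hs))
    case $state in
        startup)
            # Still on the initial bind port: leave it as soon as a fresh
            # handshake proves the peer can reach us (assumed freshness rule).
            if [ "$hs" -gt 0 ] && [ "$age" -le "$FALLBACK_SECS" ]; then
                echo "active rebind-random-port"
            else
                echo "startup wait"
            fi ;;
        active)
            # On a random port: fall back once the handshake is too old.
            if [ "$age" -gt "$FALLBACK_SECS" ]; then
                echo "startup revert-initial-port"
            else
                echo "active none"
            fi ;;
        *)  # Unknown or corrupted state file: fail towards the known-good port.
            echo "startup revert-initial-port" ;;
    esac
}

# Pick a port in 1024..65535 that differs from the initial bind port.
# The modulo introduces a slight bias, which is acceptable for port selection.
pick_port() {
    initial=$1
    while :; do
        r=$(od -An -N2 -tu2 /dev/urandom | tr -d ' \n')
        p=$((1024 + r % 64512))
        [ "$p" -ne "$initial" ] && { echo "$p"; return 0; }
    done
}
```

Keeping the decision separate from the side effects (rebinding, SSH coordination) lets the fallback threshold be tested without a live tunnel.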