diff --git a/net/wireguard/Makefile b/net/wireguard/Makefile index 22a3d57f17..3e37bd759c 100644 --- a/net/wireguard/Makefile +++ b/net/wireguard/Makefile @@ -1,5 +1,5 @@ PLUGIN_NAME= wireguard -PLUGIN_VERSION= 1.10 +PLUGIN_VERSION= 1.11 PLUGIN_COMMENT= WireGuard VPN service PLUGIN_DEPENDS= wireguard-go wireguard-tools PLUGIN_MAINTAINER= m.muenz@gmail.com diff --git a/net/wireguard/pkg-descr b/net/wireguard/pkg-descr index 515f17dbf2..643516c387 100644 --- a/net/wireguard/pkg-descr +++ b/net/wireguard/pkg-descr @@ -16,6 +16,10 @@ WWW: https://www.wireguard.com/ Changelog --------- +1.11 + +* Add script for renewal of Wireguard DNS-based entries for stale connections + 1.10 * Remove instance limit diff --git a/net/wireguard/src/opnsense/scripts/OPNsense/Wireguard/resolve-dns.sh b/net/wireguard/src/opnsense/scripts/OPNsense/Wireguard/resolve-dns.sh new file mode 100644 index 0000000000..365344f143 --- /dev/null +++ b/net/wireguard/src/opnsense/scripts/OPNsense/Wireguard/resolve-dns.sh 
@@ -0,0 +1,49 @@
+#!/usr/local/bin/bash
+# SPDX-License-Identifier: GPL-2.0
+#
+# Copyright (C) 2015-2020 Jason A. Donenfeld . All Rights Reserved.
+
+set -e
+shopt -s nocasematch
+shopt -s extglob
+export LC_ALL=C
+
+for CONFIG_FILE in /usr/local/etc/wireguard/*.conf
+do
+
+[[ $CONFIG_FILE =~ /?([a-zA-Z0-9_=+.-]{1,15})\.conf$ ]]
+INTERFACE="${BASH_REMATCH[1]}"
+
+process_peer() {
+ [[ $PEER_SECTION -ne 1 || -z $PUBLIC_KEY || -z $ENDPOINT ]] && return 0
+ [[ $(wg show "$INTERFACE" latest-handshakes) =~ ${PUBLIC_KEY//+/\\+}\ ([0-9]+) ] +] || return 0
+ (( ($EPOCHSECONDS - ${BASH_REMATCH[1]}) > 135 )) || return 0
+ wg set "$INTERFACE" peer "$PUBLIC_KEY" endpoint "$ENDPOINT"
+ reset_peer_section
+}
+
+reset_peer_section() {
+ PEER_SECTION=0
+ PUBLIC_KEY=""
+ ENDPOINT=""
+}
+
+reset_peer_section
+while read -r line || [[ -n $line ]]; do
+ stripped="${line%%\#*}"
+ key="${stripped%%=*}"; key="${key##*([[:space:]])}"; key="${key%%*([[:space:]])}"
+ value="${stripped#*=}"; value="${value##*([[:space:]])}"; value="${value%%*([[:spa +ce:]])}"
+ [[ $key == "["* ]] && { process_peer; reset_peer_section; }
+ [[ $key == "[Peer]" ]] && PEER_SECTION=1
+ if [[ $PEER_SECTION -eq 1 ]]; then
+ case "$key" in
+ PublicKey) PUBLIC_KEY="$value"; continue ;;
+ Endpoint) ENDPOINT="$value"; continue ;;
+ esac
+ fi
+done < "$CONFIG_FILE"
+process_peer
+
+done
diff --git a/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf b/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf
index 3257da26d0..84fa90580c 100644
--- a/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf
+++ b/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf
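Review bot: Two `+` lines in this hunk look like wrapped fragments rather than code: `([0-9]+) ]` is followed by a separate `+] || return 0`, and `[[:spa` by `+ce:]])}` — the header's `+1,49` only adds up if those are real lines, and if they are, bash will refuse to parse the `[[ ... ]` / `]` pair and the trailing-whitespace strip in the `value=` line uses a broken character class, so the script dies before `wg` ever runs; the two lines should read `... ([0-9]+) ]] || return 0` and `value="${stripped#*=}"; value="${value##*([[:space:]])}"; value="${value%%*([[:space:]])}"`. Upstream's `set -e` was written for one config per invocation; wrapped in the `for CONFIG_FILE` loop it means a single `wg set` that cannot resolve a hostname, or a single `.conf` name that misses the 15-character regex, aborts the run and leaves every remaining interface un-renewed — `wg set "$INTERFACE" peer "$PUBLIC_KEY" endpoint "$ENDPOINT" || return 0` and `[[ $CONFIG_FILE =~ /?([a-zA-Z0-9_=+.-]{1,15})\.conf$ ]] || continue` keep one bad peer from blocking the rest. The handshake regex in upstream matches a literal tab between the key and the timestamp, and it shows as `\ ` here, so confirm the tab survived the copy; otherwise no peer ever matches and the script silently does nothing. `$EPOCHSECONDS` is a bash 5 builtin and the shebang is `/usr/local/bin/bash`, but `PLUGIN_DEPENDS` in the Makefile hunk lists only wireguard-go and wireguard-tools, so `bash` should be added there (or the comparison switched to `$(date +%s)`) to avoid a missing-interpreter failure on hosts that never pulled it in.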
@@ -23,6 +23,13 @@ type:script message:Restarting WireGuard description: Restart WireGuard +[renew] +command:/usr/local/opnsense/scripts/OPNsense/Wireguard/resolve-dns.sh +parameters: +type:script +message:Renew DNS for Wireguard +description:Renew DNS for Wireguard on stale connections + [genkey] command:/usr/local/opnsense/scripts/OPNsense/Wireguard/genkey.sh parameters: %s
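Review bot: The new `[renew]` action spells the product `Wireguard` in both `message:` and `description:` while the neighbouring `[restart]` entry uses `WireGuard`; `message:Renew DNS for WireGuard` and `description:Re-resolve peer endpoints for WireGuard on stale connections` keeps the log text consistent and says what the script actually does (it re-runs `wg set ... endpoint` for peers whose last handshake is older than 135 s, it does not touch DNS itself). Nothing in this diff invokes `renew` on a schedule, and a one-shot run only helps if it is repeated, so it is presumably meant for a cron job — confirm a cron definition exists elsewhere or note in the description that the action has to be triggered explicitly.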