Wireguard port - public wifi

Started by RamSense, September 18, 2021, 11:49:42 AM

September 18, 2021, 11:49:42 AM Last Edit: September 18, 2021, 11:51:35 AM by RamSense
Who has experience using WireGuard at public wifi spots like McDonald's / schools etc.?
I want my kids to be able to secure their iPhone wifi connection on public wifi networks without the public wifi access point blocking WireGuard, as it does now at McDonald's and their school.
What is the best port or method to use to prevent their VPN being blocked?
Deciso DEC850v2

I use port 443 UDP and have not had an issue, but you can also try port 53 UDP.

Thank you allebone for your suggestions. In my OPNsense I only have port 53 forwarded to AdGuard Home (plugin) and port 443 to the nginx proxy for a local website. So I think I can not use those ports with AdGuard and nginx (?).
Do you have any other suggestions? Or do you think the ports you mentioned work with my OPNsense settings mentioned above?

You have port 53 open to the whole internet?? I would recommend you don't do that. Perhaps you can explain your setup.

No, only internally, see the attached picture.
Setup is simple: ISP - OPNsense (with AdGuard Home plugin) - wifi router -> wired connected NAS/website


Ok, that's fine. If you don't forward port 53 on your WAN (pic shows LAN interface) then you can do a NAT rule on port 53 and redirect to a different internal port that WireGuard runs on. So the rule is: interface WAN, IPv4, UDP, destination port 53, redirect to target port 51820 (or whatever you set the WG port to be).

That way WireGuard runs on a different port internally, but externally, someone contacting your WAN address on port 53 UDP is redirected internally to the WG port.

That should bypass most airports etc. with restrictions.

P

Ah, that sounds great indeed!

But you also stated:
Quote from allebone: You have port 53 open to the whole internet?? I would recommend you don't do that. Perhaps you can explain your setup.

Is this method safe then?

And do I make this rule in Firewall: NAT: Port Forward: interface WAN, IPv4, UDP, destination 53, redirect to target port 51820 (or whatever you set the WG port to be)?

or
Firewall: Rules: WAN: interface WAN, IPv4, UDP, destination 53, redirect to target port 51820 (or whatever you set the WG port to be)?

I think the last one? Firewall: Rules: WAN?


September 19, 2021, 07:19:08 PM #7 Last Edit: September 19, 2021, 07:20:50 PM by allebone
Yes, it is safe because you are not exposing DNS to the internet. WireGuard is designed to be exposed to the internet. The port is not relevant. My question was, did you expose AdGuard to the internet on port 53 (that is unsafe).

You should create a NAT rule: Firewall - NAT. The appropriate firewall rule will be created automatically when you make the NAT rule. You can see it and check it is correct in Firewall, Rules, WAN afterwards. Making the NAT rule will make the second rule for you.


Ah yeah, now I follow you.
I do not have port 53 exposed to the internet, so only LAN like you stated.

I will try your setting, and indeed port 53, and then forward on OPNsense to the WireGuard port and test it on public wifi.

Sounds like a great solution indeed.
Thanks!

Let me know how it goes and I can help further if need be.

September 20, 2021, 06:15:21 PM #10 Last Edit: September 20, 2021, 06:18:55 PM by RamSense
This did not work.
VPN connects, but no browsing/data.
In the client config I also put port 53.
But when I put my destination port in, it also connects and works. Strange(?)

What have I done wrong?

I tested on my firewall and it works perfectly, so you will have to check your rules etc. You should do basic troubleshooting steps like checking that the OPNsense server sees a handshake, whether you can ping (to rule out a DNS issue etc.) and whatnot, and report back with any interesting findings. Mine was running on port 443 and I just opened port 53 to redirect to 443 in addition, and it worked without changing anything further, so it must be something on your side that could be stopping it.

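The first troubleshooting step above, checking whether the OPNsense side actually sees a handshake and moving bytes, can be scripted from the output of `wg show <iface> dump`. The snippet below is an added example, not code from this thread or from OPNsense; the dump text it parses is a constructed sample standing in for `wg show wg0 dump`, and the peer keys, endpoint and byte counters are made up.

```shell
# Classify peers from `wg show <iface> dump` output (tab separated).
# Per-peer columns: pubkey psk endpoint allowed-ips latest-handshake rx tx keepalive
# Usage: wg_peer_status "$(wg show wg0 dump)" "$(date +%s)" [max_age_seconds]
wg_peer_status() {
    now=$2
    max_age=${3:-180}   # a peer passing traffic re-handshakes roughly every 2 minutes
    printf '%s\n' "$1" | awk -F'\t' -v now="$now" -v max_age="$max_age" '
        NR == 1 { next }             # first line describes the interface itself
        {
            age = (($5 + 0) == 0) ? -1 : now - $5
            if (age < 0)            status = "no-handshake"
            else if (age > max_age) status = "stale-handshake"
            else                    status = "ok"
            printf "%s %s %s age=%s rx=%s tx=%s\n", substr($1, 1, 8), $3, status, age, $6, $7
        }'
}

# Constructed sample dump: one healthy peer and one that never completed a
# handshake, which is what you see when UDP 53 never reaches the WireGuard port.
NOW=1632150000
SAMPLE_DUMP=$(printf 'IFACEPRIV\tIFACEPUB\t51820\toff\n%s\n%s\n' \
  "$(printf 'PeerAAAAkey\t(none)\t203.0.113.10:41641\t10.10.0.2/32\t%s\t48210\t112004\toff' $((NOW - 30)))" \
  "$(printf 'PeerBBBBkey\t(none)\t(none)\t10.10.0.3/32\t0\t0\t0\toff')")

# Status of a single peer in the sample, selected by the first 8 chars of its key.
peer_status_of() {
    wg_peer_status "$SAMPLE_DUMP" "$NOW" | awk -v p="$1" '$1 == p { print $3 }'
}

wg_peer_status "$SAMPLE_DUMP" "$NOW"
```

A peer reported as `no-handshake` while the phone shows "connected" means the client's packets never arrived at the listening port, so the NAT redirect or an upstream block is the place to look; `ok` with growing counters points at routing or DNS instead.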
September 20, 2021, 08:20:15 PM #12 Last Edit: September 20, 2021, 09:16:18 PM by RamSense
Ok, so my port forward rule screen capture was correct (?)
I will check what I can find.
Thanks

Assuming your FW is 192.168.1.1 and WG runs on port 989 UDP, then it looks correct to me.

Can it be that my ISP is blocking incoming port 53 on WAN?
Is there a way to check this? I also tried to use a port below 1000 to see if that is any use on public wifi; I did not test it yet though.
