Wireguard port - public wifi

Started by RamSense, September 18, 2021, 11:49:42 AM

I feel this would be a lot easier to test if you didn't leave your home and just checked it was working from your phone when you turn wifi on and off. Maybe start there, as being able to switch back and forth is a lot easier.

I did a test with shieldsup - https://www.grc.com/shieldsup
And I can see port 53 is not open. I can open other ports like 443. So it definitely looks like the ISP is blocking port 53 before it even hits my router....
Deciso DEC850v2

That would make it much harder. To test, you would need to change the port to something else in your rule without changing anything else and confirm it works, and then, if this is the case, consider another port to use that might bypass it. The best are 53 and 443, but if those are out of the question you might have success with port 465, as many firewalls allow this port (secure mail for Gmail, for example).

Not OP, but same problem here. Not a matter of the port being blocked by the ISP. I tried on port 80, which I know isn't blocked, but no go. Also tried port 51821 for testing, but no luck.

Firewall-> NAT-> Port Forward:
Interface: WAN
TCP/IP: IPV4
Protocol: UDP
Source: any
Destination: WAN address
Destination Port Range: 51821-51821
Redirect Target IP: Single Host or Network: 192.168.1.1 (also tried 127.0.0.1 and Wireguards 10.0.0.1)
Redirect Target Port: 51820

I thought this should be good, but it isn't. What am I missing here?


Did you make sure under wireguard - local the port you are redirecting to is what wireguard is running on. Mine works totally fine. Here is a rule example of mine that works:

(My wireguard runs on 443 but I opened port 53 externally as a test.)


My Opnsense IP is 192.168.2.2 in case you wondered.

September 24, 2021, 11:41:28 PM #21 Last Edit: September 25, 2021, 12:15:03 AM by MTR
Quote from: allebone on September 24, 2021, 09:38:52 PM
Did you make sure under wireguard - local the port you are redirecting to is what wireguard is running on.
Yes, Wireguard is running on 51820. Clients connecting to that port directly get a handshake just fine.

So, if your config works, then OP's and mine should work as well yet they don't. There must be something else then; some setting or rule both OP and I have in place which prevents us from port forwarding to services running on the firewall itself. @OP can you confirm NAT port forwarding is working for a different machine in your network? I know this works on my end:

Firewall-> NAT-> Port Forward:
Interface: WAN
TCP/IP: IPV4
Protocol: TCP/UDP
Source: any
Destination: WAN address
Destination Port Range: 51821-51821
Redirect Target IP: Single Host or Network: 192.168.10.10
Redirect Target Port: 8888

When I use a browser and connect to http://my_wan_ip:51821 I now get the web interface for Chronograf running on my Pi3@192.168.10.10:8888.

So NAT port forwarding is working, just not for services on the firewall itself so it seems.


edit: for anyone wondering (I did ;) ), NAT port forwarding does also work for devices in the same VLAN as the firewall. I tried the above config but redirecting to 192.168.1.10:80 (which is a switch) and I get the switch's web interface.
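The browser test above only covers TCP; WireGuard is UDP, and a UDP forward can fail silently where a TCP one works. The script below is an added example (not from the thread or from OPNsense): it runs a small UDP responder that stands in for the forwarded service, then probes a port with one datagram and reports whether anything came back. Locally it contrasts a port with a responder behind it against a port with nothing listening; against a real firewall you would run `udp_responder` on the LAN host named in the NAT rule (the Pi in the post) and call `udp_probe(WAN_IP, FORWARDED_PORT)` from outside the network. The port constants are the ones quoted in the thread and are only defaults here.

```python
import socket
import threading

# Values from the thread (used here only as defaults for the demo).
WG_LISTEN_PORT = 51820   # the port WireGuard itself listens on
FORWARDED_PORT = 51821   # the external port the NAT rule redirects to it


def free_port(host="127.0.0.1"):
    """Ask the OS for an unused UDP port so the local demo does not collide with anything."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def udp_responder(host, port, ready, stop, prefix=b"ack:"):
    """Stand-in for the forwarded service: reply to every datagram with prefix + payload.
    Run this on the redirect target instead of WireGuard, so the check does not depend
    on producing a valid WireGuard handshake."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    sock.settimeout(0.2)            # wake up regularly to notice the stop flag
    ready.set()
    try:
        while not stop.is_set():
            try:
                data, addr = sock.recvfrom(2048)
            except socket.timeout:
                continue
            sock.sendto(prefix + data, addr)
    finally:
        sock.close()


def udp_probe(host, port, payload=b"probe", timeout=2.0):
    """Send one datagram to host:port and return the reply, or None if nothing came back.
    None cannot distinguish 'no forward rule', 'filtered upstream' and 'service silent',
    so always compare against a port that is known to work."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(payload, (host, port))
        data, _ = sock.recvfrom(2048)
        return data
    except OSError:                 # socket.timeout, or ICMP port-unreachable as ConnectionRefusedError
        return None
    finally:
        sock.close()


def run_local_check():
    """Local demo: one port with a responder behind it, one with nothing listening."""
    host = "127.0.0.1"
    listening, silent = free_port(host), free_port(host)
    while silent == listening:      # keep the two ports distinct
        silent = free_port(host)
    ready, stop = threading.Event(), threading.Event()
    t = threading.Thread(target=udp_responder, args=(host, listening, ready, stop), daemon=True)
    t.start()
    ready.wait(2.0)
    try:
        return {
            "reachable": udp_probe(host, listening),     # expect b"ack:probe"
            "unreachable": udp_probe(host, silent),      # expect None
        }
    finally:
        stop.set()
        t.join(2.0)


if __name__ == "__main__":
    for name, result in run_local_check().items():
        print(f"{name}: {'reply ' + repr(result) if result else 'no reply'}")
```

When used against the real forward, probe the external port from a connection outside your network (mobile data, as suggested earlier in the thread) and also probe the service's own port on the LAN; a reply on the LAN but none through the WAN points at the NAT rule or upstream filtering rather than at WireGuard.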

Ok I am running wireguard in kernel mode. Not the wireguard go version. What do you have?

Wireguard go. But I don't think that's the issue; I just tried port forwarding for OpenVPN and that doesn't work either.

Quote from: allebone on September 22, 2021, 10:05:04 PM
That would make it much harder. To test you would need to change the port to something else in your rule without changing anything else and confirm it works and then if this is the case consider another port to use that might bypass. The best is 53 and 443 but if those are out the question you might have success with port 465 as many firewalls allow this port (secure mail for gmail for example).

You're correct. I tried port 465 and did not change anything else. Only in the client config I changed the listen port to 465 and the endpoint to ip:465.

Tested it, but I could not load any website...

So, did I do something wrong with the port forward or the client config? See attachment.
Deciso DEC850v2

Why not just have WG listen on 465 and forget about port forwarding?

Quote from: Greelan on September 25, 2021, 01:42:57 PM
Why not just have WG listen on 465 and forget about port forwarding?

Greelan, my default working WG is configured with this firewall-rules-wan ->see attached picture.
When I remove this rule, my WG stops working?! Do I understand you correctly that my WG should be working without this rule?
Deciso DEC850v2

No, you need a fw rule. But why not a rule to port 465, with WG listening on that port instead of 989?

Ah ok, well it was for testing if another port is working, while not modifying the WG config. Port 53 seems to be blocked by my ISP.
Deciso DEC850v2

September 25, 2021, 05:23:29 PM #29 Last Edit: September 25, 2021, 05:29:21 PM by allebone
I can't understand why you guys can't get redirecting from a different port to work. On mine it works perfectly fine. I can run wireguard on any port and just redirect a different external port of my choosing. Honestly I don't see how this can't work for you. It's like a basic feature of the firewall to be able to do this.


Maybe you guys are removing the rule that allows wireguard to listen on the port it's configured on. Can you rule this out by having 2 NAT rules (one original rule to the same wireguard port it's listening on, and a second NAT rule where the redirect is performed)? If this scenario works, then you guys are deleting the rule that allows wireguard to service requests on the port it is listening on, which would break it, obviously.