you can enable wireguard on a port that
appears to be closed for any port scans but allows the client to connect.
I would like to make for example that the port by performing a port scan results in this state:
I don't understand your inquiry as Wireguard does not provide a response on a listening port unless you have the correct key/IP pairs. So the state that you wish to change is indicative of all UDP ports that are closed/not listened to.
You would have to BLOCK all traffic to 51820/udp...which means you also block valid Wireguard endpoint traffic.
I'm currently testing inside a vlan where inbound traffic is reject.
of course I have to pre-force open the udp port where wireguard is listening,
i would like to know if in the future i should open a wan side udp port to allow access with wireguard if it is possible
leave the ability to access a client with the correct correct key / IP pairs but if someone interrogated the udp port the firewall could send the host a reject-with icmp-port-unreachable.
I thought you set an iptables rule that duplicates the input package for the UDP port and simultaneously responds with a reject-with ICMP Port Unreachable and in any case forward traffic to the correct door where Wireguard is listening.
In such a way that any access attempts towards that port are rejected, but the clients in possession of the correct configuration can log in.
I know that wireguard automatically does not send traffic if there is no proper handshake.
I apologize if the questions I am doing seem stupid, partly depends on the automatic translator
As both @lleachii and @krazeh have already said, WG is secure already, and your desire to further secure it is both pointless and counterproductive.
I'll repeat what has already been said, but maybe slightly differently.
UDP, by nature and design, does not require any ack packets -- this is a key difference from TCP.
Wireguard itself is not 'chatty' -- it does not send any reply at all if the remote peer does not have proper cryptographic keys.
Because Wireguard uses UDP, a remote system that sends a packet will not get any response whatsoever if the remote peer isn't valid per above.
A port scan on a port that is using Wireguard (in any normal installation) will result in what is sometimes called a 'stealth' result, which is to say that it doesn't respond. There is no indication that there is anything on the other end. (Port scans can report ports as open, closed/rejected, or stealth/no-response).
If you think about this 'stealth' result vs one that actively sends a 'reject' response, the more secure is the no-answer situation because it reveals nothing at all. You can compare it to answering the phone and saying "go away" vs not answering at all... if you answer, the caller knows that you're there, but if you don't answer at all, they have no idea if your number works at all.