Is it sane to use a redirect to allow easy testing of multiple wireguard ports?

I have a wireguard interface running on the default udp/51820. I want to test other incoming ports and am wondering if using a redirect + opening the target ports is a good strategy to do it? I don't want to create multiple wireguard interfaces for testing purposes.

I am thinking something like:

config redirect
  option dest 'wg0'
  option target 'DNAT'
  option name 'test forward'
  list proto 'udp'
  option src 'wan'
  option src_dport '123'
  option dest_port '51820'

And

config rule 'wg'
  option name 'allow-wireguard'
  option proto 'udp'
  option target 'ACCEPT'
  option src 'wan'
  option dest_port '123 51820'
  option family 'ipv4'

The redirect rule already has an ACCEPT rule incorporated so you do not need the second rule.

But why do you want to do that?

You can run multiple WG servers, but why? And if you want to do it, let them use their own port.

If you are talking about a WG client then do not specify a port and it will use a random port.


Some public wifi networks block wireguard connections so I want to try some non-standard ports to hit my OpenWrt device when away from home. I know 51820 is not viable.


Then just use another port on the WG server; you can use any port you want (as long as it is not in use).

I use 51999 :slight_smile:

Edit: you can even use 443 (unless it is already used)

I would like to setup 10-12 ports for testing and then once I am away from home connected to that remote WiFi network, systematically try connecting to them one-at-time by editing the wireguard profile on the iOS device. Hence my idea to setup the redirects before I leave home. Am I not understanding something?

For the record, the wireguard section of /etc/config/network:

config interface 'wg0'
  option proto 'wireguard'
  option listen_port '51820'
  list addresses '10.200.200.200/24'
  option private_key 'xxx'
  option delegate '0'

config wireguard_wg0
  option description 'me'
  list allowed_ips '10.200.200.201/32'
  option route_allowed_ips '1'
  option public_key 'xxx'
  option preshared_key 'xxx'

And the corresponding firewall rule:

config rule 'wg'
  option name 'allow-wireguard'
  option proto 'udp'
  option target 'ACCEPT'
  option src 'wan'
  option dest_port '51820'
  option family 'ipv4'

That all works fine for port 51820. I want to try other ports including 53, 123, 443, etc. Thanks!

Sure, you can do that with the redirect rules, but it is easier to just use 443 on the server; chances are that is not blocked.

But if you want it certainly is possible

Edit: something like this would work (192.168.9.1 is the router's IP), just try it out:

config redirect
	option target 'DNAT'
	option name 'wg_443'
	option family 'ipv4'
	list proto 'udp'
	option src 'wan'
	option src_dport '443'
	option dest_port '51820'
	option dest_ip '192.168.9.1'

The reason I want to try it this way is because I want to test multiple ports without traveling back-and-forth since my remote device is just a simple iPhone.

My plan is to set up all the redirects corresponding to each of the ports I wish to try. Hope that makes sense.


Yes, I've done what you wish to temporarily change the port, e.g. to use 123/udp or something, etc.:

config redirect
  option target 'DNAT'
  list proto 'udp'
  option src 'wan'
  option src_dport '123'
  option dest_ip '192.168.1.1'
  option dest_port '51820'
  option name 'wg_redirect_port123udp'
  option dest 'lan'

Yes, it also helps if one location blocks a port, etc. - and as you said, you can test another port without altering the WG interface itself.

Not in relation to the specific issue in this thread, but:
If you want to create a site-to-site VPN, for instance, with a (multiple) hub-and-spoke or other partially or fully meshed topology, and you have many connections from and to each router, and you want to use a dynamic routing protocol within the VPN without losing your sanity, then you want to have many, many point-to-point interfaces. :wink:

(Yes you can use a single wg-interface on a single hub-and-spoke, and configure i.e. OSPF with Point-to-Multipoint. But as soon as you want to have redundant connections to multiple hubs or maybe even interconnects (partial mesh) you will want to have dedicated point-to-point links/interfaces because otherwise you are unable to assign different costs to your interfaces, like which link is preferred if multiple routers offer the same reachability to a network.)

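Since the plan in this thread is to set up one redirect per candidate port before leaving home, here is an added example (not posted by anyone in the thread) that generates the whole set of `uci batch` commands from a port list, so a dozen redirects of the shape shown above can be created and later removed without editing /etc/config/firewall by hand. It assumes the LAN IP 192.168.1.1, listen_port 51820 and the zone names 'wan' and 'lan' from the replies above; every redirect points at the single existing wg0 listener, so no extra WireGuard interface and no separate ACCEPT rule is needed. It refuses ports outside 1-65535 and refuses the listener port itself, which needs no redirect.

```shell
#!/bin/sh
# Added example for this thread, not code from the thread or from OpenWrt.
# Assumptions (constructed): router LAN IP 192.168.1.1, WireGuard listen_port
# 51820, firewall zones named 'wan' and 'lan'. Adjust the two variables below.

WG_LISTEN_PORT=51820
ROUTER_IP=192.168.1.1

# valid_port PORT -> exit 0 if PORT is an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then
        return 0
    fi
    return 1
}

# wg_redirect_batch PORT... -> prints a `uci batch` script on stdout that adds
# one udp DNAT redirect per PORT (wan:PORT -> ROUTER_IP:WG_LISTEN_PORT).
# Prints nothing and returns 1 if any port is invalid or is the listener port.
wg_redirect_batch() {
    for p in "$@"; do
        if ! valid_port "$p"; then
            echo "invalid port: $p" >&2
            return 1
        fi
        if [ "$p" -eq "$WG_LISTEN_PORT" ]; then
            echo "port $p is the listener itself, no redirect needed" >&2
            return 1
        fi
    done
    for p in "$@"; do
        # Naming the sections after the port makes them easy to find and delete
        # again (uci show firewall | grep wg_redirect_port) once testing is done.
        cat <<EOF
add firewall redirect
set firewall.@redirect[-1].name='wg_redirect_port${p}udp'
set firewall.@redirect[-1].target='DNAT'
set firewall.@redirect[-1].src='wan'
set firewall.@redirect[-1].dest='lan'
add_list firewall.@redirect[-1].proto='udp'
set firewall.@redirect[-1].src_dport='$p'
set firewall.@redirect[-1].dest_ip='$ROUTER_IP'
set firewall.@redirect[-1].dest_port='$WG_LISTEN_PORT'
set firewall.@redirect[-1].family='ipv4'
EOF
    done
    echo "commit firewall"
}

# Usage on the router (left as a comment so sourcing this file changes nothing):
#   wg_redirect_batch 53 123 443 | uci batch && /etc/init.d/firewall reload
```

Run `wg_redirect_batch 53 123 443` first without the pipe to review the generated commands; only then feed them to `uci batch`. The listener-port check is there because a redirect from wan:51820 to 51820 adds nothing over the existing 'allow-wireguard' rule, and the port validation keeps a typo in the list from producing a section the firewall will reject on reload.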