OpenWRT behind the ISP Router: working WITHOUT port forwarding... dangerous?

Hello! I use EdgeRouterX as OpenWRT router, and it used to be behind Fritzbox 7530ax. I had the right port forwarding set on 7530, necessary for wireguard to work. Now, we just got fiber optic, so I got Fritzbox 5530 fiber. But stupidly, I managed to activate the connection over fiber optic before transferring the config from 7530 to 5530. So right now I just let ERX behind 5530. I was going to set up the right port forwarding on 5530, then realized that wireguard is already working without any port being forwarded. I have a site-to-site wireguard, in order to reach to the router etc of the other site, and I do have access to them, even though I haven't done anything on FB5530.
Does that mean that everything is open? Isn't it dangerous? How can I check what's going on?

I would appreciate your advice!

You need to open a port only if you intend to receive incoming fresh WG connections, e.g. when the other site reboots. UPnP and co. can do it.

Probably you made the connection from this router to the other side, just like a simple WG client; in that case you do not need to open a port.
Dangerous, that is not.

Thank you for your replies!

No, it was site-to-site, and I checked both directions. But what @brada4 says makes sense: once the existing session ends somehow, it's probably not going to connect again unless I open the ports. I'm going to do it!

A site-to-site setup usually can connect from either side as you set endpoints on both sites.
It is not obligatory for a site-to-site setup to have endpoints set at both sides, you can have a site-to-site setup even when one side is behind CGNAT.
Site-to-site, in my book, is just a setup which supports bi-directional traffic between routers.

Using endpoints on both sides will get you some redundancy though.

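The replies above boil down to one question: from which side can a fresh handshake still be started once the current session is gone? The following is an added example, not code from the thread, from OpenWrt or from the WireGuard project. It parses two constructed wg-quick style configs (site A is the ERX behind the ISP router with no port forward, site B has a reachable listen port) and reports, per side, whether it can initiate, whether it accepts inbound handshakes, and whether a PersistentKeepalive keeps the NAT mapping alive. All keys, hostnames and subnets are placeholders I made up; the two flags `behind_nat` and `port_forwarded` are assumptions you supply for each site, since the config alone cannot tell you what the upstream router does.

```python
"""Assess whether a site-to-site WireGuard tunnel can recover after a session ends.

Constructed example for illustration; not the OpenWrt or WireGuard project's code.
"""

# Constructed config for site A: router behind the ISP box, NO port forward.
# It has an Endpoint for its peer, so it can initiate, and a keepalive so the
# ISP router's NAT mapping for UDP 51820 does not expire while idle.
SITE_A_CONF = """
[Interface]
PrivateKey = <site-a-private-key-placeholder>
ListenPort = 51820
Address = 10.10.0.1/24

[Peer]
PublicKey = <site-b-public-key-placeholder>
AllowedIPs = 10.10.0.2/32, 192.168.2.0/24
Endpoint = siteb.example.invalid:51820   # placeholder hostname
PersistentKeepalive = 25
"""

# Constructed config for site B: reachable listen port, but no Endpoint for A,
# so B can only answer handshakes, never start one.
SITE_B_CONF = """
[Interface]
PrivateKey = <site-b-private-key-placeholder>
ListenPort = 51820
Address = 10.10.0.2/24

[Peer]
PublicKey = <site-a-public-key-placeholder>
AllowedIPs = 10.10.0.1/32, 192.168.1.0/24
"""


def parse_wg_conf(text):
    """Parse a wg-quick style config into {'Interface': {...}, 'Peers': [{...}, ...]}."""
    conf = {"Interface": {}, "Peers": []}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line == "[Interface]":
            current = conf["Interface"]
        elif line == "[Peer]":
            current = {}
            conf["Peers"].append(current)
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return conf


def peer_capabilities(conf, behind_nat, port_forwarded):
    """Report what this side can do on its own for its (single) peer.

    behind_nat / port_forwarded describe the upstream router; they are inputs
    you assert about your network, not something the config can reveal.
    """
    peer = conf["Peers"][0]
    has_endpoint = "Endpoint" in peer
    keepalive = int(peer.get("PersistentKeepalive", 0))
    return {
        # A handshake can only be started toward a known address.
        "can_initiate": has_endpoint,
        # Unsolicited handshakes reach us only if nothing upstream drops them.
        "accepts_inbound": (not behind_nat) or port_forwarded,
        # Keepalives only matter for the mapping we created by initiating.
        "keeps_nat_mapping": has_endpoint and keepalive > 0,
    }


def tunnel_recovers(side_a, side_b):
    """True if at least one side can start a fresh handshake the other will receive."""
    return (side_a["can_initiate"] and side_b["accepts_inbound"]) or (
        side_b["can_initiate"] and side_a["accepts_inbound"]
    )


if __name__ == "__main__":
    a = peer_capabilities(parse_wg_conf(SITE_A_CONF), behind_nat=True, port_forwarded=False)
    b = peer_capabilities(parse_wg_conf(SITE_B_CONF), behind_nat=False, port_forwarded=False)
    print("site A:", a)
    print("site B:", b)
    print("tunnel can re-establish after a restart:", tunnel_recovers(a, b))
```

In the constructed scenario the tunnel still recovers because site A keeps an Endpoint for B and B's port is reachable; remove A's Endpoint, or put B behind an unforwarded NAT as well, and `tunnel_recovers` turns false, which is exactly the "after the session ends it won't reconnect" case discussed above. On the router itself, `wg show` (latest handshake time and the current endpoint per peer) is the quickest way to confirm which side actually initiated the live session.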

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.