UDP connection and stateful firewall configuration

I want to connect two peers via Wireguard. Both LANs are NATted behind two OpenWrt routers. The two Wireguard peers are not the routers, but hosts inside their respective LAN.

My Wireguard is perfectly working. The problem is, I have to create a port forward entry in the client's router. Isn't it a stateful firewall's job to allow the client to reach the server without any port forward rule, since the client started the communication? Instead, I'm fine with creating a rule in the server's router.

Now you may be wondering why I care so much about a single configuration entry, but my motto is "less is more", so I'd like to avoid that single entry. Plus, there's something here I'm not understanding, so I want to see clearly into it.

Except that UDP is a stateless protocol…

Yes, you do need to create the required port forwards - you effectively have servers on both ends of the connection (WireGuard does not do hole punching for you).


As @slh said, UDP is a stateless protocol.

However, in my experience, if you have a 'server' and 'client' configuration (where the 'client' is the one that actively establishes the connection and the 'server' only listens), you do not need to set up any port forwarding entries in the 'client' side router.

For example, I have WG configured as a 'client' on my desktop computer and it connects back to a 'server' at another location. There are no port forwards defined for my desktop.

Post your 'client' side config and we can review.

First of all, thanks to both of you for your help.

Except that UDP is a stateless protocol…

Yes I am aware of that, yet I've read there's the PersistentKeepalive setting so that stateful firewalls won't drop the connection, thus implying they can sort of track UDP "connections"... I'm confused, no lies.

Post your 'client' side config and we can review.

I'll post both! They're stupidly simple.

Server:

[Interface]
Address = 192.168.2.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = [redacted]

[Peer]
PublicKey = [redacted]
AllowedIPs = 192.168.2.2/32
Endpoint = [automatically added by wg-quick]

Client:

[Interface]
Address = 192.168.2.2
PrivateKey = [redacted]

[Peer]
PublicKey = [redacted]
Endpoint = [redacted]:51820
AllowedIPs = 192.168.2.0/24
PersistentKeepalive = 25

  • Consider decreasing
  • place the keep-alive config on the remote end (i.e. the server) - as this is the device that needs to get through the firewall :wink:

No, doesn't work. There's no handshaking when moving the keepalive from client to server.

What if you remove this? In my configurations, I do not have an endpoint defined on the "server" side. The "client" is the one that sets up the connection.

So many "client" and "server" in this thread, so funny :joy: :joy:
Even if you use the "", it doesn't make them client and server anyway lmao.
Wireguard is just peers; the only thing that would make a difference is that usually the "client" is under NAT, and that's where you put the keepalive 25 option.

Yep, that is the problem: you don't create a port forward but a traffic rule.
Also, you don't need to use persistent keepalive on both ends; 1 end behind NAT is enough.
You are welcome. :sunglasses:

If I remove it, it gets added back the moment I use wg-quick again. How do you activate/deactivate a Wireguard device?

I don't use wg-quick, so I don't know. I use the standard wireguard app on my Macs, Chrome (Android), and iOS devices. And on my OpenWrt routers, I also don't have to worry about wg-quick doing stuff.

Can you explain your reasoning?

This would indeed require a port forward for the device having the static IP/DDNS/inbound port connection (i.e. what the OP calls the "server"). The OP would open 51820/udp to the IP of the machine running Wireguard.

If the OP has firewall issues on both ends, then keepalive should be run on both.

:smile: LOL, I get @Stiel's comment about client/servers talk now....to be clear, you should only need a port forward on the device listening at 51820/udp....

In fact, since you don't specify a listen port on the other end, I'm not sure how you made a rule for its firewall anyway. :man_shrugging:

I use the terms, in quotes, to differentiate between the usage model of each of the peers. I am well aware that Wireguard doesn't distinguish between server and client modes -- peers are peers.

However, at a human scale, it can be useful. For example, the VPN endpoint/peer in my home is a server insofar as it is listening for incoming connections (and my connection has a true public IP, no CGNAT issues), and my mobile devices (which act as clients) can initiate the connection back to my home at any time from anywhere. The reverse is not true -- my mobile devices cannot operate in this "server" model and thus my home connection cannot initiate a connection to the mobile.

While this may seem obvious, having an explicit understanding of the operating mode is necessary to get things working properly (for example, a port forward or open port is required to enable "server" mode, but not necessary for "client" mode; similarly, the listen port is required on the "server" side but not on the "client").

I both love and hate the fact that WG just treats all devices as peers. It massively simplifies configuration when it comes to key exchanges and the like being the same regardless of the mode of operation, but not having a traditional server/client relationship does make the description and troubleshooting for a configuration on a forum like this a bit more difficult.

Yep, I went crazy when I first started with Wireguard.
It's hard at first because you are used to OpenVPN, and anyway we have the server/client mindset from most common things we use.
Anyway, to start off, I don't even know what devices the OP wants to connect.
Are they routers?
Linux PC, Windows PC, servers? VPS?
Hard to help without knowing what we are talking about.
From what I heard, I guess we are not talking about 2 OpenWrt routers, because if the peers are 2 routers, it's really easy.
Also, about the keepalive question, the Wireguard community says it sucks to use, because it makes the VPN less safe, but, again,
unless you have an old build, you have to use it only on 1 peer.
And the reason behind this is really easy.
All it does is just send a handshake, let's say, periodically based on how high you set the value, to keep the NAT alive in fact.
Understanding this, you already know it's useless for both to send it, since as long as 1 of the peers sends it, that's it.
It works even without it, but based on what type of NAT you have, it is safe to have 1 peer send the handshake once in a while, to avoid breaking the connection.
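The NAT behaviour argued about in this thread, as an added example (not code from the thread, from OpenWrt, or from WireGuard itself): a small Python model of two NAT routers with conntrack-style UDP timeouts, a WireGuard 'client' behind one and a 'server' behind the other. It covers the points made above: the listening peer behind NAT needs the one static port forward, the initiating peer needs none, one peer's PersistentKeepalive is enough to keep the mapping alive, and keepalive only on the 'server' does nothing until the 'server' has learned an endpoint. Addresses are from the RFC 5737 documentation ranges, the 30 s / 120 s UDP timeouts are assumptions modelled on the Linux nf_conntrack defaults, and the simplifications (no cryptography, a single datagram stands in for a handshake message, the 'server' starts with no configured Endpoint) are mine.

```python
"""Toy model of a stateful NAT in front of each WireGuard peer (added example).

Addresses are RFC 5737 documentation ranges; timeouts are assumptions modelled on the
Linux nf_conntrack UDP defaults. No cryptography: one datagram stands in for a handshake.
"""
from dataclasses import dataclass, field

UDP_TIMEOUT_UNREPLIED = 30   # assumed: nf_conntrack_udp_timeout (no reply seen yet)
UDP_TIMEOUT_STREAM = 120     # assumed: nf_conntrack_udp_timeout_stream (both directions seen)


@dataclass
class Mapping:
    inside: tuple        # LAN (ip, port) that owns the flow
    public_port: int     # source port the router uses on its WAN side
    remote: tuple        # WAN (ip, port) the flow is pinned to
    expires_at: int
    replied: bool = False


@dataclass
class NatRouter:
    public_ip: str
    next_port: int = 40000
    table: dict = field(default_factory=dict)     # (public_port, remote) -> Mapping
    forwards: dict = field(default_factory=dict)  # static DNAT: public_port -> LAN (ip, port)

    def _expire(self, now):
        for key in [k for k, m in self.table.items() if m.expires_at <= now]:
            del self.table[key]

    def _refresh(self, m, now):   # any matching packet, either direction, restarts the timer
        m.expires_at = now + (UDP_TIMEOUT_STREAM if m.replied else UDP_TIMEOUT_UNREPLIED)

    def outbound(self, now, src, dst):
        """LAN host src sends to WAN dst; returns the public (ip, port) the datagram leaves with."""
        self._expire(now)
        for m in self.table.values():
            if m.inside == src and m.remote == dst:
                self._refresh(m, now)
                return (self.public_ip, m.public_port)
        # a host with a static forward keeps its forwarded port; anyone else gets an ephemeral one
        port = next((p for p, host in self.forwards.items() if host == src), None)
        if port is None:
            port, self.next_port = self.next_port, self.next_port + 1
        self.table[(port, dst)] = Mapping(src, port, dst, now + UDP_TIMEOUT_UNREPLIED)
        return (self.public_ip, port)

    def inbound(self, now, src, public_port):
        """WAN src sends to public_ip:public_port; returns the LAN target, or None if dropped."""
        self._expire(now)
        m = self.table.get((public_port, src))
        if m is None and public_port in self.forwards:   # no state, but a port forward matches
            m = Mapping(self.forwards[public_port], public_port, src, now)
            self.table[(public_port, src)] = m
        if m is None:                                    # no state and no forward: dropped
            return None
        m.replied = True
        self._refresh(m, now)
        return m.inside


@dataclass
class Peer:
    addr: tuple              # LAN (ip, port) of the WireGuard host
    nat: NatRouter
    endpoint: tuple = None   # WAN (ip, port) of the other peer; None = not known yet
    keepalive: int = 0       # PersistentKeepalive in seconds, 0 = off


def send(now, frm, to):
    """Carry one datagram frm -> to through both routers; True if it reached the other host."""
    if frm.endpoint is None:          # a peer with no endpoint has nowhere to send to
        return False
    public_src = frm.nat.outbound(now, frm.addr, frm.endpoint)
    if to.nat.inbound(now, public_src, frm.endpoint[1]) != to.addr:
        return False
    to.endpoint = public_src          # the receiver learns the sender's current public address
    return True


def simulate(client_keepalive, server_keepalive, server_forward=True,
             initial_traffic=True, quiet_until=300):
    """Returns (handshake_completed, late_server_push_delivered) for one configuration."""
    nat_a = NatRouter("203.0.113.10")    # router in front of the 'client'
    nat_b = NatRouter("198.51.100.20")   # router in front of the 'server'
    server = Peer(("192.168.10.5", 51820), nat_b, keepalive=server_keepalive)
    client = Peer(("192.168.1.10", 51000), nat_a,
                  endpoint=(nat_b.public_ip, 51820), keepalive=client_keepalive)
    if server_forward:
        nat_b.forwards[51820] = server.addr   # the one entry the thread says is needed

    def exchange(now, frm, to):   # initiation one way, response the other way
        return send(now, frm, to) and send(now, to, frm)

    handshake = False
    for now in range(quiet_until + 1):
        if now == 0 and initial_traffic:
            handshake |= exchange(now, client, server)
        for p, other in ((client, server), (server, client)):
            if p.keepalive and now % p.keepalive == 0:
                handshake |= exchange(now, p, other)
    # after the quiet period the 'server' has something to push to the 'client'
    return handshake, send(quiet_until + 1, server, client)


if __name__ == "__main__":
    print("client keepalive 25:        ", simulate(25, 0))
    print("no keepalive at all:        ", simulate(0, 0))
    print("server keepalive, no traffic:", simulate(0, 25, initial_traffic=False))
    print("no server port forward:     ", simulate(25, 0, server_forward=False))
```

Running it shows the first handshake is only dropped when the 'server' side has no forward, that with no keepalive the 'client' router forgets the flow after its 120 s of silence so a later push from the 'server' is dropped, and that keepalive on the 'server' alone never gets started because that peer has no endpoint until the 'client' initiates; once a session exists, a keepalive from either side refreshes the mapping in this model, which is why a single sender is enough.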

This is not the point of this thread, but by not specifying a port you let Wireguard choose one randomly. Once you have that port, you create a temporary port forward rule.

Is it important? I posted my configuration files and told you both PEERS are behind a NAT maintained by two different OpenWrt routers. This is written right in my first post.

  • My point was: You shouldn't need one.
  • Also, you can specify the port there too - but I didn't mention that because you shouldn't need to :wink:

It's not...but check your PC's firewall too! :smiley: