UDP port shown as open for wireguard use

Hello, just a question. I have a traffic rule in OpenWrt that accepts inbound traffic on my WireGuard listen port, and everything works. I'm not very familiar with WireGuard, but since it is UDP, shouldn't the port *not* show up as open? I tested with https://www.ipvoid.com/udp-port-scan/ against my external IP and the port from the traffic rule. Is this the expected result, or should it show as closed? This is the website's result:

Port	Type	Status	Service
<PORT>	UDP	Open|filtered	unknown

If it's not open, how are you going to connect to it?


WireGuard silently discards any packet that does not authenticate as a handshake or data message from one of its configured peers, so it never sends a reply that a scanner could use to identify it.


Try this scanner instead.

Ah, I got it. I read up a little, and the open|filtered status appears even when WireGuard silently drops the packets. In my case the router's default was to REJECT input on the WAN, which sends back an ICMP port-unreachable and makes the scanner report a port as closed — so every other port showed as closed while the WireGuard port showed as open|filtered. That means an observer could easily guess that something is listening on that port, even though nothing explicitly says "It's me, WireGuard!".

What I did is change the router default to DROP all unmatched packets instead. Now every port you probe shows open|filtered, so the scan can no longer tell whether anything is listening on any particular port :slight_smile:


The recommended firewall configuration on the WAN is to REJECT device input and forward; that is what the OpenWrt defaults do. If you change the firewall configuration by hand without understanding each rule, you may end up with a config that is less secure than the defaults.

Would you like us to review?

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Sure, here is my config

ubus call system board

{
        "kernel": "5.15.162",
        "hostname": "OpenWrt",
        "system": "Intel(R) Celeron(R) J6412 @ 2.00GHz",
        "model": "Protectli VP2420",
        "board_name": "protectli-vp2420",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.4",
                "revision": "r24012-d8dd03c46f",
                "target": "x86/64",
                "description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
        }
}

cat /etc/config/network (I thought I had removed persistent_keepalive, but it is still here; I don't think it's needed, since my mobile isn't behind NAT)

# Loopback. The router's local resolver is addressed as 127.0.0.1 in the
# dns entries of lan, wan and wg0 below.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# ULA prefix. NOTE(review): IPv6 is disabled on every device further down,
# so this prefix is presumably never put to use.
config globals 'globals'
        option ula_prefix 'fd75:2ef3:940b::/48'

# LAN bridge: eth1 is its only member port; IPv6 off on the bridge.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        option ipv6 '0'

# Trusted LAN, 192.168.1.0/24, router at .1.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        list dns '127.0.0.1'

# WAN on eth0 via DHCP. peerdns '0' ignores the ISP-supplied resolvers and
# delegate '0' asks for no IPv6 prefix delegation; name resolution goes
# through the local resolver on 127.0.0.1 instead.
config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'
        option delegate '0'
        option peerdns '0'
        list dns '127.0.0.1'

# Separate Wi-Fi network, 192.168.2.0/24, bound statically to the wireless
# sub-interface radio0.network1 (see /etc/config/wireless).
config interface 'Fibre_Wifi'
        option proto 'static'
        option device 'radio0.network1'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'

# IPv6 switched off on every physical port and on the AP interface.
config device
        option name 'eth0'
        option ipv6 '0'

config device
        option name 'eth1'
        option ipv6 '0'

config device
        option name 'eth2'
        option ipv6 '0'

config device
        option name 'eth3'
        option ipv6 '0'

config device
        option name 'phy0-ap0'
        option ipv6 '0'

# WireGuard server interface. listen_port is the UDP port that the WG_TR
# rule in /etc/config/firewall accepts from the WAN; the router is
# 10.8.0.1 inside the tunnel. NOTE(review): the dns entry here is the
# router's own resolver setting for this interface -- nothing in this
# config pushes a DNS server to the peers, they must set it on their side.
config interface 'wg0'
        option proto 'wireguard'
        option private_key '<hidden>'
        option listen_port '<hidden>'
        list addresses '10.8.0.1/24'
        list dns '127.0.0.1'

# Peer entries, one /32 tunnel address each; route_allowed_ips adds the
# route to that address. Each peer also has a preshared_key on top of the
# public-key handshake. persistent_keepalive on the server side only
# matters when this router is itself behind NAT; the poster notes it was
# meant to be removed, and it is harmless otherwise.
config wireguard_wg0
        option description 'device1'
        option public_key '<hidden>'
        option preshared_key '<hidden>'
        option route_allowed_ips '1'
        list allowed_ips '10.8.0.2/32'
        option persistent_keepalive '25'

config wireguard_wg0
        option description 'device2'
        option public_key '<hidden>'
        option preshared_key '<hidden>'
        list allowed_ips '10.8.0.3/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

cat /etc/config/wireless

# 5 GHz radio on a fixed channel (36), 80 MHz wide.
config wifi-device 'radio0'
        option type 'mac80211'
        option path 'pci0000:00/0000:00:1c.6/0000:05:00.0'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'

# Single AP "Fibre", WPA2-PSK. NOTE(review): 'network' lists both lan and
# Fibre_Wifi, while /etc/config/network binds Fibre_Wifi statically to
# radio0.network1 and gives br-lan only eth1 as a port -- confirm which
# network Wi-Fi clients actually land on, since that decides whether the
# lan zone or the WiFi_FW zone applies to them.
config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan Fibre_Wifi'
        option mode 'ap'
        option ssid 'Fibre'
        option encryption 'psk2'
        option key '<hidden>'

cat /etc/config/dhcp

# dnsmasq does DHCP only: port '0' disables its DNS listener, so the
# rebind_protection / localservice / filter options below have no DNS
# traffic to act on. The odhcpd leasetrigger further down points at an
# unbound script, so DNS is presumably served by unbound on 127.0.0.1.
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'
        option port '0'

# LAN pool 192.168.1.100-.249, 12 h leases; DHCP option 6 hands clients
# 192.168.1.1 as their DNS server.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        list dhcp_option '6,192.168.1.1'

# Never run a DHCP server on the WAN side.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '1'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/lib/unbound/odhcpd.sh'
        option loglevel '4'

# Fibre_Wifi pool 192.168.2.100-.249. NOTE(review): clients are told to use
# 192.168.1.1 (the lan address) for DNS rather than this interface's own
# 192.168.2.1; that presumably only works because the WiFi_FW zone accepts
# input to the router.
config dhcp 'Fibre_Wifi'
        option interface 'Fibre_Wifi'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option '6,192.168.1.1'

# Static leases on the LAN. 192.168.1.114 (MacLaptop) is the address the
# Block_LAN_Untrusted_Devices rule in /etc/config/firewall tries to match.
config host
        option name 'raspberrypi'
        option ip '192.168.1.176'
        option mac '<hidden>'

config host
        option ip '192.168.1.166'
        option mac '<hidden>'

config host
        option name 'DietPi'
        option ip '192.168.1.125'
        option mac '<hidden>'

config host
        option name 'MacLaptop'
        option ip '192.168.1.114'
        option mac '<hidden>'

cat /etc/config/firewall (Block_LAN_Untrusted_Devices is currently misconfigured somehow — it doesn't block my laptop from accessing other devices on the LAN)

# Default policy for traffic that matches no zone: DROP rather than the
# OpenWrt stock REJECT, so unmatched probes get no ICMP reply at all.
# This is why every scanned WAN port now reads "open|filtered".
config defaults
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        option synflood_protect '1'

# Trusted LAN: router services and forwarding fully open from this zone.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

# WAN: inbound is silently dropped unless a rule below accepts it.
# masq NATs outbound traffic; mtu_fix clamps TCP MSS across the uplink.
config zone
        option name 'wan'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        option mtu_fix '1'
        option masq '1'
        list network 'wan'

# lan -> wan is the only forwarding allowed out of the LAN zone; nothing
# forwards lan -> WG_FW, so LAN hosts cannot initiate connections to peers.
config forwarding
        option src 'lan'
        option dest 'wan'

# WireGuard listener: accept UDP on the wg0 listen_port from the WAN,
# IPv4 only. WireGuard answers nothing on this port unless the packet
# authenticates against a configured peer key, so to a scanner the
# accepted port is indistinguishable from a dropped one.
config rule
        option name 'WG_TR'
        list proto 'udp'
        option src 'wan'
        option dest_port '<hidden>'
        option target 'ACCEPT'
        option family 'ipv4'

# NOTE(review): as written this rule cannot match the laptop.
# src_ip 192.168.1.114 is the lan-side DHCP reservation for MacLaptop, but
# src is the WiFi_FW zone (192.168.2.0/24), so packets from that address
# never enter through this zone. dest_ip 192.168.1.1 is the router itself,
# which is input traffic, not a forward to 'lan'. Traffic between two hosts
# on the same br-lan bridge is presumably switched locally and never seen
# by the forward chain at all -- confirm whether the laptop is on 'lan' or
# on 'Fibre_Wifi' and set src/src_ip to match.
config rule
        option name 'Block_LAN_Untrusted_Devices'
        list src_ip '192.168.1.114'
        option dest 'lan'
        option target 'REJECT'
        option src 'WiFi_FW'
        list dest_ip '192.168.1.1'
        list dest_ip '192.168.1.125'
        list proto 'all'

# --- OpenWrt stock WAN rules from here to Allow-ISAKMP ---
# DHCP replies from the ISP to the wan DHCP client.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# The router answers ICMP echo from the WAN (so the WAN IP is pingable).
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

# IPv6 housekeeping rules (DHCPv6, MLD, ICMPv6). NOTE(review): eth0 has
# ipv6 '0' in /etc/config/network, so these presumably never match; they
# are harmless to keep.
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Stock rules that accept IPsec forwarded wan -> lan. With masquerading on
# wan and no DNAT here there is presumably nothing for them to match;
# unused but harmless unless you later run IPsec behind the router.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Wi-Fi zone (Fibre_Wifi, 192.168.2.0/24), IPv4 only. input ACCEPT lets
# clients reach the router. NOTE(review): no 'config forwarding' names
# WiFi_FW as src, so under the DROP default these clients presumably reach
# only the router and neither the LAN nor the internet -- confirm this is
# intended (the AP is also attached to 'lan' in /etc/config/wireless).
config zone
        option name 'WiFi_FW'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option family 'ipv4'
        list network 'Fibre_Wifi'

# WireGuard peers (wg0, 10.8.0.0/24), IPv4 only. Peers may reach the router
# (input ACCEPT) and, via the two forwardings below, the LAN and the
# internet. output 'DROP' blocks new connections the router itself opens
# toward peers; masq '1' masquerades traffic leaving through wg0 behind
# 10.8.0.1; log '1' logs packets dropped/rejected in this zone, capped at
# 100 entries per minute.
config zone
        option name 'WG_FW'
        option input 'ACCEPT'
        option output 'DROP'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'wg0'
        option family 'ipv4'
        option log '1'
        option log_limit '100/minute'

# Peers get full access to the LAN and to the internet via the WAN.
config forwarding
        option src 'WG_FW'
        option dest 'lan'

config forwarding
        option src 'WG_FW'
        option dest 'wan'

Overall, how does it look? In my opinion it seems OK? :smiley:

The firewall is OK. With the default DROP action on WAN input, more or less every port should show as open|filtered. A UDP probe gets back either an ICMP port-unreachable (port closed), an application-layer reply (only if the service answers unsolicited data, which is very unlikely and which WireGuard never does), or nothing at all (dropped by the firewall or silently ignored by the service). So a scanner has no way to tell a filtered port apart from an open port whose service does not respond to random messages.
