Basy4u
January 21, 2025, 5:21am
Hi, I am trying to set up Wireguard to be used on some additional non-default ports like 53, 54, 443, etc., to be used with the WG client (iPhone) over restricted wifi networks.
Currently my Wireguard client successfully connects over a single non-default port (51790) without any issues. However, I want to be able to connect over the other ports as above in case of such a scenario.
As per some online articles, I added a port-forward rule to forward any incoming traffic over ports 53 and 54 on wan to port 51790 in the unspecified zone.
But my VPN client does not receive a successful handshake.
Alternatively I have seen some articles suggesting iptables commands to configure some custom firewall rules. However, as far as I understand, my version of OpenWrt (23.05) only supports nft and I do not find any supporting articles online for nft.
I am not sure if this is even required, or whether just the port-forwarding as indicated above would suffice.
Appreciate any help on this.
Let’s take a look at the config.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
I know this is not what you asked about, but for restricted networks OpenVPN works better. It can (to a certain extent) disguise itself as HTTPS traffic and deceive (some) proxies.
Basy4u
January 21, 2025, 1:56pm
Thanks for the revert. Please find the configuration as requested.
root@routerAdoh:~# ubus call system board
{
"kernel": "5.15.162",
"hostname": "routerAdoh",
"system": "ARMv8 Processor rev 4",
"model": "ASUS TUF-AX4200",
"board_name": "asus,tuf-ax4200",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.4",
"revision": "r24012-d8dd03c46f",
"target": "mediatek/filogic",
"description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
}
}
root@routerAdoh:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix '##redacted##'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
option ipv6 '0'
config device
option name 'lan1'
option macaddr '##redacted##'
config device
option name 'lan2'
option macaddr '##redacted##'
config device
option name 'lan3'
option macaddr '##redacted##'
config device
option name 'lan4'
option macaddr '##redacted##'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.111.1'
option netmask '255.255.255.0'
option ip6assign '60'
list dns '212.77.192.60'
list dns '8.8.8.8'
option delegate '0'
config device
option name 'eth1'
option macaddr '##redacted##'
config interface 'wan'
option device 'eth1'
option proto 'static'
option ipaddr '192.168.100.3'
option netmask '255.255.255.0'
option gateway '192.168.100.1'
list dns '212.77.192.60'
list dns '8.8.8.8'
config interface 'wan6'
option device 'eth1'
option proto 'dhcpv6'
config interface 'wg0'
option proto 'wireguard'
option private_key '##redacted##'
option listen_port '51790'
list addresses '10.0.0.1/32'
config wireguard_wg0
option description 'Basy-i12P'
option public_key '##redacted##'
option preshared_key '##redacted##'
list allowed_ips '10.0.0.2/32'
option route_allowed_ips '1'
option persistent_keepalive '0'
config wireguard_wg0
option description 'QE-LPTP2'
option public_key '##redacted##'
option private_key '##redacted##'
list allowed_ips '10.0.0.3/32'
option persistent_keepalive '0'
option route_allowed_ips '1'
config wireguard_wg0
option description 'routerBccj'
option public_key '##redacted##'
option persistent_keepalive '0'
list allowed_ips '10.0.0.0/24'
list allowed_ips '192.168.222.0/24'
list allowed_ips '192.168.1.1/32'
list allowed_ips '0.0.0.0/0'
root@routerAdoh:~# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option log '1'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option log '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-Multicast-WAN'
option family 'ipv4'
list proto 'udp'
option src 'wan'
list dest_ip '224.0.0.0/4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Allow-WireGuard-Inbound'
list proto 'udp'
option src '*'
option dest_port '51790'
option target 'ACCEPT'
config rule
option name 'Wg-Allow-LAN-Forward'
list proto 'all'
option src '*'
option dest 'vpn'
option target 'ACCEPT'
config rule
option name 'Allow-LuCI-on-WAN'
list proto 'tcp'
option src 'wan'
option dest_port '443'
option target 'ACCEPT'
config rule
option name 'Allow-SSH-on-WAN'
list proto 'tcp'
option src 'wan'
option dest_port '22'
option target 'ACCEPT'
config rule
option name 'ALWAYS-ALLOW-SELECT'
option src 'lan'
option dest 'wan'
option target 'ACCEPT'
list proto 'tcp'
list proto 'udp'
list proto 'icmp'
list proto 'igmp'
list proto 'esp'
list src_mac '##redacted##'
list src_mac '##redacted##'
list src_mac '##redacted##'
list src_mac '##redacted##'
list src_mac '##redacted##'
list src_mac '##redacted##'
list src_mac '##redacted##'
list src_mac '##redacted##'
list src_mac '##redacted##'
config rule
option name 'Block-Select-Schedule-S1'
option src 'lan'
list src_mac '##redacted##'
list src_mac '##redacted##'
option dest 'wan'
option target 'REJECT'
option weekdays 'Sun Mon Tue Wed Thu Sat'
option start_time '08:30:00'
option stop_time '10:00:00'
config rule
option name 'Block-Select-Schedule-S2'
option src 'lan'
list src_mac '##redacted##'
list src_mac '##redacted##'
option dest 'wan'
option target 'REJECT'
option weekdays 'Sun Mon Tue Wed Thu Sat'
option start_time '10:30:00'
option stop_time '12:00:00'
config rule
option name 'Block-Select-Schedule-S3'
option src 'lan'
list src_mac '##redacted##'
list src_mac '##redacted##'
option dest 'wan'
option target 'REJECT'
option weekdays 'Sun Mon Tue Wed Thu Sat'
option start_time '12:30:00'
option stop_time '14:00:00'
option enabled '0'
config rule
option name 'Block-Select-Schedule-S4'
option src 'lan'
list src_mac '##redacted##'
list src_mac '##redacted##'
option dest 'wan'
option target 'REJECT'
option weekdays 'Sun Mon Tue Wed Thu Sat'
option start_time '14:30:00'
option stop_time '16:00:00'
option enabled '0'
config rule
option name 'Block-Select-Schedule-S5'
option src 'lan'
list src_mac '##redacted##'
list src_mac '##redacted##'
option dest 'wan'
option target 'REJECT'
option weekdays 'Sun Mon Tue Wed Thu Sat'
option start_time '16:30:00'
option stop_time '18:00:00'
option enabled '0'
config rule
option name 'Block-Select-Schedule-S6'
option src 'lan'
list src_mac '##redacted##'
list src_mac '##redacted##'
option dest 'wan'
option target 'REJECT'
option weekdays 'Sun Mon Tue Wed Thu Sat'
option start_time '18:30:00'
option stop_time '20:00:00'
config rule
option name 'Block-Select-Schedule-S7'
option src 'lan'
list src_mac '##redacted##'
list src_mac '##redacted##'
option dest 'wan'
option target 'REJECT'
option weekdays 'Sun Mon Tue Wed Thu Sat'
option start_time '20:30:00'
option stop_time '22:00:00'
option enabled '0'
config rule
option name 'Block-Select-Schedule-S8'
option src 'lan'
list src_mac '##redacted##'
list src_mac '##redacted##'
option dest 'wan'
option target 'REJECT'
option weekdays 'Sun Mon Tue Wed Thu Sat'
option start_time '22:30:00'
option stop_time '23:30:00'
option enabled '0'
config rule
option name 'Block-Specific'
option src 'lan'
list src_mac '##redacted##'
list src_mac '##redacted##'
list src_mac '##redacted##'
list src_mac '##redacted##'
option dest 'wan'
option target 'REJECT'
option enabled '0'
config rule
option name 'BLOCK-ALL'
list proto 'all'
option src 'lan'
option dest 'wan'
option target 'REJECT'
option enabled '0'
config include 'pbr'
option fw4_compatible '1'
option type 'script'
option path '/usr/share/pbr/firewall.include'
config zone
option name 'vpn'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'wg0'
option log '1'
config forwarding
option src 'vpn'
option dest 'lan'
config forwarding
option src 'vpn'
option dest 'wan'
config redirect
option target 'DNAT'
option name 'WG-over-NS-Ports'
option src 'wan'
option src_dport '53-54'
option dest_port '51790'
Basy4u
January 21, 2025, 1:59pm
Thanks for the advice. Based on my research I found Wireguard to be much better performing than OpenVPN, although I haven't tried it to compare myself.
Shall consider it if I hit a roadblock.
But UDP to TCP conversion should make the traffic much slower right? Since in my use case, I am looking to route traffic through my home router from outside.
IMHO, there are too many variables to give a simple answer; I think you need to perform your own tests, with your devices, your ISP, etc.
Basy4u
January 25, 2025, 12:08pm
@psherman any valuable insights into this?
egc
January 25, 2025, 12:42pm
I think a simple portforward should do, something like:
config redirect
option dest 'wan'
option target 'DNAT'
option name 'wgportforward'
list proto 'udp'
option src 'wan'
option src_dport '51820'
option dest_port '55443'
This forwards port 51820 > 55443; my wg client uses port 51820 and the server listens on 55443.
I think that @egc's comments here are correct.
Many networks that are tightly locked down may perform DPI to attempt to limit traffic to the allowed protocols. Wireguard won't 'look' like anything allowed through.
For things like DNS (port 53), they may even redirect to their own/preferred servers (DNS hijacking) that can limit DNS resolution to only the domains they allow and/or allow them to track connections. If they do hijack DNS, your connection simply won't work.
The port forward option should work, assuming that the traffic can make it through the firewall on the restrictive network. Although I'd actually do the port forward on your main router where it will have the alternate external port then forwarding to 192.168.100.3 port 51790.
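As an added example (not code from the thread or from OpenWrt), the shell audit below parses fw4 `config redirect` sections the way the firewall file posted above is written and reports which alternate ports lack a UDP redirect from wan to the WireGuard listen port; the 53-54 redirect and port 51790 come from the thread, while the 443 redirect and the sample firewall text are constructed.

```shell
# Added example, not from the thread or OpenWrt: audit fw4 redirect sections for
# WireGuard.  Listen port 51790 and the 53-54 redirect come from the thread; the
# 443 redirect and the sample text below are constructed.
set -eu
sample_firewall() {   # constructed stand-in for the redirect part of /etc/config/firewall
cat <<'EOF'
config redirect
	option src 'wan'
	option src_dport '53-54'
	option dest_port '51790'
config redirect
	list proto 'udp'
	option src 'wan'
	option src_dport '443'
	option dest_port '51790'
EOF
}
# redirect_map < firewall: prints "src_zone proto port -> dest_port" per redirect,
# protocol and port, expanding 'a-b' ranges.  fw4 defaults proto to 'tcp udp'.
redirect_map() {
  tr -d "'" | awk '
    function val(   v) { v = $0; sub(/^[ \t]*(option|list)[ \t]+[^ \t]+[ \t]+/, "", v); return v }
    function flush(   n, i, port, pr, r) {
      if (insec && src_dport != "" && dest_port != "") {
        n = split((proto == "") ? "tcp udp" : proto, pr, " ")
        if (!index(src_dport, "-")) src_dport = src_dport "-" src_dport
        split(src_dport, r, "-")
        for (i = 1; i <= n; i++)
          for (port = r[1] + 0; port <= r[2] + 0; port++)
            printf "%s %s %d -> %s\n", src, pr[i], port, dest_port
      }
      insec = 0; proto = src = src_dport = dest_port = ""
    }
    /^config /                 { flush(); insec = ($2 == "redirect") }
    insec && $2 == "proto"     { proto = (proto == "") ? val() : proto " " val() }
    insec && $2 == "src"       { src = $3 }
    insec && $2 == "src_dport" { src_dport = $3 }
    insec && $2 == "dest_port" { dest_port = $3 }
    END { flush() }'
}
# wg_ports_missing <listen_port> <alt_port>... (firewall text on stdin): prints
# alternate ports with no UDP redirect from wan to <listen_port>; 0 if none.
wg_ports_missing() {
  listen=$1; shift; map=$(redirect_map); missing=""
  for p in "$@"; do
    echo "$map" | grep -q "^wan udp $p -> $listen\$" || missing="$missing $p"
  done
  [ -z "$missing" ] || { echo "missing:$missing"; return 1; }
}
sample_firewall | wg_ports_missing 51790 53 54 443 && echo "53 54 443 all reach 51790"
```

On a real router, replace `sample_firewall` with `cat /etc/config/firewall` and compare the result against `nft list chain inet fw4 dstnat_wan`, which shows the rules fw4 actually generated.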
Basy4u
January 26, 2025, 9:10am
Thanks @egc and @psherman for the valuable insights.
Based on the config provided by @egc, it looks near to what I am trying to achieve, but it seems to be in the reverse direction (at the wg-server end) in my case, as @psherman mentioned in point 3.
@psherman, thanks for highlighting points 1 & 2, as this is something I need to figure out as well, whether these networks are actually allowing my client to pass through.
Cheers!