Hello everyone.
I have set up a Wireguard VPN server on my OpenWrt router. It's listening on default port 51820.
I opened WAN port 51820, and the Wireguard VPN has been working flawlessly for a few months now.
But to bypass some firewall restrictions, I would like to set up the Wireguard server listening on UDP port 53, which must not be blocked by firewalls (being the DNS port on UDP).
For example, my OpenVPN server is listening on local port TCP 1194 but I have a redirection from WAN port 443 TCP to LAN port 1194 TCP.
I would like to do the same for Wireguard.
But I cannot make it work by setting up a redirection in the OpenWrt firewall from port 53 UDP on WAN to port 51820 on LAN (or on the device itself), and setting up my Wireguard client to connect to my WAN IP on port 53 (the same way I did for my OpenVPN server and firewall rules/redirection).
I tried to add my wan (and wan6) interfaces to the excluded interfaces of my local OpenWrt DNS server, but this doesn't change anything.
I do my testing for my wireguard client on my mobile phone on LTE.
I first believed that my ISP blocked port 53, but I tried to make dnsmasq on my OpenWrt listen on wan, and if I open port 53 on WAN in the firewall and set the DNS server on a client outside my LAN (on another network) to my public IP, it works. So my ISP doesn't block port 53.
I have dnscrypt-proxy installed on my OpenWrt, but I tried to shut it down, and it doesn't change anything.
Port 53 won't show up as listening for wireguard. You are merely rewriting the destination address and port of the packet in prerouting.
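For illustration (added here, not posted by anyone in the thread), the kind of redirect the original poster describes, in /etc/config/firewall syntax; the rule name is made up, and leaving out dest_ip makes the router itself the target of the DNAT:

```text
config redirect
	option name 'wg-udp53'          # hypothetical name
	option src 'wan'
	option src_dport '53'
	option proto 'udp'
	option target 'DNAT'
	option dest_port '51820'        # WireGuard keeps listening on its own port
	option family 'ipv4'
```

Because the rewrite happens in prerouting, nothing will ever show WireGuard "listening" on 53; the tcpdump on the WAN interface suggested in the next reply is the way to see whether UDP/53 packets reach the router at all.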
Good point, let's see what comes to the router: opkg update; opkg install tcpdump; tcpdump -i $(uci get network.wan.ifname) -evn udp port 53 or udp port 51820
You are right.
I didn't receive anything in tcpdump from my mobile phone on LTE.
I tried from another connection at my friend's house and it worked (with the config from the beginning).
It's weird that the mobile carrier blocks outgoing port 53 (mine is SFR from France).
Mobile providers especially tend to block quite aggressively, and blocking port 53 isn't unlikely either, as ISPs are fighting open resolvers (which are, at best, a sign of misconfiguration, but more likely abused in DDoS attacks).