Wireguard VPN server : redirect wan port 53 to 51820

Hello everyone.
I have set up a Wireguard VPN server on my OpenWrt router. It's listening on default port 51820.
I opened WAN port 51820, and the Wireguard VPN has been working flawlessly for a few months.

But to bypass some firewall restrictions, I would like to set up the Wireguard server listening on UDP port 53, which must not be blocked by firewalls (being the DNS port on UDP).
For example, my OpenVPN server is listening on local port TCP 1194 but I have a redirection from WAN port 443 TCP to LAN port 1194 TCP.
I would like to do the same for Wireguard.

But I cannot make it work by setting up a redirection in the OpenWrt firewall from port 53 UDP on WAN to port 51820 on LAN (or on the device itself), and setting up my Wireguard client to connect to my WAN IP on port 53 (the same way I did for my OpenVPN server and firewall rules/redirection).

I tried to set my wan (and wan6) interface in the excluded interfaces of my local OpenWrt DNS server, but this doesn't change anything.

Can someone explain why this doesn't work?

I tried this

And this, but without luck

dnsmasq is listening on 53 (and just blocked via firewall), so unless you make it listen only on specific interfaces/IPs, this port is taken.

That's why I excluded the wan interface from dnsmasq.

With this, when I do
netstat -tulpn | grep LISTEN
dnsmasq is not listening on my wan IP.

Or just do a NAT rule from wan 53 to lan 51820


This is what I'm trying:

config redirect
	option dest_port '51820'
	option src 'wan'
	option name 'Wireguard'
	option src_dport '53'
	option target 'DNAT'
	list proto 'udp'
	option dest 'lan'
	option dest_ip '192.168.3.1'

But it doesn't work...

Here's what's working for me:

config redirect
	option dest_port '51820'
	option src 'wan'
	option src_dport '53'
	option dest 'lan'
	option dest_ip '192.168.1.19'
	option target 'DNAT'
	option name '53_wg'
	list proto 'udp'

I have the same config but it doesn't work...

Here is "netstat -tulpn | grep LISTEN":

tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1692/uhttpd
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      19112/dnsmasq
tcp        0      0 192.168.50.1:53         0.0.0.0:*               LISTEN      19112/dnsmasq
tcp        0      0 192.168.100.1:53        0.0.0.0:*               LISTEN      19112/dnsmasq
tcp        0      0 192.168.3.1:53          0.0.0.0:*               LISTEN      19112/dnsmasq
tcp        0      0 192.168.26.1:53         0.0.0.0:*               LISTEN      19112/dnsmasq
tcp        0      0 192.168.25.1:53         0.0.0.0:*               LISTEN      19112/dnsmasq
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      1281/dnscrypt-proxy
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1370/dropbear
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1692/uhttpd
tcp        0      0 127.0.0.1:445           0.0.0.0:*               LISTEN      2071/smbd
tcp        0      0 192.168.3.1:445         0.0.0.0:*               LISTEN      2071/smbd
tcp        0      0 0.0.0.0:1194            0.0.0.0:*               LISTEN      3404/openvpn
tcp        0      0 127.0.0.1:139           0.0.0.0:*               LISTEN      2071/smbd
tcp        0      0 192.168.3.1:139         0.0.0.0:*               LISTEN      2071/smbd
tcp        0      0 :::80                   :::*                    LISTEN      1692/uhttpd
tcp        0      0 ::1:53                  :::*                    LISTEN      19112/dnsmasq
tcp        0      0 fe80::7a11:dcff:fe41:463b:53 :::*                    LISTEN      19112/dnsmasq
tcp        0      0 fd50:6ed3:b2d4:50::1:53 :::*                    LISTEN      19112/dnsmasq
tcp        0      0 fe80::7a11:dcff:fe41:463b:53 :::*                    LISTEN      19112/dnsmasq
tcp        0      0 fd50:6ed3:b2d4:99::1:53 :::*                    LISTEN      19112/dnsmasq
tcp        0      0 fe80::7a11:dcff:fe41:463b:53 :::*                    LISTEN      19112/dnsmasq
tcp        0      0 fd50:6ed3:b2d4:3::1:53  :::*                    LISTEN      19112/dnsmasq
tcp        0      0 fe80::7a11:dcff:fe41:463b:53 :::*                    LISTEN      19112/dnsmasq
tcp        0      0 fe80::7a11:dcff:fe41:463e:53 :::*                    LISTEN      19112/dnsmasq
tcp        0      0 fe80::6d0b:f307:53      :::*                    LISTEN      19112/dnsmasq
tcp        0      0 fe80::7a11:dcff:fe41:463d:53 :::*                    LISTEN      19112/dnsmasq
tcp        0      0 fe80::7811:dcff:fe41:463d:53 :::*                    LISTEN      19112/dnsmasq
tcp        0      0 fe80::7c11:dcff:fe41:463d:53 :::*                    LISTEN      19112/dnsmasq
tcp        0      0 fe80::e70b:1aff:c30:8108:53 :::*                    LISTEN      19112/dnsmasq
tcp        0      0 fe80::7811:dcff:fe41:463e:53 :::*                    LISTEN      19112/dnsmasq
tcp        0      0 :::22                   :::*                    LISTEN      1370/dropbear
tcp        0      0 :::443                  :::*                    LISTEN      1692/uhttpd
tcp        0      0 fd50:6ed3:b2d4:3::1:445 :::*                    LISTEN      2071/smbd
tcp        0      0 ::1:445                 :::*                    LISTEN      2071/smbd
tcp        0      0 fd50:6ed3:b2d4:3::1:139 :::*                    LISTEN      2071/smbd
tcp        0      0 ::1:139                 :::*                    LISTEN      2071/smbd

You need to check UDP, not TCP, so post the output of
netstat -una


"netstat -una" (for IPv4 only):

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 127.0.0.53:53           0.0.0.0:*
udp        0      0 127.0.0.1:53            0.0.0.0:*
udp        0      0 192.168.50.1:53         0.0.0.0:*
udp        0      0 192.168.100.1:53        0.0.0.0:*
udp        0      0 192.168.3.1:53          0.0.0.0:*
udp        0      0 192.168.26.1:53         0.0.0.0:*
udp        0      0 192.168.25.1:53         0.0.0.0:*
udp        0      0 0.0.0.0:67              0.0.0.0:*
udp        0      0 0.0.0.0:51820           0.0.0.0:*
udp        0      0 192.168.3.255:137       0.0.0.0:*
udp        0      0 192.168.3.1:137         0.0.0.0:*
udp        0      0 0.0.0.0:137             0.0.0.0:*
udp        0      0 192.168.3.255:138       0.0.0.0:*
udp        0      0 192.168.3.1:138         0.0.0.0:*
udp        0      0 0.0.0.0:138             0.0.0.0:*
udp        0      0 0.0.0.0:25826           0.0.0.0:*
udp        0      0 0.0.0.0:5353            0.0.0.0:*
udp        0      0 0.0.0.0:53283           0.0.0.0:*
udp        0      0 ::1:53                  :::*

How do you test?
In my home env I have a DNS hijacking rule, so I need to use mobile data...
Or maybe your ISP is hijacking the DNS...

I do my testing with my wireguard client on my mobile phone on LTE.
I first believed that my ISP blocked port 53, but I tried to make dnsmasq on my OpenWrt listen on wan, and if I open port 53 on WAN in the firewall and set the DNS server on a client outside of my LAN (on another network) to my public IP, it works. So my ISP doesn't block port 53.

I have dnscrypt-proxy installed on my OpenWrt, but I tried to shut it down, and it doesn't change anything.

Check this:

iptables-save -c -t nat | grep -e 51820

iptables-save -c -t nat | grep -e 51820

[0:0] -A zone_lan_postrouting -s 192.168.3.0/24 -d 192.168.3.1/32 -p udp -m udp --dport 51820 -m comment --comment "!fw3: Wireguard (reflection)" -j SNAT --to-source 192.168.3.1
[0:0] -A zone_lan_prerouting -s 192.168.3.0/24 -d MYPUBLICIP/32 -p udp -m udp --dport 53 -m comment --comment "!fw3: Wireguard (reflection)" -j DNAT --to-destination 192.168.3.1:51820
[0:0] -A zone_lan_prerouting -s 192.168.3.0/24 -d 192.168.4.253/32 -p udp -m udp --dport 53 -m comment --comment "!fw3: Wireguard (reflection)" -j DNAT --to-destination 192.168.3.1:51820
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 53 -m comment --comment "!fw3: Wireguard" -j DNAT --to-destination 192.168.3.1:51820

PS: I hid my public IP.

Here is my config:

/etc/config/network (for the wireguard interface only):

config interface 'wireguard'
	option proto 'wireguard'
	option private_key 'PRIVATEKEY'
	list addresses '192.168.25.1/24'
	option listen_port '51820'

/etc/config/firewall (for wireguard):

config redirect
	option dest_port '51820'
	option src 'wan'
	option name 'Wireguard'
	option src_dport '53'
	option target 'DNAT'
	option dest_ip '192.168.3.1'
	option dest 'lan'
	list proto 'udp'

You have zero connection attempts logged.
Perhaps your client or server ISP performs DNS hijacking or something.

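
The zero counters above are the whole diagnosis: iptables-save -c prints "[packets:bytes]" in front of every rule, and a WAN-side DNAT at [0:0] means nothing with that destination port ever reached the router. The following is an added example, not code from the thread: a small sh/awk reader for that output, run here over a constructed sample modelled on the rules posted above (the OpenVPN line and all counter values are invented for contrast).

```shell
# Constructed sample in iptables-save -c -t nat format (not real router output).
SAMPLE_RULES='[0:0] -A zone_lan_prerouting -s 192.168.3.0/24 -d 192.168.4.253/32 -p udp -m udp --dport 53 -m comment --comment "!fw3: Wireguard (reflection)" -j DNAT --to-destination 192.168.3.1:51820
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 53 -m comment --comment "!fw3: Wireguard" -j DNAT --to-destination 192.168.3.1:51820
[42:6300] -A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: OpenVPN" -j DNAT --to-destination 192.168.3.1:1194'

# dnat_hits NAME  (reads iptables-save -c output on stdin)
# Prints "<proto> <dport> <to-destination> <packets>" for every DNAT rule in
# zone_wan_prerouting whose comment contains NAME. Reflection rules live in the
# lan chains and never see WAN traffic, so they are deliberately skipped.
dnat_hits() {
    awk -v name="$1" '
        /-A zone_wan_prerouting / && /-j DNAT/ && index($0, name) {
            pk = substr($1, 2); sub(/:.*/, "", pk)     # "[42:6300]" -> "42"
            proto = ""; dport = ""; dest = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "--to-destination") dest = $(i + 1)
            }
            print proto, dport, dest, pk
        }'
}

# sample_hits NAME: dnat_hits over the constructed sample above
sample_hits() {
    printf '%s\n' "$SAMPLE_RULES" | dnat_hits "$1"
}

# rule_has_traffic NAME: exit 0 if any matching WAN DNAT rule has counted
# packets, 1 if every matching rule is still at zero (nothing reached the box).
rule_has_traffic() {
    sample_hits "$1" | awk '$4 > 0 { found = 1 } END { exit found ? 0 : 1 }'
}

# On the router itself, feed the live table instead of the sample:
#   iptables-save -c -t nat | dnat_hits Wireguard
```

A rule that stays at zero while the client is actively trying to connect puts the fault in front of the router (the path from the client's network), which is exactly what the tcpdump check later in the thread confirms.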

Port 53 won't show up as listening for wireguard. You are merely rewriting the destination address and port of the packet in prerouting.

Good point, let's see what comes to the router:
opkg update; opkg install tcpdump; tcpdump -i $(uci get network.wan.ifname) -evn udp port 53 or udp port 51820


You are right.
I didn't receive anything in tcpdump from my mobile phone on LTE.
I tried from another connection at my friend's house and it worked (with the config from the beginning).

It's weird that a mobile carrier blocks outgoing port 53 (mine is SFR from France).

Thanks everyone


Especially mobile providers tend to block quite aggressively, and blocking port 53 isn't unlikely either, as ISPs are fighting open resolvers (which are, at best, a sign of misconfiguration, but more likely abused in DDoS attacks).
