[WireGuard] Client changes endpoint port, why?

Baptiste Jonglez baptiste at bitsofnetworks.org
Thu Jul 7 17:06:21 CEST 2016


On Thu, Jul 07, 2016 at 02:45:22PM +0000, Jan De Landtsheer wrote:
> On Thu, Jul 7, 2016 at 3:13 PM Baptiste Jonglez <baptiste at bitsofnetworks.org> wrote:
> 
> > On Thu, Jul 07, 2016 at 12:53:24PM +0000, Jan De Landtsheer wrote:
> > >   - about changing ports:
> > > hmmm. can't really say...
> > > What I noticed: I could ping yesterday, without doing anything, I couldn't
> > > this morning. that's when I saw the difference.
> > > I had something like it yesterday, and thinking I did something wrong, I
> > > set it in stone in a config file. applied it, had my ping, kept the
> > > terminal session on the server open (had also an openvpn to the remote).
> > > This morning, from the remote, there was no ping. Verified why. And then I
> > > sent this mail ;-)
> >
> > Could there be a NAT or stateful firewall on your network, messing up the
> > UDP source port of packets received from the server?
> >
> 
> nope, Start with basics, use pub ip to pub ip

Hmm, that's really strange then.  Any weird firewall rules on any of the
hosts?

> BTW, can a client run behind NAT ? (I assume not, as AFAICT both need to
> listen on a port)

Yes, you can run behind a NAT (well, maybe not if *both* peers are behind
a NAT).  WireGuard uses its local "listening port" as source UDP port when
sending packets, so this will create a mapping in a NAT or stateful
firewall.

Baptiste
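
[Added example, not part of the original message and not WireGuard code.] A toy Python model of a stateful NAT, showing the two points raised above: the server sees a rewritten source port for a client behind NAT, and the reply still reaches the client's listening port because that port was the UDP source. All addresses, ports and names (StatefulNat, the scenario functions) are constructed for illustration.

```python
# Toy model of a stateful NAT / firewall for UDP (constructed example).
from dataclasses import dataclass, field

CLIENT = ("192.168.1.10", 51820)  # client's listening port (constructed)
SERVER = ("203.0.113.5", 51820)   # server on a public address (constructed)

@dataclass
class StatefulNat:
    public_ip: str
    next_port: int = 40000
    out_map: dict = field(default_factory=dict)  # flow -> public port
    in_map: dict = field(default_factory=dict)   # (public port, remote) -> inside

    def outbound(self, src, dst):
        """Translate an outgoing packet; the first one creates the mapping."""
        key = (*src, *dst)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[(self.next_port, *dst)] = src
            self.next_port += 1
        return (self.public_ip, self.out_map[key])

    def inbound(self, src, dst_port):
        """Inside (ip, port) for an incoming packet, or None if dropped."""
        return self.in_map.get((dst_port, *src))

def client_behind_nat():
    nat = StatefulNat("198.51.100.7")
    # Client sends from its listening port; the NAT rewrites the source.
    seen_by_server = nat.outbound(CLIENT, SERVER)
    # Server answers the endpoint it observed; the NAT maps it back.
    delivered_to = nat.inbound(SERVER, seen_by_server[1])
    return seen_by_server, delivered_to

def server_speaks_first():
    nat = StatefulNat("198.51.100.7")
    # No outbound packet yet, so no mapping: the packet is dropped.
    return nat.inbound(SERVER, CLIENT[1])

def other_source_port():
    nat = StatefulNat("198.51.100.7")
    # Hypothetical sender using a source port other than its listening port:
    # the reply comes back to that port, not to the listening socket.
    seen = nat.outbound((CLIENT[0], 33333), SERVER)
    return nat.inbound(SERVER, seen[1])

if __name__ == "__main__":
    print(client_behind_nat())
    print(server_speaks_first())
    print(other_source_port())
```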