[WireGuard] Wireguard behind NAT (Was: Client changes endpoint port, why?)

Baptiste Jonglez baptiste at bitsofnetworks.org
Thu Jul 7 17:25:24 CEST 2016

On Thu, Jul 07, 2016 at 05:06:21PM +0200, Baptiste Jonglez wrote:
> On Thu, Jul 07, 2016 at 02:45:22PM +0000, Jan De Landtsheer wrote:
> > BTW, can a client run behind NAT ? (I assume not, as AFAICT both need to
> > listen on a port)
> Yes, you can run behind a NAT (well, maybe not if *both* peers are behind
> a NAT).  Wireguard uses its local "listening port" as source UDP port when
> sending packets, so this will create a mapping in a NAT or stateful
> firewall.

Well, thinking about it, you should be able to make wireguard work even if
both peers are behind a stateful firewall or NAT :)

You just have to specify endpoints on *both* peers to point at the public
IP address of the other peer.

For instance:

- Peer A listens on port 4444 and is behind a NAT with public IP address X
- Peer B listens on port 5555 and is behind a NAT with public IP address Y
- Peer A does this: wg set wg0 peer B endpoint Y:5555
- Peer B does this: wg set wg0 peer A endpoint X:4444

Once both peers have sent messages, this trick should create a mapping in
both NATs.

It might not work for NATs that also rewrite the source port, though
(I never understood the terminology, but this might be called a symmetric
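The recipe above (both peers pointing their endpoint at the other side's public IP and listen port) and the caveat about source-port rewriting can be replayed with a small simulation. The following is an added example, not code from the post or from WireGuard. It assumes (my assumption, not something the post states) that each NAT behaves as a stateful, address-and-port-restricted NAT: an inbound datagram is delivered only to a mapping that has already sent to that exact remote ip:port. The `rewrite_source_port` flag models a NAT that does not preserve the private source port, which is what a symmetric NAT does. All addresses, ports and NAT public IPs are constructed.

```python
"""Toy model of the 'set the endpoint on both peers' NAT traversal trick.

Added example, not code from the post or from WireGuard.  Assumption:
each NAT is a stateful, address-and-port-restricted NAT.  IP addresses,
ports and public IPs are constructed sample values.
"""
import random


class Nat:
    """Stateful NAT / firewall keyed on the private (ip, port) that sent."""

    def __init__(self, public_ip, rewrite_source_port=False, seed=1):
        self.public_ip = public_ip
        self.rewrite_source_port = rewrite_source_port
        self.rng = random.Random(seed)   # deterministic 'random' public ports
        self.table = {}                  # private (ip, port) -> mapping

    def outbound(self, src, dst):
        """Translate an outbound datagram from private src to remote dst.

        Creates the mapping on first use and records dst as an allowed
        remote.  Returns the public (ip, port) the remote will see.
        """
        entry = self.table.get(src)
        if entry is None:
            # A port-preserving NAT keeps the private port; a NAT that
            # rewrites the source port (e.g. symmetric NAT) picks a new one.
            pub_port = (self.rng.randint(20000, 60000)
                        if self.rewrite_source_port else src[1])
            entry = self.table[src] = {"port": pub_port, "peers": set()}
        entry["peers"].add(dst)
        return (self.public_ip, entry["port"])

    def inbound(self, remote, pub_port):
        """Return the private (ip, port) that receives the datagram, or None
        if no mapping on pub_port has previously sent to remote."""
        for src, entry in self.table.items():
            if entry["port"] == pub_port and remote in entry["peers"]:
                return src
        return None


def punch(nat_x, nat_y):
    """Replay the post's recipe: A (behind X, listening on 4444) and B
    (behind Y, listening on 5555) each point their peer endpoint at the
    other's public IP and listen port.  Returns (a_reaches_b, b_reaches_a)."""
    a_priv = ("10.0.0.2", 4444)          # constructed private address of A
    b_priv = ("192.168.1.2", 5555)       # constructed private address of B
    a_target = (nat_y.public_ip, 5555)   # wg set wg0 peer B endpoint Y:5555
    b_target = (nat_x.public_ip, 4444)   # wg set wg0 peer A endpoint X:4444

    # A sends a handshake first.  X creates a mapping, but Y has no state
    # yet and drops the packet.
    a_pub = nat_x.outbound(a_priv, a_target)
    dropped = nat_y.inbound(a_pub, a_target[1]) is None

    # B sends.  Y now has a mapping; X accepts only if B arrives from the
    # exact ip:port A already sent to, i.e. only if Y preserved port 5555.
    b_pub = nat_y.outbound(b_priv, b_target)
    b_reaches_a = nat_x.inbound(b_pub, b_target[1]) == a_priv

    # A retransmits (WireGuard retries handshake initiations).  Y accepts
    # only if its mapping for B sits on port 5555, the port A is aiming at.
    a_pub = nat_x.outbound(a_priv, a_target)
    a_reaches_b = nat_y.inbound(a_pub, a_target[1]) == b_priv
    return a_reaches_b and dropped, b_reaches_a


def one_sided(nat_x, nat_y, attempts=3):
    """Only A has an endpoint configured; B never sends.  Shows why the
    endpoint has to be set on *both* peers.  Returns True if A ever gets in."""
    a_priv, a_target = ("10.0.0.2", 4444), (nat_y.public_ip, 5555)
    for _ in range(attempts):
        a_pub = nat_x.outbound(a_priv, a_target)
        if nat_y.inbound(a_pub, a_target[1]) is not None:
            return True
    return False


if __name__ == "__main__":
    x, y = "203.0.113.1", "198.51.100.1"   # constructed public IPs X and Y
    print("port-preserving NATs:", punch(Nat(x), Nat(y)))
    print("Y rewrites source port:", punch(Nat(x), Nat(y, rewrite_source_port=True)))
    print("only A sends:", one_sided(Nat(x), Nat(y)))
```

With two port-preserving NATs the second round trip succeeds in both directions; as soon as one NAT rewrites the source port, the hard-coded `endpoint Y:5555` no longer matches the mapping the NAT actually created, and both directions fail, which is the case the post flags as "might not work". The one-sided run shows the dropped packets you get when only one peer has an endpoint configured.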