Wireguard behind NAT

Steven Honson steven at honson.id.au
Fri Sep 7 17:17:54 CEST 2018

Hi Adrian,

As SIDE_B has a public IP address, the example you give should work fine. In this case, SIDE_A will establish a connection with SIDE_B which effectively punches a NAT hole for return traffic from SIDE_B to SIDE_A.

When configuring the SIDE_A peer on SIDE_B, just leave EndPoint unset.

Inversely, when configuring the SIDE_B peer on SIDE_A, use the dynamic DNS name (and the port that SIDE_B is listening on).

The NAT Hole Punching example Jason provided is more applicable to situations where both WireGuard peers are NATed. In your example it sounds like this is only the case for SIDE_A.


> On 3 Sep 2018, at 5:51 am, Adrián Mihálko <adriankoooo at gmail.com> wrote:
> Is there any way to connect to Wireguard behind a Carrier-grade NAT? 
> On SIDE_A I have a backup LTE connection, without proper public ip, only dynamic ip and I server with Wireguard. 
> SIDE_A = mobile LTE connection, without public IP, behind carrier grade NAT 
> SIDE_A_SERVER = WIREGUARD (connecting to sideb.dyndns.org <http://sideb.dyndns.org/>) 
> SIDE_B = VDSL with public ip + ddns (sideb.dyndns.org <http://sideb.dyndns.org/>) 
> SIDE_B_SERVER = WIREGUARD (cannot connect to SIDE_A, because no public ip on SIDE_A) 
> Best regards, 
> Adrian
> _______________________________________________
> WireGuard mailing list
> WireGuard at lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.zx2c4.com/pipermail/wireguard/attachments/20180908/b5c9cc33/attachment.html>

More information about the WireGuard mailing list