Multiple Clients behind NAT

Maarten de Vries maarten at de-vri.es
Fri Jan 15 14:21:52 UTC 2021


On 14-01-2021 18:09, Riccardo Paolo Bestetti wrote:
> On Wed Jan 13, 2021 at 9:14 PM CET, Posegga, Joachim wrote:
>> I am trying to connect multiple wireguard clients behind the same
>> NAT-Gateway to a Mikrotik server with a public IP. I am not yet sure
>> where exactly the problem is, but it seems that only one client at a
>> time can establish a tunnel.
> I don't know much about Mikrotik, but my guess is that it's not
> randomizing source ports for packets egressing the NAT.
>
> If that's the case, since WireGuard uses the same port for both source
> and destination, and since your clients are all connecting to the same
> server (and thus port), then your NAT can't demux incoming packets, and
> it just sends them all to the same client. (It probably picks the first
> one that sends egress packets, until it hits some inactivity time-out).

WireGuard doesn't have to use the same local port for all clients. In 
fact, if you don't give a ListenPort explicitly, an ephemeral port is 
assigned. This could theoretically still conflict between clients on 
different machines, but it is unlikely to happen in practice.

If NAT is broken, it should be fixed anyway, but letting WireGuard use 
ephemeral ports would also likely solve the problem in practice.


Kind regards,

Maarten
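As an added illustration of the demultiplexing argument above (this is example code, not part of the thread and not WireGuard or Mikrotik code), the following Python model shows a NAT that preserves the client's UDP source port instead of randomising it. When two LAN clients both use the same fixed ListenPort towards the same server endpoint, the NAT ends up with one external mapping and only the first client receives replies; when each client uses a distinct ephemeral port, both mappings coexist. All addresses, ports and the NAT model itself are constructed assumptions; inactivity time-outs are deliberately left out of the model.

```python
"""Constructed model of the NAT behaviour discussed in the thread.

Two LAN clients share one public address. A NAT that preserves the
internal UDP source port cannot keep two mappings apart when both
clients talk to the same server port from the same local port; with
distinct (ephemeral) ports the mappings stay separate. Added example,
not WireGuard or Mikrotik code; every address and port here is made up.
"""
from dataclasses import dataclass, field

PUBLIC_IP = "198.51.100.1"          # constructed NAT public address
SERVER = ("203.0.113.10", 51820)    # constructed WireGuard server endpoint


@dataclass
class PortPreservingNat:
    """NAT that reuses the client's source port as the external port.

    The table key is the externally visible side (external port, server
    endpoint); the value is the internal (client_ip, client_port) that
    owns that mapping. Because the external port equals the internal
    port, two clients with the same local port collide on the same key.
    """
    public_ip: str
    table: dict = field(default_factory=dict)

    def outbound(self, client, server):
        """Create or reuse a mapping for client -> server; None on collision."""
        client_ip, client_port = client
        key = (client_port, server)          # no port randomisation
        owner = self.table.setdefault(key, client)
        if owner != client:
            # Another client already owns this external port for this
            # server, so the NAT cannot demux replies between the two.
            return None
        return (self.public_ip, client_port)

    def inbound(self, server, ext_port):
        """Return the internal client that receives a reply to ext_port."""
        return self.table.get((ext_port, server))


def run_scenario(client_ports):
    """Return the client IPs that obtain their own working tunnel.

    client_ports maps client IP -> local WireGuard port, i.e. a fixed
    ListenPort, or an ephemeral port when ListenPort is omitted.
    """
    nat = PortPreservingNat(PUBLIC_IP)
    working = []
    for ip, port in client_ports.items():
        client = (ip, port)
        ext = nat.outbound(client, SERVER)
        if ext is None:
            continue
        # The server replies to (PUBLIC_IP, ext_port); see who the NAT picks.
        if nat.inbound(SERVER, ext[1]) == client:
            working.append(ip)
    return working


FIXED = {"10.0.0.11": 51820, "10.0.0.12": 51820}      # same ListenPort
EPHEMERAL = {"10.0.0.11": 41337, "10.0.0.12": 58214}  # distinct ports

if __name__ == "__main__":
    print("fixed ListenPort:", run_scenario(FIXED))      # only the first client
    print("ephemeral ports:", run_scenario(EPHEMERAL))   # both clients
```

In WireGuard terms, the second scenario corresponds to leaving `ListenPort` out of each client's `[Interface]` section so that an ephemeral port is assigned, as the reply above suggests; the model also makes clear that this is a workaround and that the real fix is a NAT that maps source ports correctly.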