Netgate Discussion Forum
    Point to Point VPN WAN Port Open?

Category: WireGuard. 3 Posts, 2 Posters, 675 Views
periko:

I had set up a point-to-point VPN with WG under pfSense 2.5.2.

I have seen a strange behavior.

If I'm wrong please let me know: once we set up a point-to-point, pfSense opens the socket for WG on WAN IPv4/IPv6 by default on port 51820 UDP, so we don't need to open any port in the WAN rules manually, right?

I ask this because I was working with this scenario and detected that once we install/uninstall WG, one of my peers starts blocking the connection on the WAN for the remote pfSense. I'm talking about P2P between 2 pfSense with WG.

I see the blocked connections in the firewall logs. What I did was just open the port on WAN: source any, dst WAN address, UDP port 51820, and done, VPN up and running.

I repeated the scenario and got the same issue. With a fresh installation it won't happen, but later, after just uninstalling/installing WG, one of the nodes shows this problem.

I have read the pfSense bugs but didn't see any report like this one.

Does someone else have this behavior?

pfSense 2.5.2, regards!!!

Need pfSense support in Mexico?
www.bajaopensolutions.com
https://www.facebook.com/BajaOpenSolutions
Want to learn pfSense? Visit my YouTube channel:
https://www.youtube.com/c/PedroMorenoBOS

cmcdonald (Netgate Developer) @periko:

@periko One side of the tunnel must have a public IP and open port for the other side to connect. So let's pretend that Site A has a public IP and open port, and Site B is behind NAT and has no open ports. In this situation, Site A cannot initiate a connection... only Site B can. But once Site B initiates the connection, a UDP path is established through the firewall that allows Site A to connect to Site B. This is also why a Persistent KeepAlive can be useful here, as it ensures that the UDP path is maintained so that both ends can communicate freely without requiring the NAT'd peer to open the tunnel.

        Need help fast? https://www.netgate.com/support

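To make the asymmetry in the reply above concrete, here is an added illustration in wg-quick config style (not from the post, and not pfSense's own generated configuration): only the publicly reachable Site A needs an inbound WAN rule for UDP 51820, and only the NAT'd Site B sets an Endpoint and PersistentKeepalive. The addresses, subnets and key strings are placeholders.

```ini
# ---- site-a.conf: public IP (placeholder 203.0.113.10) ----
# Site A's firewall must pass inbound UDP 51820 on WAN so B's handshake can arrive.
[Interface]
PrivateKey = <SITE_A_PRIVATE_KEY>
Address = 10.100.0.1/30
ListenPort = 51820

[Peer]
# No Endpoint: A cannot initiate toward a NAT'd peer. WireGuard records
# B's source address:port when B's handshake arrives and replies to it.
PublicKey = <SITE_B_PUBLIC_KEY>
AllowedIPs = 10.100.0.2/32, 192.168.2.0/24

# ---- site-b.conf: behind NAT, no inbound WAN rule required ----
[Interface]
PrivateKey = <SITE_B_PRIVATE_KEY>
Address = 10.100.0.2/30
ListenPort = 51820

[Peer]
PublicKey = <SITE_A_PUBLIC_KEY>
# B always initiates, so only B needs the fixed Endpoint of the public side.
Endpoint = 203.0.113.10:51820
AllowedIPs = 10.100.0.1/32, 192.168.1.0/24
# Sends a packet every 25 s so the NAT/firewall UDP state stays open and
# traffic from A keeps reaching B even when B's side has nothing to send.
PersistentKeepalive = 25
```

If both sides have public IPs, as in the original poster's case, each side's WAN must pass inbound UDP 51820 for the other peer to initiate; without that rule the tunnel only comes up from the side that happens to send first, which matches the one-directional blocking described in the thread.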
periko:

          Hello.

In my case both pfSense have a public IP. When I set up WG P2P at first I didn't have to open ports; WG opened the sockets, and I didn't add any value for keepalive.

If I delete all the setup and delete WG from both pfSenses, this issue appears: I have to open the UDP port for WG on one side because it starts blocking the packets.

My question is: in a standard setup like this one, does WG open the sockets, or do we always need to open the port on the WAN?

Or what are the right steps?

To understand more about how WG is working. Thanks Chris.


          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.