Would it be possible to configure a single Firezone WireGuard VPN server to accept connections over multiple UDP ports? In case the default UDP 51820 port is blocked, I would like the option to connect using an alternate UDP port such as UDP 123 or 1194. I’ve read that this would be possible in certain WireGuard deployments using an iptables rule such as the following:
iptables -t nat -A PREROUTING -i [SERVER_INTERFACE] -d [SERVER_IP] -p udp -m multiport --dports 53,80,123,443,1194,1197,1198,8080,9201 -j REDIRECT --to-ports [WIREGUARD_PORT]
Can something similar be done using the Firezone docker version?
1 Like
Okay, I’m an idiot.
I was able to resolve the issue by fowarding UDP 443 externally to UDP 51820 internally at the firewall. So effectively, the Firezone WireGuard VPN server is accessible externally at both UDP 443 and UDP 51820 while listening internally only on UDP 51820.
No special configuration changes to Firezone or the Docker/Ubuntu host are necessary.
Although your solution is perfectly valid, I want to mention another solution to answer your original question instead of the workaround you mentioned. It could help other people when they want to run multiple Wireguard containers on the same host (or the default port is blocked for whatever reason).
You can change the port Wireguard is using by specifying an environment variable in the “.env” file (or hardcode it in docker-compose.yml if you want it dirty):
WIREGUARD_PORT=
You can look at the docs for more options:
1 Like