I have a "client-server" setup composed of one Wireguard server computer and one client, both under their respective NAT. I want these to communicate without port forwarding on the client's router. Obviously, I still need port forwarding in the server's router.
According to this comment, one can leverage a stateful UDP firewall if the server's replies come from the very same port the client used to reach it. To do that, I set `ListenPort` to 51820 on both ends:

```
[Interface]
ListenPort = 51820
...snip...
```
Now with `tcpdump` executed on the client's router I can prove packets are going out with source port 51820 and destination port 51820. Same with `tcpdump` executed on the server's router: outgoing packets with source and destination set to 51820.
In the incoming direction though, client's router shows that packets come from port 1025. It looks like server side NAT changed port 51820 to 1025. Is this because port 51820 is already occupied by the port forwarding? How can I have source and destination ports equal so that the client router detects a UDP "connection"?
Implementation detail: both firewalls and NATs are iptables-driven.
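The symptom above (outbound packets to port 51820, replies arriving from port 1025) can be checked mechanically over a `tcpdump -n udp` listing instead of by eye. The following is an added example, not code from the question or from WireGuard: it parses tcpdump-style UDP lines and reports every peer whose replies do not come from the port the local side sent to, which is exactly the condition under which a stateful UDP firewall will not match the reply to the outbound entry. The addresses and the capture lines are constructed (RFC 5737 documentation ranges), and the line format assumed is tcpdump's default IPv4 `addr.port > addr.port: UDP` layout.

```python
"""Check a tcpdump UDP listing for NAT source-port rewriting (added example)."""
import re
from collections import defaultdict

# Constructed sample capture, as it would appear on the client's router.
# Not taken from the original question; addresses are documentation ranges.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 203.0.113.5.51820 > 198.51.100.7.51820: UDP, length 148
12:00:01.030000 IP 198.51.100.7.1025 > 203.0.113.5.51820: UDP, length 92
12:00:02.000001 IP 203.0.113.5.51820 > 198.51.100.7.51820: UDP, length 32
12:00:02.030000 IP 198.51.100.7.1025 > 203.0.113.5.51820: UDP, length 32
"""

# tcpdump prints "addr.port > addr.port:" for IPv4; the last dotted field is the port.
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP"
)


def parse_udp_lines(text):
    """Yield (src, sport, dst, dport) for each UDP line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def find_port_rewrites(text, local_ip):
    """Return {peer_ip: (port_we_sent_to, set_of_reply_source_ports)} for every
    peer whose replies do not all originate from the port we targeted.

    A stateful UDP firewall matches a reply to the outbound entry only when the
    reply's source port equals the destination port we used, so any peer listed
    here is one whose traffic the client's router will not treat as a "connection".
    """
    sent_to = {}                   # peer -> destination port we used
    reply_from = defaultdict(set)  # peer -> source ports seen on replies
    for src, sport, dst, dport in parse_udp_lines(text):
        if src == local_ip:
            sent_to[dst] = dport
        elif dst == local_ip:
            reply_from[src].add(sport)
    return {
        peer: (sent_to[peer], ports)
        for peer, ports in reply_from.items()
        if peer in sent_to and ports != {sent_to[peer]}
    }


if __name__ == "__main__":
    for peer, (expected, seen) in find_port_rewrites(SAMPLE_CAPTURE, "203.0.113.5").items():
        print(f"{peer}: sent to port {expected}, replies came from {sorted(seen)}")
```

Run against a real capture, pass the router's public address as `local_ip`; an empty result means every peer answered from the port it was addressed on, which is the precondition the question is trying to establish.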