So what inbound port do you run WG on then?
Inbound, obviously, otherwise nothing could sync their time.
Well that seems to have done the trick. Thanks so much! I was fine with openvpn, but having read the benefits of wireguard, especially for mobile use and battery life, I really wanted to get it working.
Do you see the security issue now?
UDP is very sensitive to fragmentation - and slow initialisation could be the routers finding a common low MTU. That’s where I’d start anyway - see if a very low MTU in WG (like 600) makes it stable, then increase.
I use an iPhone too and use a Debian server behind a DDNS myself. Most of the time it just works. Sometimes I have the same problem you described. I think it is not necessarily the server side, as on my MacBooks it is always OK. When I started using WireGuard back in 2019 I had the issue more often. It could be simply the WireGuard client and iOS itself. Back then there were more often reports about it, especially when you change cells on the way.
Because I like the Swiss flag, obviously
I run it on 123 on a machine serviced by a sane ISP that doesn’t block ports.
Well yeah, not allowing any connections to your home network is more secure. Might as well just not host anything, that’s even more secure. Or you know what, just cut your internet connection, that’ll make it secure for sure.
Nope, but I can’t wait to see your presentation at DEFCON since you seem to know something that nobody else does. You might want to go ahead and put in a request for time off, since the NSA is a little short handed and would miss your smiling face for the days that you’re gone, giving a presentation to all of us dummies.
Yes, really. Why are you being so dense? I’ve been in this game for decades. To the best of my knowledge, you’re the first person who has ever made such an incredulous claim of, ‘VPNs shouldn’t be exposed on the Internet!’. So, you’ve made the claim, now please make the case for why.
That said, and for me to play devil’s advocate for you, there have been cases where I have restricted VPN to (D)DNS-based resolution, but that’s generally been to reduce CPU usage for so many people beating on the server which was running on a slower machine, and was less about security and more about CPU consumption, which is arguably negligible.
Yeah it’s a big plus
So back to my original issue: some ISPs do, even though you said they don’t. Might affect OP.
If you use a traditional VPN server (pick your poison), it requires you to port forward, and you are opening the network to attack.
Most, if not all, who set up WireGuard think it's perfectly secure after the installation and setup. I'd hazard a guess that exactly "nobody" will ever update their server.
Ask yourself what version of WireGuard you're running now and if it needs any security patching?
Now I'm not saying don't host anything; what I'm saying is don't rush to adopt a solution before understanding the risks and your personal skill level at maintaining the solution.
You have comprehension issues, buddy; not wasting any more of my valuable time on you.
Used to have that issue; what worked for me was adding a PersistentKeepalive = 60 line in the peer section.
I literally cannot be realistically expected to know every ISP quirk under the sun. Hell, your ISP could be doing deep packet inspection and blocking all WireGuard traffic for some unknown reason; how am I supposed to know? This is such a weird thing to argue about.
Port 123 remains a good option if it's open. If not, use something else. There are ways to use WireGuard with TCP and on port 443 too, but that's a lot more involved.
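The three knobs the thread keeps coming back to (a conservative MTU for the fragmentation problem, a PersistentKeepalive line for the iPhone drop-outs, and an Endpoint on a UDP port such as 123 that ISPs tend to leave alone) all live in the same client config, so here is one script that ties them together. It is an added example, not something posted in the thread and not WireGuard project code. The MTU arithmetic is the standard WireGuard overhead (outer IP header + 8-byte UDP header + 32-byte WireGuard transport header: 60 bytes over IPv4, 80 over IPv6); the server name vpn.example.net, the 10.0.0.2/32 tunnel address and the placeholder keys are made up, and the probe function uses Linux iputils ping syntax and needs network access, so it is only called when you ask for it.

```shell
#!/bin/sh
# Added example (not from the thread, not WireGuard's own tooling).
# Derive a WireGuard MTU from the path MTU and render a wg-quick client
# config with MTU, PersistentKeepalive and a chosen UDP endpoint port.

# Tunnel MTU = path MTU minus WireGuard encapsulation overhead:
#   IPv4 outer: 20 (IP) + 8 (UDP) + 32 (WG transport header) = 60
#   IPv6 outer: 40 (IP) + 8 (UDP) + 32 (WG transport header) = 80
wg_mtu_for_path() {
    path_mtu=$1
    outer_ip=${2:-4}
    if [ "$outer_ip" = 6 ]; then
        echo $((path_mtu - 80))
    else
        echo $((path_mtu - 60))
    fi
}

# Walk the path MTU down with DF-bit pings until one gets through.
# Linux iputils syntax (-M do sets DF); network-dependent, run by hand.
# ping -s is the ICMP payload; add 8 (ICMP) + 20 (IPv4) to get the MTU.
probe_path_mtu() {
    host=$1
    size=${2:-1472}            # 1472 + 28 = 1500
    while [ "$size" -gt 500 ]; do
        if ping -c 1 -W 1 -M do -s "$size" "$host" >/dev/null 2>&1; then
            echo $((size + 28))
            return 0
        fi
        size=$((size - 8))
    done
    return 1
}

# The thread suggests starting as low as 600 and working upward. Anything
# below 1280 breaks IPv6 *inside* the tunnel (IPv6 minimum link MTU), so
# flag that rather than silently shipping a config that half works.
warn_if_mtu_breaks_ipv6() {
    if [ "$1" -lt 1280 ]; then
        echo "warning: MTU $1 < 1280, IPv6 over the tunnel will not work" >&2
        return 1
    fi
    return 0
}

# Render a wg-quick client config. Keys and addresses are placeholders.
# Keepalive defaults to 25 s, the interval the wg(8) man page suggests
# for NAT traversal; the thread's poster used 60.
render_client_conf() {
    mtu=$1
    endpoint_port=${2:-123}    # hypothetical: server listens on UDP 123
    keepalive=${3:-25}
    cat <<EOF
[Interface]
PrivateKey = <client-private-key>
Address = 10.0.0.2/32
MTU = $mtu

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.net:$endpoint_port
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = $keepalive
EOF
}

# Usage:
#   sh wgconf.sh probe vpn.example.net        -> prints measured path MTU
#   sh wgconf.sh render 1500 123 60           -> config for a 1500 path MTU
case "${1:-}" in
    probe)  probe_path_mtu "$2" ;;
    render) mtu=$(wg_mtu_for_path "${2:-1500}")
            warn_if_mtu_breaks_ipv6 "$mtu" || true
            render_client_conf "$mtu" "${3:-123}" "${4:-25}" ;;
esac
```

If the probe lands on something like 1492 (PPPoE) or lower, render from that value; with a 1500-byte path you get the familiar MTU = 1440 for an IPv4 endpoint and 1420 for IPv6, which is why 1420 is the default WireGuard picks when nothing is specified.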
It’s the only way to be sure!
Says the person that cannot make a valid point, and is downvoted to hell for being 100% wrong.
Another good UDP port is 563.