ELI5: How does WireGuard/OpenVPN work without port forwarding?

I would say that I am intermediate when it comes to homenetworking and self hosting. I understand most concepts and how they work. The one thing I cannot figure out is how a self hosted VPN can work without any port forwarding. I guess this really applies to all VPNs.

Edit: When I set up a WireGuard VPN from my Unifi Network controller for remote access, I don’t have to forward any ports and don’t see anything forwarded in the firewall rules. Am I missing something? Is it doing some port forwarding and not telling me? What port is it forwarding?

Normal WG and OpenVPN don’t work without port forwarding. You need to port forward to connect to those services. Port forwarding is only used on INBOUND traffic though, so connecting to a server outside of your network will work without port forwards.

You need to port forward on the server side. You can use a VPS, connect your server to the VPS, then port forward on the VPS to your server. Tailscale is easier so I just use that personally.

If you’re using WireGuard or OpenVPN on a UniFi gateway, then it’s doing the “port forwarding” in the background. (It’s not really forwarding the port though, since the gateway is handling the connection, so it would be forwarding it to itself.)

Once the VPN tunnel is established, the gateway will allow any tunnel traffic in/out of your internal network by default.

I haven’t looked much into OpenVPN but WireGuard cannot work without at least one of the two peers having an open UDP port. I would imagine OpenVPN is similar. There are other VPN providers, like Tailscale, that operate hubs that all your clients connect to. This hub will have the open ports so clients just have to initiate the connection.

When I set up a wire guard VPN from my Unifi Network controller for remote access, I don’t have to forward any ports and don’t see anything forwarded in the firewall rules. Am I missing something? Is it doing some port forwarding and not telling me? What port is it forwarding?

You’re not forwarding anything at all if the service is running on the router. Forwarding would be going to a DIFFERENT machine in your network, not the router. Guaranteed there are firewall rules in place to allow that VPN.

On my Cloud Gateway Ultra there is a firewall rule called Allow Wireguard Server on the Internet Local interface. It was created automatically when I configured the VPN. Port forwarding is sending packets to a different device on the network, it doesn’t really apply when the VPN is running on the gateway itself.

Cannot believe the number of replies that seem to be missing the most fundamental misunderstanding that OP is having.

You all are talking about using a VPS with a reverse proxy. OP is talking about enabling WireGuard on their home router, and e.g. using the WireGuard app on their phone to connect to their home network.

OP: When you connect to your home router with WireGuard, you are creating a secure tunnel such that the remote device is set up in such a way that it’s like it’s connected locally. Thus, like any locally connected device, you don’t need port forwarding to access any of your services. In effect, the traffic is only local and never has to traverse the firewall. This is the nice part about this type of VPN. You don’t need any open port at all except for the WireGuard port (which the Unifi Network controller configures on your behalf). No ports at all have to be forwarded.

WG and OpenVPN do require an open port, on the server side, to receive incoming connections from clients. VPN clients connect outgoing, which is usually allowed by firewalls.

However, there are serverless peer-to-peer VPN protocols like /r/Zerotier and /r/Tailscale that work behind firewalls/NAT through a technique called UDP hole punching (= tricking the firewall or NAT gateway to think that both sides are initiating an outgoing connection).

You are routing. So your devices all get IPs on a second network.

There is another version. The basic function of a router is to map IP addresses from one network to another. So traditionally (before NAT) we would map say 192.168.1.x to our public IP subnet say 100.100.1.x. We still do this but now we’re mapping it all down to a single IP with NAT and using port numbers or https to map external packets to internal addresses. With Wireguard though we establish a virtual network and map to the Wireguard software that does an overlay network over UDP.

Tailscale and similar “WireGuard”-based solutions don’t seem to REQUIRE port forwarding because they can use public relays. Each client on either end connects through a public relay that is not behind a NAT. There are downsides to connecting through a relay, so point-to-point (direct) is preferred and would require port forwarding.

Aside from that, standard server-client model. OpenVPN clients can connect to OpenVPN servers so long as the server is not behind a NAT, is behind a 1:1 NAT, or is port forwarded. Clients can always connect to servers if they’re routable and the server’s listening port is exposed.

It’s amazing how many people here in their comments don’t understand the fundamentals of networking but try to explain it anyways.

Imagine two networks as two streets, and the devices on them as numbered houses.

If I want someone from one neighborhood to meet someone in another gated community, they must have the information to drive to the other neighborhood using the address (network), and then get to the specific house with the house number (port number).
Without a forwarded port (house number) written on the houses, you’ll arrive on the street but have no idea which house is right. Eventually the neighborhood watch (firewall) will kick you out because you are wandering aimlessly around.
Say you do have the info, and the houses are labeled correctly. If you get to this gated community, but they aren’t allowing visitors, you’ll be turned around too (by the firewall).

So for a connection to be made you have to have an open port on a device and a way to get there.

There’s a lot of wrong information here from people here about Tailscale etc.
Tailscale also requires an open port. The secret is, you use someone else’s server as needed. It’s not truly self hosted, and if their “secure relays” go down, your devices will no longer be able to talk outside their networks to each other. You’re just using someone else’s VPN.

Based on my understanding, you do have to port forward with WireGuard in order for it to work. However, implementations of WireGuard (e.g. Tailscale) don’t require you to port forward because they use NAT traversal to make connections.

A VPN is kind of like sending letters. You put the message in an envelope and send the envelope away… the problem without port forwarding is that there’s no return address for the letters! So, to work around this, you use a 3rd party (A PO box) for your letters instead. The problem is that your messages all need to go to this PO box instead of directly to you.

You could host a VPN on the VPS. Connect all the networks to the VPN that want to communicate with each other. Each machine that connects to the VPN will receive a new IP address from the VPN subnet. On the VPS hosting the VPN you would need to add iptables/ufw rules to allow the traffic to forward to each other over the tun0 interface.
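The VPS hub pattern described in this reply and in the earlier one ("use a VPS, connect your server to the VPS, then port forward on the VPS to your server") is easy to get subtly wrong, so here is an added example that is not part of the thread or of WireGuard itself: a small Python generator for the hub's and a site's wg0.conf, including the forward rules the hub needs and a check that no two sites claim overlapping prefixes. The interface name eth0, the keys, the addresses and the published service are placeholders I chose; generate real keys with `wg genkey | tee priv | wg pubkey`.

```python
"""Generator for a WireGuard hub-and-spoke setup on a VPS (constructed example,
not WireGuard's or any project's code). Every site dials out to the hub, so only
the VPS needs an open UDP port; the hub's iptables rules let sites reach each
other and can DNAT one public port on the VPS to a service behind a site.
Keys, addresses and the interface name are placeholders."""

import ipaddress

WG_IF = "wg0"
PUBLIC_IF = "eth0"   # assumption: the VPS's internet-facing interface


def _check_no_overlap(spokes):
    """WireGuard routes by AllowedIPs ('cryptokey routing'): a prefix belongs to
    exactly one peer, and a later overlapping entry silently takes it over, so
    refuse overlapping site prefixes instead of emitting a broken hub config."""
    seen = []
    for name, _pub, tunnel_ip, lan_cidr in spokes:
        for net in (ipaddress.ip_network(tunnel_ip), ipaddress.ip_network(lan_cidr)):
            for prev_name, prev in seen:
                if net.overlaps(prev):
                    raise ValueError(f"{name} {net} overlaps {prev_name} {prev}")
            seen.append((name, net))


def hub_rules(published):
    """iptables rules for the VPS while wg0 is up. 'published' lists
    (public_port, target_ip, target_port) tuples to expose through the tunnel."""
    rules = [f"iptables -A FORWARD -i {WG_IF} -o {WG_IF} -j ACCEPT"]   # site <-> site
    for pport, tip, tport in published:
        rules += [
            # rewrite the public destination to the host behind the site
            f"iptables -t nat -A PREROUTING -i {PUBLIC_IF} -p tcp --dport {pport} "
            f"-j DNAT --to-destination {tip}:{tport}",
            f"iptables -A FORWARD -i {PUBLIC_IF} -o {WG_IF} -p tcp -d {tip} --dport {tport} -j ACCEPT",
            f"iptables -A FORWARD -i {WG_IF} -o {PUBLIC_IF} -m conntrack "
            f"--ctstate ESTABLISHED,RELATED -j ACCEPT",
            # source-NAT only the published flow so replies return via the hub;
            # ordinary site-to-site traffic keeps its real source addresses
            f"iptables -t nat -A POSTROUTING -o {WG_IF} -p tcp -d {tip} --dport {tport} -j MASQUERADE",
        ]
    return rules


def hub_config(hub_priv, hub_tunnel_cidr, listen_port, spokes, published=()):
    """spokes: list of (name, pubkey, tunnel_ip, lan_cidr)."""
    _check_no_overlap(spokes)
    rules = hub_rules(published)
    lines = ["[Interface]", f"Address = {hub_tunnel_cidr}", f"ListenPort = {listen_port}",
             f"PrivateKey = {hub_priv}", "PostUp = sysctl -w net.ipv4.ip_forward=1"]
    lines += [f"PostUp = {r}" for r in rules]
    lines += [f"PostDown = {r.replace(' -A ', ' -D ')}" for r in rules]   # undo on teardown
    for name, pub, tunnel_ip, lan_cidr in spokes:
        lines += ["", f"# {name}", "[Peer]", f"PublicKey = {pub}",
                  f"AllowedIPs = {tunnel_ip}/32, {lan_cidr}"]
    return "\n".join(lines) + "\n"


def spoke_config(spoke_priv, tunnel_ip, hub_pub, hub_endpoint, reachable_cidrs):
    """Site side: no ListenPort and no port forward. PersistentKeepalive keeps
    the site's NAT mapping alive so the hub can still reach it after silence."""
    lines = ["[Interface]", f"Address = {tunnel_ip}/32", f"PrivateKey = {spoke_priv}", "",
             "[Peer]", f"PublicKey = {hub_pub}", f"Endpoint = {hub_endpoint}",
             f"AllowedIPs = {', '.join(reachable_cidrs)}", "PersistentKeepalive = 25"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    sites = [("home", "HOME_PUB", "10.8.0.2", "192.168.1.0/24"),
             ("office", "OFFICE_PUB", "10.8.0.3", "192.168.2.0/24")]
    print(hub_config("HUB_PRIV", "10.8.0.1/24", 51820, sites,
                     published=[(443, "192.168.1.20", 443)]))
    print(spoke_config("HOME_PRIV", "10.8.0.2", "HUB_PUB", "vps.example.com:51820",
                       ["10.8.0.0/24", "192.168.2.0/24"]))
```

Hosts on a site's LAN still need a route for the tunnel and remote-site prefixes pointing at that site's WireGuard box (or that box must masquerade), otherwise their replies never enter the tunnel.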

Set your home router to forward port 51820 (default WG) to your wireguard server.

Unifi router runs WG, so I guess you connect to it directly instead of a server running inside your home network.

Firewalls block incoming traffic unless you specifically ask for it, like a website. You visit the website and it loads its data on your machine.

So what you need is like Tailscale or similar. They have a “website” server and your computer at home is going to visit that, and allows in that connection. The same on the other side. After that the protocol says, the external server is no longer needed as there is a hole in the firewall, let’s set up the tunnel between your 2 machines. The external server sees nothing of your data transmitted between your machines.

Once the connection is made, does data still flow through Tailscale servers? Or direct from point to point. I’m not fussed about the security but more on performance

they are not serverless, there is a server that someone else controls, although usually just in the beginning

your last paragraph is partly wrong. With UDP hole punching you can (sometimes) connect 2 devices behind NAT only using their servers for initial synchronization. Once the connection is established, you don’t care if these “relays” (which aren’t really relays) are up or down

NAT traversal has little to do with the reason that Tailscale works without the user forwarding ports. In fact, it’s really only involved within internal networks or when a stateful firewall is in the way of the connection, so it’s used along with the below.

The reason you don’t need to forward ports with Tailscale is because you are basically using one of their dedicated servers when the peers can’t forward their own. They call them “secure relays” but they are basically wireguard servers that your peers connect with to talk to each other. In other words, the server is hosted by a third party who is forwarding the ports. It’s a common misconception that Tailscale is self hosted this way. In reality you’re either already able to connect between peers, or you’re using someone else’s server in the cloud to do so.
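The disagreement in the last few replies (and in the earlier one about UDP hole punching "tricking the firewall or NAT gateway to think that both sides are initiating an outgoing connection") comes down to what state a NAT keeps. As an added example that is not part of the thread and is not Tailscale or WireGuard code, here is a toy stateful NAT in Python. It shows the three cases argued about above: a VPN client behind NAT needs nothing, a VPN server behind NAT needs a port forward, and two NATed peers can reach each other with no forward at all if both send first, unless one side is a symmetric NAT, which is when a relay is needed. All addresses and ports are made up, and "cone" and "symmetric" are simplified to full-cone and destination-dependent mapping.

```python
"""Toy stateful NAT / firewall (constructed example, not Tailscale or WireGuard
code). Models only what matters for the thread: outbound packets create state,
inbound packets are delivered only if matching state or a port forward exists.
'cone' = one mapping per inside socket, anyone may send to it;
'symmetric' = a new mapping per destination, only that destination may reply."""

from dataclasses import dataclass, field


@dataclass
class Nat:
    public_ip: str
    symmetric: bool = False
    next_port: int = 40000
    mappings: dict = field(default_factory=dict)   # (int_ip, int_port, dst) -> ext_port
    reverse: dict = field(default_factory=dict)    # ext_port -> (int_ip, int_port, dst)
    forwards: dict = field(default_factory=dict)   # ext_port -> (int_ip, int_port)

    def forward_port(self, ext_port, int_ip, int_port):
        """A static port forward (DNAT) configured by the admin."""
        self.forwards[ext_port] = (int_ip, int_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Inside host sends a UDP packet out. Creates (or reuses) a translation
        and returns the (public_ip, external_port) the packet appears to come from."""
        dst = (dst_ip, dst_port) if self.symmetric else None
        key = (src_ip, src_port, dst)
        if key not in self.mappings:
            port = self.next_port
            self.next_port += 1
            self.mappings[key] = port
            self.reverse[port] = (src_ip, src_port, dst)
        return self.public_ip, self.mappings[key]

    def inbound(self, src_ip, src_port, ext_port):
        """Packet from the internet arrives at our public address on ext_port.
        Returns the internal (ip, port) it is delivered to, or None if dropped."""
        if ext_port in self.forwards:
            return self.forwards[ext_port]           # explicit forward: always in
        entry = self.reverse.get(ext_port)
        if entry is None:
            return None                              # unsolicited, no state: dropped
        int_ip, int_port, dst = entry
        if dst is not None and dst != (src_ip, src_port):
            return None                              # symmetric NAT: wrong sender
        return int_ip, int_port


def client_to_public_server():
    """Phone/laptop behind NAT talks to a WireGuard server on a public IP.
    The client's NAT only ever sees an outbound flow, so no forward is needed."""
    home = Nat("203.0.113.10")
    _ip, ext_port = home.outbound("192.168.1.50", 51820, "198.51.100.5", 51820)
    return home.inbound("198.51.100.5", 51820, ext_port) == ("192.168.1.50", 51820)


def server_behind_nat(with_forward):
    """WireGuard server on a LAN host. A fresh handshake from outside is
    unsolicited, so it is dropped unless 51820 is forwarded to that host."""
    home = Nat("203.0.113.10")
    if with_forward:
        home.forward_port(51820, "192.168.1.20", 51820)
    return home.inbound("198.51.100.77", 60000, 51820)


def hole_punch(symmetric_a=False, symmetric_b=False):
    """Two peers behind NAT. A coordination server (only its address is modelled)
    tells each side the other's public ip:port; both then send outbound at once,
    and each packet creates the state that admits the other's."""
    nat_a, nat_b = Nat("203.0.113.10", symmetric_a), Nat("198.51.100.20", symmetric_b)
    a_int, b_int = ("10.0.0.5", 41641), ("172.16.0.9", 41641)
    coord = ("192.0.2.1", 3478)
    a_pub = nat_a.outbound(*a_int, *coord)      # each learns its reflexive address
    b_pub = nat_b.outbound(*b_int, *coord)
    a_out = nat_a.outbound(*a_int, *b_pub)      # both send to the other's public addr
    b_out = nat_b.outbound(*b_int, *a_pub)
    a_hears_b = nat_a.inbound(*b_out, a_pub[1]) == a_int
    b_hears_a = nat_b.inbound(*a_out, b_pub[1]) == b_int
    return a_hears_b and b_hears_a              # False -> fall back to a relay


if __name__ == "__main__":
    print("client behind NAT, public server:", client_to_public_server())
    print("server behind NAT, no forward:   ", server_behind_nat(False))
    print("server behind NAT, forwarded:    ", server_behind_nat(True))
    print("hole punch, cone/cone:           ", hole_punch())
    print("hole punch, symmetric/cone:      ", hole_punch(symmetric_a=True))
```

The symmetric case is why the coordination server alone is not always enough: peer A's mapping learned through the coordinator is bound to the coordinator's address, so B's packet to it is dropped, and the peers never see each other's traffic directly; that is the situation in which the provider's relay carries the tunnel instead.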