
The motive for doing this is that I want to open other ports so that I can evade firewalls which block VPN connections. Instead of redirecting e.g. port 53 or 123, I could simply set up a destination NAT rule (my router allows 'easy' port forwarding, or you can set it up manually with a destination NAT rule; using the DNAT method gives you more flexibility, like specifying IP addresses) which doesn't specify a source port, effectively redirecting all traffic going to my router on every port to the WireGuard server.

The benefit is that I have the best chance of being able to connect to my VPN server (I won't be talking about DPI or TCP/UDP converters since that's another topic).

My understanding is that the security relies on the daemon that is running (or will be running). So I'm fine in this regard since it's all being redirected to WireGuard. But I've never seen this recommended at all. I've been doing it for a while and I do get a lot of connections from random IP addresses. I'm not sure if that could allow attackers to DoS my home network more easily, because they have more ports to send data through at the same time.
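The catch-all redirect described in the question, written out as an nftables ruleset. This is an added example, not configuration from the original post: the interface name, the WireGuard server's LAN address (192.0.2.10, from the RFC 5737 documentation range) and the ListenPort are assumptions, overridable through environment variables. Only UDP is redirected, because WireGuard never speaks TCP, so DNATing TCP ports would only expose a target that can never answer. The forward chain adds a blunt flood cap on the redirected flows and otherwise leaves the router's existing filter policy alone.

```shell
#!/bin/sh
# Added example: catch-all DNAT of inbound UDP to a single WireGuard ListenPort.
# All three values below are assumptions, not taken from the original post.
WAN_IF="${WAN_IF:-eth0}"          # router's upstream (WAN) interface
WG_HOST="${WG_HOST:-192.0.2.10}"  # LAN address of the WireGuard server
WG_PORT="${WG_PORT:-51820}"       # ListenPort configured on that server

# Print the nftables ruleset. The DNAT rule matches no destination port at all,
# so a client may set its peer Endpoint to <router>:53, :123 or any other UDP
# port and still reach the same WireGuard socket.
build_ruleset() {
    cat <<EOF
table ip wg_catchall {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Every UDP datagram arriving from the WAN, whatever its port, is
        # rewritten to the WireGuard server's single ListenPort. Conntrack
        # reverses the translation on the reply path automatically.
        iifname "$WAN_IF" meta l4proto udp counter dnat to $WG_HOST:$WG_PORT
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
        # Crude flood cap for the redirected flows: above this rate, new and
        # existing packets alike are dropped on the router rather than being
        # forwarded to the WireGuard host. All clients share the budget.
        iifname "$WAN_IF" ip daddr $WG_HOST udp dport $WG_PORT \
            limit rate over 5000/second counter drop
    }
}
EOF
}

# Load the ruleset atomically; needs root and a kernel with nf_tables.
apply_ruleset() {
    build_ruleset | nft -f -
}

# Run as "sh this_script.sh apply" to load; with no argument it only prints.
if [ "${1:-}" = "apply" ]; then
    apply_ruleset
else
    build_ruleset
fi
```

Two caveats worth knowing before relying on this. Because nat chains are consulted only for the first packet of a flow, replies to the router's own outbound UDP queries (DNS, NTP, DHCP renewals) are untouched; but any UDP service the router itself exposes on the WAN side will be hijacked by the DNAT rule, so such ports have to be excluded (for example with `udp dport != { 500, 4500 }` in front of `dnat`). And the WireGuard server still needs its ordinary single ListenPort; the rewrite happens entirely on the router, so nothing changes in the server's configuration.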

1 Answer


Open ports in themselves do not pose a greater risk than closed ports. In order to exploit a security gap, the service behind the port must always be vulnerable. Conversely, this means that if your VPN service is always kept up to date and it does not pose a security risk, the open ports will not do so either, as long as there is no vulnerable service running.

DoS/DDoS is not necessarily a problem of ports; closed ports can also be attack vectors for it, since packets destined for your host still have to be validated by the kernel/network stack, and therefore your machine has to process these requests.

Measures against this could, for example, be a firewall that drops packets before they even reach your machine.

rm -rf