How To Set Up WireGuard Without Port Forwarding [Simple Guide]
5 min. read
Updated on
Share this article
Improve this guide
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
Port forwarding could add another layer of complexity to an already meticulous WireGuard setup. So, if you’re not totally confident in your technical know-how, you should go with a method that doesn’t require it.
Below, we’ll explain how to configure WireGuard without port forwarding. We’ll also cover alternative ways for remote access. Ready?
How to set up a WireGuard VPN server without port forwarding
You can rent a virtual provider server to set up a WireGuard VPN server without port forwarding on a compatible router.
It can be a challenge to find a suitable piece of hardware since most VPN routers don’t support this tunneling protocol yet. So for this guide, let’s use Netgate’s pfSense as an example.
Assuming that you’ve already set up your VPN server and installed the protocol’s available package on pfSense, here’s what you need to do.
- Create a tunnel configuration
Follow these steps:
1. Log into your pfSense account on your preferred web browser.
2. Go to VPN > WireGuard > Tunnels > Add Tunnel to begin creating a tunnel from scratch.
3. Check Enabled.
4. Put Remote Access in the Description field.
5. Enter 51820 in Listen Port.
6. Click Generate in the Interface Keys section of Tunnel Configuration to create a new set of keys.
7. Copy the public key for later.
8. Type in your client’s IP address.
9. Save the tunnel to apply the changes.
10. Proceed to VPN > WireGuard > Tunnels > Peers > Add Peer to get started with the Peer section.
11. Check Enabled.
12. Fill in the Tunnel option with tun_wg (Remote Access).
13. Name your client.
14. Check Dynamic Endpoint.
15. Put 25 seconds in the Keep Alive line, but you may leave it empty if you wish.
16. Paste the public key from earlier.
17. Enter 10.6.210.2/32 in the AllowedIPs field.
If you want to include more clients, you’ll have to increase the digit before the /32 CIDR mask to make them distinguishable. In other words, the IP addresses of the subsequent peers should be 10.6.210.3/32, 10.6.210.4/32, and so on.
18. Click Save Peer.
To add one or more clients, repeat the steps for the peer section of the configuration. - Add a firewall rule
To ensure pfSense doesn’t reject external WireGuard traffic on the wide area network (WAN), do this:
1. Go to Firewall > Rules > WAN > Add.
2. Enter Pass for Action.
3. Put WAN in the Interface line.
4. Go with UDP for Protocol.
5. Type in “any” for Source.
6. Fill in the Destination field with WAN Address.
7. Make sure that the Destination Port Range says (other), 51820.
8. Use Pass traffic to WireGuard as Description.
9. Click Save, then Apply Changes. - Generate client configuration
Client configuration can vary by operating system, like Windows. Furthermore, WireGuard split tunnel and full tunnel configs have different AllowedIP settings. That’s because the former doesn’t use the catch-all 0.0.0.0/0 address.
Alternative ways for remote access without port forwarding
ZeroTier and Tailscale are worth trying if you’re a casual internet user who doesn’t have the time for WireGuard server configurations.
To fully grasp what ZeroTier and Tailscale can do, each one deserves its own in-depth review. But to give you an idea of how these remote access tools work, here’s a primer on them:
ZeroTier
ZeroTier is a non-traditional VPN that lets you create remote P2P connections. It uses a set of a dozen root servers housed in fast, stable locations across the world.
In short, it leverages its centralized network to facilitate your decentralized one. The result: low-latency direct exchange of data between devices. The only time you could feel performance issues is when its NAT traversal efforts fail.
Regarding security, it takes the “zero trust” route and encrypts data packets end to end. It also uses a custom-made protocol that assigns a unique 40-bit address. Plus, it supports single sign-on (SSO) and multi-factor authentication (MFA).
Finally, perhaps the most attractive quality of ZeroTier is the ease of setup. It requires no manual configuration whatsoever, handling the messy tech stuff on its own.
Here’s what you need to do:
- Register on its site.
- Create a network to get a network ID.
- Download the app on devices you want to add as peers.
- Authenticate the ones you added through its web-based admin dashboard.
Pros:
- Open-source
- Freemium service
- Practically universal OS compatibility
Cons:
- No key rotation
- Doesn’t support WireGuard protocol
Tailscale
Like ZeroTier, Tailscale supports end-to-end encryption, SSO, and MFA. On the other hand, its peer admission to your network is temporary only. The generated keys expire after a refresh period, making re-authentication necessary.
Also, Tailscale allows you to craft a central policy that defines network restrictions. That comes in handy when you want to connect to other people. If you wish, you can implement device posture checks to prevent the ones that don’t comply from joining your network.
Performance-wise, this remote access solution is WireGuard-based. Therefore, it promises even lower latency than ZeroTier. It also places a layer of on-demand NAT traversal on top of the protocol for direct communication with or without firewalls.
Furthermore, Tailscale’s setup is very similar to ZeroTier’s. So, expect a totally painless installation process.
Pros:
- Freemium service
- WireGuard-based
- Advanced security feature set
- Practically universal OS compatibility
Cons:
- More expensive starting price
Related reads:
- WireGuard No Internet: Common Causes and Quick Fixes
- WireGuard Split Tunnel Config Guide for Windows and More
- Best WireGuard VPNs for Routers
Summary
If you’re old-school and love dabbling with tech, you can set up WireGuard without port forwarding all by yourself. Our guide covers all the necessary steps.
Alternatively, you can go with either ZeroTier or Tailscale for remote access. Still, keep in mind only Tailscale lets you use WireGuard without port forwarding. But if you don’t care about the protocol that much, either can get the job done.
