WireGuard server port

Hello,

I want to change the WireGuard server port from 51280 to port 53. Does changing the port automatically open it up or do I need to open the port?

Thanks

:53 is unencrypted DNS. It'd be better to use :443 (HTTPS/TLS) to evade restrictive upstream firewalls.

The WG server should be already assigned to the wan firewall zone. You should be good to go.

I am already using port 443 to host a webserver so cannot use that.

I changed the port of the WireGuard server from 51820 to 53, and was able to reach the router from a remote client. However, the remote client did not get access to the internet; it seems the router stopped NATting the traffic out to the internet, i.e. the remote client couldn't ping 8.8.8.8 but could ping 192.168.8.1.

I do have IP masquerading enabled.

Then I suspect the GL side of things is still expecting everything to be on :51820. You may need to get into SSH &/or LuCI to make some customizations. Before you do I'd revert your latest change, then pull a backup:

I'd poke around /etc/config/firewall, /etc/config/network & /etc/config/wireguard_server (that last one is GL.iNet specific & not found on stock/pure OWRT).

/etc/init.d/firewall restart && /etc/init.d/network restart should be executed to make any changes you've made effective.

I tried port 53 and 123; they both did not work. Following that I tried port 563 and it worked. Maybe 53 and 123 mean something special to GL.iNet.

:53 is unencrypted/cleartext DNS. By default dnsmasq listens on that port. :123 is for NTP (ntpd).... the network time protocol. That's how these devices pull the current time. There's no hardware/real time clock (RTC) in them. It's used in stock/pure OpenWrt, which GL.iNet builds on.

netstat -natup
ps -w | grep ntp

As 9b9e... mentioned, udp:53 is already occupied by dnsmasq for providing the DNS service.
So when you try changing the WireGuard server listen port to 53, it will not be able to apply.
(Maybe we will add a port conflict reminder in a future version.)

If you want to disable the DNS service of dnsmasq, you can use these SSH commands.

echo 'port=0' >> /etc/dnsmasq.conf
/etc/init.d/dnsmasq restart

Note that this command will stop our router from providing DNS service, so please change Network - LAN - DHCP server - DNS Server 1 and 2 to suitable ones, like 8.8.8.8 or 1.1.1.1, in order to make LAN devices work properly.

And use the command below so that the router itself can resolve domains normally.

sed -i 's/^nameserver 127\.0\.0\.1$/nameserver 8.8.8.8/; s/^nameserver ::1$/nameserver 2001:4860:4860::8888/' /etc/resolv.conf

Then you should be able to change the WireGuard server to 53 now.

And here are the commands to make dnsmasq provide the DNS service again.

sed -i '/^\s*port=0\s*$/d' /etc/dnsmasq.conf
/etc/init.d/dnsmasq restart

Also, the command to restore the router's DNS server:

sed -i 's/^nameserver 8\.8\.8\.8$/nameserver 127.0.0.1/; s/^nameserver 2001:4860:4860::8888$/nameserver ::1/' /etc/resolv.conf
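
The port conflict discussed in this thread (udp:53 held by dnsmasq, udp:123 by ntpd), as an added example that is not from any poster or from GL.iNet: a POSIX shell function that reads tables in /proc/net/udp format and reports whether a UDP port is already bound before it is assigned to WireGuard. The function names and the sample table are constructed for illustration; with no file arguments the function reads the live /proc/net/udp and /proc/net/udp6.

```shell
#!/bin/sh
# Added example: is a UDP port already bound? Check before moving WireGuard to it.

# Constructed sample in /proc/net/udp format (trailing columns omitted):
# dnsmasq on 53 (0x0035), ntpd on 123 (0x007B), WireGuard on 51820 (0xCA6C).
sample_udp_table() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue
   0: 00000000:0035 00000000:0000 07 00000000:00000000
   1: 00000000:007B 00000000:0000 07 00000000:00000000
   2: 00000000:CA6C 00000000:0000 07 00000000:00000000
EOF
}

# udp_port_in_use PORT [FILE...]
# Returns 0 if a socket in the tables is bound to PORT, 1 if not, 2 on bad input.
udp_port_in_use() {
    port=$1
    shift
    case $port in
        ''|0*|*[!0-9]*) return 2 ;;   # empty, leading zero, or non-numeric
    esac
    [ "$port" -le 65535 ] || return 2
    [ $# -gt 0 ] || set -- /proc/net/udp /proc/net/udp6
    hex=$(printf '%04X' "$port")
    for table in "$@"; do
        [ -r "$table" ] || continue
        # Field 2 is local_address as HEXADDR:HEXPORT; line 1 is the header.
        if awk -v want="$hex" 'NR > 1 { n = split($2, a, ":")
                                        if (toupper(a[n]) == want) hit = 1 }
                               END { exit !hit }' "$table"; then
            return 0
        fi
    done
    return 1
}

# Demo on the constructed table (not live router state).
demo_table=$(mktemp)
sample_udp_table > "$demo_table"
for p in 53 123 563; do
    if udp_port_in_use "$p" "$demo_table"; then
        echo "udp:$p is already bound, pick another WireGuard listen port"
    else
        echo "udp:$p is free"
    fi
done
rm -f "$demo_table"
```
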