Self-built WireGuard solution port is frequently blocked, the ultimate minimalist solution (nanny class can be reproduced)


The most troublesome problem with a self-built WireGuard VPN: the UDP port stops working every 2 days or so, the client shows no last handshake time, and ports such as 57586, 2096 and 443 have to be replaced again and again, which is a lot of back-and-forth hassle.

The root cause: the operator's DPI (deep packet inspection). WireGuard's native packet features are fixed, so no matter which single UDP port you switch to, it will be identified and periodically banned.

This article adopts the simplest solution, server-side iptables multi-port forwarding: no change to the native WireGuard client, no obfuscation app to install, no TCP tunnel to fiddle with. One configuration takes effect permanently; in the future only the port number on the client needs to change, so even a novice has zero hassle.

Principle

  1. Fix the WireGuard server listening port at 51820 and never modify it;
  2. On the VPS, use iptables to forward a port range: all UDP ports 20000~60000 are redirected to local port 51820;
  3. The Vultr firewall only needs to allow the 20000~60000 port range, with no need to add single-port rules one by one;
  4. Computer and mobile clients can freely choose any port in the range. When a port fails, only the client port needs to be changed; there is no need to touch the server or log in to the Vultr console.

Step 1: Modify the WireGuard configuration and fix the listening port
Log in to the Vultr VPS and edit the wg0 configuration file:

vi /etc/wireguard/wg0.conf

Find the configuration item:
ListenPort = <original port> (for example 2096 or 57586)
Change it to:
ListenPort = 51820
Press ESC and enter :wq to save and exit, as shown in Figure 1.

Step 2: Restart the WireGuard service to take effect

root@vultr:~# wg-quick down wg0
[#] ip link delete dev wg0
[#] iptables -D INPUT -p udp --dport 57586 -j ACCEPT
[#] iptables -D FORWARD -i enp1s0 -o wg0 -j ACCEPT
[#] iptables -D FORWARD -i wg0 -j ACCEPT
[#] iptables -t nat -D POSTROUTING -o enp1s0 -j MASQUERADE
[#] ip6tables -D FORWARD -i wg0 -j ACCEPT
[#] ip6tables -t nat -D POSTROUTING -o enp1s0 -j MASQUERADE
root@vultr:~# wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.66.66.1/24 dev wg0
[#] ip -6 address add fd42:42:42::1/64 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] iptables -I INPUT -p udp --dport 57586 -j ACCEPT
[#] iptables -I FORWARD -i enp1s0 -o wg0 -j ACCEPT
[#] iptables -I FORWARD -i wg0 -j ACCEPT
[#] iptables -t nat -A POSTROUTING -o enp1s0 -j MASQUERADE
[#] ip6tables -I FORWARD -i wg0 -j ACCEPT
[#] ip6tables -t nat -A POSTROUTING -o enp1s0 -j MASQUERADE

Step 3: Verify that the listening port is in effect

root@vultr:~# wg show
interface: wg0
  public key: XZ2LNJxO7RqjGKHyubFw35eR7AkRa1iHqltQJYdsY3g=
  private key: (hidden)
  listening port: 51820

peer: QnBvrNGpbGs+9JxCgZvT16sVr1g735JMgWGFIdqmsz8=
  preshared key: (hidden)
  allowed ips: 10.66.66.2/32, fd42:42:42::2/128

peer: TX/hWjKXFoDyhQncE6M5DuC7d4DffzjJWHL+errBsTU=
  preshared key: (hidden)
  allowed ips: 10.66.66.3/32, fd42:42:42::3/128

If the output shows listening port: 51820, the configuration change has taken effect.

Step 4: Configure iptables multi-port forwarding on the VPS
Run the following commands one by one:

# Redirect all UDP ports 20000-60000 to the fixed WireGuard port 51820
root@vultr:~# sudo iptables -t nat -A PREROUTING -p udp --dport 20000:60000 -j REDIRECT --to-ports 51820

# Install the iptables rule persistence tool
root@vultr:~# sudo apt install -y iptables-persistent
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
iptables-persistent is already the newest version (1.0.16).
0 upgraded, 0 newly installed, 0 to remove and 11 not upgraded.

# Save the rules so they survive a server reboot
root@vultr:~# sudo netfilter-persistent save
run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables save
run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables save

Step 5: Vultr console firewall configuration (required)

  1. Log in to the Vultr console, find the corresponding VPS, and open Firewall Groups in the left menu;
  2. Delete the original single-port UDP rules such as 57586, 2096, 443, etc.;
  3. Add a new firewall rule:
  • Protocol: UDP
  • Port Type: Port Range
  • Port range: 20000 – 60000
  • Notes: WireGuard multi-port split
  4. Save the rule; no additional ports need to be added, as shown in Figure 2.

Step 6: Client configuration rules

  1. The native WireGuard clients on computer and phone do not need to be reinstalled, and no other settings need to change;
  2. Endpoint format: your VPS IP followed by any port within the range
    Example:
    Endpoint = 1.2.3.4:32567
  3. Multiple devices can use different ports, e.g. 3xxxx for computers and 5xxxx for phones; they can be online at the same time without affecting each other, as shown in Figure 3
  4. When a port fails and there is no handshake: change only the client port number to another value between 20000~60000; the server and firewall need no changes at all.
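To confirm the server side actually matches Steps 1 to 4, here is an added verification helper that is not part of the original post: it parses the output of wg show, iptables -t nat -S PREROUTING and iptables -S INPUT and checks the fixed port, the range REDIRECT and whether UDP to 51820 is accepted on INPUT. The sample outputs embedded at the bottom are constructed.

```shell
#!/bin/sh
# Added verification helper, not part of the original post. It parses the output
# of `wg show`, `iptables -t nat -S PREROUTING` and `iptables -S INPUT` and checks
# the server side of Steps 1-4. The sample outputs at the bottom are constructed.

FIXED_PORT=51820
RANGE_LO=20000
RANGE_HI=60000

# Print the port from the "listening port:" line of `wg show` output on stdin.
wg_listen_port() {
    awk '/^ *listening port:/ { print $3 }'
}

# Succeed if the nat PREROUTING dump on stdin has the range REDIRECT rule.
has_range_redirect() {
    grep -q -- "-A PREROUTING -p udp -m udp --dport ${RANGE_LO}:${RANGE_HI} -j REDIRECT --to-ports ${FIXED_PORT}"
}

# Succeed if INPUT accepts UDP to the fixed port, either by an explicit rule or
# by an ACCEPT default policy. REDIRECT rewrites the dport before INPUT, so an
# ACCEPT for an old single port such as 57586 no longer matches forwarded traffic.
input_accepts_fixed_port() {
    grep -q -E -- "^-P INPUT ACCEPT$|^-A INPUT -p udp -m udp --dport ${FIXED_PORT} -j ACCEPT$"
}

# Run the three checks on the given outputs; return the number of failures.
verify_server() {
    fails=0
    [ "$(printf '%s\n' "$1" | wg_listen_port)" = "$FIXED_PORT" ] || { echo "FAIL: listening port is not $FIXED_PORT"; fails=$((fails+1)); }
    printf '%s\n' "$2" | has_range_redirect || { echo "FAIL: no REDIRECT ${RANGE_LO}:${RANGE_HI} -> ${FIXED_PORT} in nat PREROUTING"; fails=$((fails+1)); }
    printf '%s\n' "$3" | input_accepts_fixed_port || { echo "FAIL: INPUT does not accept udp/${FIXED_PORT}"; fails=$((fails+1)); }
    echo "checks failed: $fails"
    return "$fails"
}

# Constructed samples; on the VPS feed the real command outputs instead.
SAMPLE_WG='interface: wg0
  listening port: 51820'
SAMPLE_NAT='-P PREROUTING ACCEPT
-A PREROUTING -p udp -m udp --dport 20000:60000 -j REDIRECT --to-ports 51820'
SAMPLE_INPUT='-P INPUT DROP
-A INPUT -p udp -m udp --dport 57586 -j ACCEPT'

verify_server "$SAMPLE_WG" "$SAMPLE_NAT" "$SAMPLE_INPUT" || true
```

The constructed INPUT sample reproduces what the wg-quick output in Step 2 shows: the PostUp line still inserts an ACCEPT for the old port 57586, so with a DROP policy the third check fails until that line in wg0.conf is updated to 51820 as well.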

Pitfalls and optimization suggestions

  1. Do not use ports one after another in order (20001, 20002…); pick random, non-consecutive numbers so the operator cannot spot a pattern;
  2. Avoid a 7 × 24 hour always-on connection; disconnect manually when idle (I do so at night before bed) to lower the chance of triggering risk control;
  3. The WireGuard listening port is fixed at 51820 and is never modified in the future;
  4. This is only suitable for users who do not want obfuscation and do not want to change the client.

Summary
This is the simplest solution: zero additional software, no client changes, the ultimate compromise. One configuration lasts permanently, and the VPS and firewall configuration no longer need to be modified frequently.
