I have WireGuard working well on port 51821. When I'm at my friends' houses (for example) I'm able to connect just fine. However, when I'm on any of Comcast's Xfinity WiFi hotspots the WireGuard tunnel doesn't work.
I'm logged in as my Comcast user and I'm able to browse the internet in general, but it appears they're blocking WireGuard traffic.
How should I go about debugging this to suss out whether it's based around certain ports, deep packet inspection, or actually not Comcast's fault at all?
Set up two WireGuard endpoints directly on the Internet. Run a continuous ping from one node to the other. Then, using tcpdump/Wireshark, filter for the ping and verify that you can see the request and the response on each of the nodes.
Then try WireGuard and verify you can see packets going between the two systems. If you don't see packets going each way from each side, then Comcast is messing with you.
See if you can poke/prod from the Comcast/Xfinity WiFi to your server. You can poke/prod/test TCP vs. UDP and try a few ports.
You may be able to wrap WireGuard UDP traffic in fake TCP packets, or hopefully just use a different port number. You may also attempt to run WireGuard on another 'standard' UDP port, like 53 for example.
WireGuard is blocked via deep packet inspection (DPI). Changing the port to 53, 80 or 443 does not resolve the issue. They're able to distinguish whether the traffic is WireGuard and actively block it.
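As an added illustration for the two posts above (this is not code from any poster in the thread), here is what a DPI filter can key on regardless of port: every WireGuard message starts with a one-byte type followed by three zero reserved bytes, and the three handshake message types have fixed lengths (148, 92 and 64 bytes) while transport data is a 16-byte header plus a 16-byte-aligned ciphertext. The classifier below implements exactly those checks over a raw UDP payload; the port is not even an input, which is why moving the listener to 53, 80 or 443 does not help against this kind of filter. The sample packets are constructed here with filler bytes (not real keys or MACs), and the lengths and type codes are those of the WireGuard protocol. When you run the capture from the earlier answer, a tcpdump filter such as `udp port 51821` on the server side shows whether these datagrams ever arrive; this script shows what the filter on the other side is matching.

```python
"""Classify UDP payloads by WireGuard's fixed message layout.

Added example for this thread (not code from any poster). Lengths and type
codes are those of the WireGuard protocol; the sample packets are constructed
here with filler bytes, not real key material.
"""
import struct
from typing import Optional

# Message types and the wire lengths the protocol fixes for them.
MSG_HANDSHAKE_INITIATION = 1   # 148 bytes
MSG_HANDSHAKE_RESPONSE = 2     # 92 bytes
MSG_COOKIE_REPLY = 3           # 64 bytes
MSG_TRANSPORT_DATA = 4         # 32 + 16*n bytes (a keepalive is exactly 32)

FIXED_LENGTHS = {
    MSG_HANDSHAKE_INITIATION: (148, "handshake_initiation"),
    MSG_HANDSHAKE_RESPONSE: (92, "handshake_response"),
    MSG_COOKIE_REPLY: (64, "cookie_reply"),
}


def classify_wireguard(payload: bytes) -> Optional[str]:
    """Return the WireGuard message name if the UDP payload matches the
    protocol's fixed layout, else None. The UDP port is deliberately not an
    input: none of these checks depend on it."""
    if len(payload) < 4:
        return None
    msg_type = payload[0]
    # Bytes 1-3 are reserved and always zero on the wire.
    if payload[1:4] != b"\x00\x00\x00":
        return None
    if msg_type in FIXED_LENGTHS:
        expected_len, name = FIXED_LENGTHS[msg_type]
        return name if len(payload) == expected_len else None
    if msg_type == MSG_TRANSPORT_DATA:
        # 16-byte header (type, reserved, receiver index, 8-byte counter),
        # then ciphertext padded to a 16-byte multiple plus a 16-byte tag.
        if len(payload) >= 32 and (len(payload) - 16) % 16 == 0:
            return "transport_data"
    return None


def handshake_mac2_is_zero(payload: bytes) -> bool:
    """For handshake messages, mac2 (the last 16 bytes) is all zeros unless the
    responder is under load and has issued a cookie; a filter can use this as a
    further hint. Returns False for non-handshake payloads."""
    if classify_wireguard(payload) not in ("handshake_initiation", "handshake_response"):
        return False
    return payload[-16:] == b"\x00" * 16


# Constructed samples (filler bytes, not real key material).
SAMPLE_INITIATION = (
    bytes([MSG_HANDSHAKE_INITIATION, 0, 0, 0])
    + struct.pack("<I", 0x12345678)   # sender index
    + b"\x11" * 32                     # unencrypted ephemeral
    + b"\x22" * 48                     # encrypted static
    + b"\x33" * 28                     # encrypted timestamp
    + b"\x44" * 16                     # mac1
    + b"\x00" * 16                     # mac2 (zero when no cookie in play)
)
SAMPLE_KEEPALIVE = (
    bytes([MSG_TRANSPORT_DATA, 0, 0, 0])
    + struct.pack("<I", 0x9ABCDEF0)   # receiver index
    + struct.pack("<Q", 0)            # nonce counter
    + b"\xaa" * 16                    # tag over empty plaintext
)
# A DNS query for example.com: what a real "port 53" flow carries. The
# reserved bytes are not zero, so it is not mistaken for WireGuard.
SAMPLE_DNS_QUERY = (
    b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    + b"\x07example\x03com\x00\x00\x01\x00\x01"
)
# Right type byte and reserved bytes, wrong length: not a valid initiation.
SAMPLE_TRUNCATED = bytes([MSG_HANDSHAKE_INITIATION, 0, 0, 0]) + b"\x00" * 100


def classify_samples() -> dict:
    """Run the classifier over the constructed samples."""
    return {
        "initiation": classify_wireguard(SAMPLE_INITIATION),
        "keepalive": classify_wireguard(SAMPLE_KEEPALIVE),
        "dns": classify_wireguard(SAMPLE_DNS_QUERY),
        "truncated": classify_wireguard(SAMPLE_TRUNCATED),
    }


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:>10}: {verdict}")
```

The point of the sample set is the contrast: the DNS query is on the "right" port family for a port-53 tunnel and is still rejected, while the keepalive is recognised from its 32-byte shape alone. A box that matches like this needs no port list, so the only things that change its verdict are the payload's leading bytes and length, which is what an obfuscating wrapper has to alter.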
GL Inet's Brume device behind my home router, which acts as OpenVPN server and WireGuard server
GL Inet's Beryl device that is acting as a client for the servers above
To test the VPN, I connected the Beryl device to an Xfinity hotspot (one without a password). I have no issues using OpenVPN: I can access internal and external sites. However, with WireGuard, I just can't access anything.
To rule out configuration issues, I connected my mobile to cellular data and used the WireGuard client with the same configuration that I had used in the Beryl router. This time, I can access both the internal and external sites using OpenVPN and WireGuard.
Trying to keep this thread active because I have been able to confirm: all Comcast-based connections block the WireGuard protocol (not just the port, and not just UDP). Not only am I confused why they do this, I also don't understand why this isn't out there among tech blogs/sites. It is an issue, especially when Comcast is the ONLY access to the internet.
I'm also seeing this. Even using Comcast modems in bridge mode to other routers, it seems that my laptops and phones can't make outgoing WireGuard connections. Very odd, and not sure why this would be blocked. I definitely haven't seen this with other ISPs.
Thanks for responding even after all this time. I haven't needed to rely on Xfinity WiFi access points for a while so I haven't thought about it, but you're absolutely right, it feels crazy that this hasn't been picked up yet.
This project should help: https://github.com/wangyu-/udp2raw
They show the use case with OpenVPN, but you should be able to adapt this for WireGuard or other applications. The tricky part, however, is that you need something like this on both sides of the connection. This makes it difficult to implement on certain embedded devices, iPhones, etc., as you need support for this applet as well as WireGuard.