PiVPN: change the port after installation/configuration

So I once set up pivpn (Wireguard) on my raspberry pi 2 via dietpi (Debian).

I followed a guide (which I can’t find anymore). In that guide I should open the port 9063 on my router (FRITZ!Box).

All worked like a charm for 3+ years. Never had to touch anything.

Now last week I changed my ISP and pivpn (Wireguard) stopped working.

So I looked in the port forwarding of my router and saw that my new ISP does not support the chosen pivpn port 9063 anymore.

It now has to be a port from the range: 9708-9727.

Is there a hassle-free way to change my pivpn setup now without generating new Wireguard codes or reinstalling everything?

If yes what do I need to change?

Why are you choosing such a port? Was it not possible to forward port 51820? At least I can do that on my Fritzbox.

Anyway, nothing needs to be changed on the server side, I guess. Open the port configuration on your Fritzbox and verify the settings. Usually it should have 2 ports for PiVPN: an external and an internal one. The internal one is still the Wireguard default, hopefully. Therefore nothing changed there. On the external side, you will get a new one. This change can be done on the client side manually. Just open the client app and edit your client configuration file to fit the new port. That’s all.

I’m also getting more and more confused. I don’t know where the internal port 9063 comes from. I didn’t choose it. I checked the Wireguard config file and the Wireguard debug log, and it also shows the standard 58120 external port there.

And if you look at the first screenshot above, the error comes with the internal v4 port 9063, not the external ip6 51820 port (which is also in the port forward)?

So 51820 is in the Wireguard config file and in the port forward.

Don’t mix things up. Let’s focus on IPv4. Forget about IPv6.

Have a look at your client (not on the server). Open the Wireguard app on your mobile device and check the port configured there.

If I am not mistaken now, the Wireguard config file for my client (iPhone) gave me port 51820.

In this case, set the same as the external IPv4 port on your Fritzbox.

That’s my PiVPN debug log. I only changed some clients’ names to keep privacy.

As I read the debug log, the server is configured to port 51820.

root@DietPi:~# pivpn debug
::: Generating Debug Output
::::            PiVPN debug              ::::
=============================================
::::            Latest commit            ::::
Branch: master
Commit: ab1fe203992dc0ef586644efb12488b876ed9555
Author: 4s3ti
Date: Sat Oct 8 02:39:53 2022 +0200
Summary: fix(ufw): set missing openvpn ipv6 variables
=============================================
::::        Installation settings        ::::
PLAT=Debian
OSCN=bullseye
USING_UFW=0
IPv4dev=eth0
IPv6dev=eth0
IPv4addr=192.168.178.162/24
IPv4gw=192.168.178.1
install_user=dietpi
install_home=/home/dietpi
VPN=wireguard
pivpnPORT=51820
pivpnDNS1=8.8.8.8
pivpnDNS2=8.8.4.4
pivpnHOST=REDACTED
INPUT_CHAIN_EDITED=0
FORWARD_CHAIN_EDITED=0
INPUT_CHAIN_EDITEDv6=0
FORWARD_CHAIN_EDITEDv6=0
pivpnPROTO=udp
pivpnMTU=1420
pivpnDEV=wg0
pivpnNET=10.145.205.0
subnetClass=24
pivpnenableipv6=1
pivpnNETv6="fd11:5ee:bad:c0de::"
subnetClassv6=64
ALLOWED_IPS="0.0.0.0/0, ::0/0"
INSTALLED_PACKAGES=(dhcpcd5 wireguard-tools qrencode)
=============================================
::::  Server configuration shown below   ::::
[Interface]
PrivateKey = server_priv
Address = 10.145.205.1/24,fd11:5ee:bad:c0de::1/64
MTU = 1420
ListenPort = 51820
### begin Client01pivpn ###
[Peer]
PublicKey = Client01pivpn_pub
PresharedKey = Client01pivpn_psk
AllowedIPs = 10.145.205.2/32,fd11:5ee:bad:c0de::2/128
### end Client01pivpn ###
### begin asusClient01pivpn ###
[Peer]
PublicKey = asusClient01pivpn_pub
PresharedKey = asusClient01pivpn_psk
AllowedIPs = 10.145.205.3/32,fd11:5ee:bad:c0de::3/128
### end asusClient01pivpn ###
### begin shieldpivpn ###
[Peer]
PublicKey = shieldpivpn_pub
PresharedKey = shieldpivpn_psk
AllowedIPs = 10.145.205.4/32,fd11:5ee:bad:c0de::4/128
### end shieldpivpn ###
=============================================
::::  Client configuration shown below   ::::
[Interface]
PrivateKey = Client01pivpn_priv
Address = 10.145.205.2/24,fd11:5ee:bad:c0de::2/64
DNS = 8.8.8.8, 8.8.4.4

[Peer]
PublicKey = server_pub
PresharedKey = Client01pivpn_psk
Endpoint = REDACTED:51820
AllowedIPs = 0.0.0.0/0, ::0/0
=============================================
::::    Recursive list of files in       ::::
::::    /etc/wireguard shown below       ::::
/etc/wireguard:
configs
keys
wg0.conf

/etc/wireguard/configs:
asusClient01pivpn.conf
clients.txt
Client01pivpn.conf
shieldpivpn.conf

/etc/wireguard/keys:
asusClient01pivpn_priv
asusClient01pivpn_psk
asusClient01pivpn_pub
Client01pivpn_priv
Client01pivpn_psk
Client01pivpn_pub
server_priv
server_pub
shieldpivpn_priv
shieldpivpn_psk
shieldpivpn_pub
=============================================
::::            Self check               ::::
:: [OK] IP forwarding is enabled
:: [OK] Iptables MASQUERADE rule set
:: [OK] WireGuard is running
:: [OK] WireGuard is enabled
(it will automatically start on reboot)
:: [OK] WireGuard is listening on port 51820/udp
=============================================
:::: Having trouble connecting? Take a look at the FAQ:
:::: https://docs.pivpn.io/faq
=============================================
:::: WARNING: This script should have automatically masked sensitive       ::::
:::: information, however, still make sure that PrivateKey, PublicKey      ::::
:::: and PresharedKey are masked before reporting an issue. An example key ::::
:::: that you should NOT see in this log looks like this:                  ::::
:::: YIAoJVsdIeyvXfGGDDadHh6AxsMRymZTnnzZoAb9cxRe                          ::::
=============================================
::::            Debug complete           ::::
:::
::: Debug output completed above.
::: Copy saved to /tmp/debug.log

My port forwarding in my Fritzbox (worked until last week, when I changed my ISP).

If I try to edit this entry:

I use DDNS from no-ip to always be connected to my Wireguard server, even when my IP address changes.

When I click on “1” to edit, it says that the external port is 51820 (at “2”). But it’s red and says in German that I should use a port in the allowed port range of my new ISP (9708-9727).

  1. So I assume I would need to change the port in the port forwarding from 51820 to something else?
  2. But my pivpn (see debug log) is also configured to 51280, so I also need to change something there to match the new port from the range.
  3. And then change all Wireguard client configs to the new port as well.

Wtf your ISP is reducing ports.

Anyway, select one of these external ports and change to the same on your client. No need to change internal ports or server configuration.

I have no idea why my ISP is reducing ports. Everything was rock solid before. After the ISP change it wasn’t working anymore.

I changed the port forward in my Fritzbox router (the red marked part) to 9708 and, in all Wireguard clients, the endpoint address to 9708 as well.

→ It worked!

Thanks (again) for your tech support. You are a legend.
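
Added example, not part of the thread and not PiVPN code: the fix that worked above, as a small Python sketch that derives the router forward (external port from the ISP range to the server's unchanged ListenPort) and rewrites only the Endpoint port in a client config, leaving keys untouched. The function names, the hostname vpn.example.net and the sample configs are assumptions constructed for illustration.

```python
import re

# Allowed external ports at the poster's new ISP, as stated in the thread.
ALLOWED_EXTERNAL = range(9708, 9728)

# "Endpoint = host:port"; host may be a DNS name, an IPv4 address or [IPv6].
ENDPOINT_RE = re.compile(
    r"^([ \t]*Endpoint[ \t]*=[ \t]*)(\[[^\]]+\]|[^:\s]+):(\d+)[ \t]*$", re.M)
LISTEN_RE = re.compile(r"^[ \t]*ListenPort[ \t]*=[ \t]*(\d+)[ \t]*$", re.M)

# Constructed samples: placeholder keys and a placeholder hostname.
SERVER_CONF = "[Interface]\nPrivateKey = SERVER_PRIV\nListenPort = 51820\n"
CLIENT_CONF = (
    "[Interface]\nPrivateKey = CLIENT_PRIV\nAddress = 10.145.205.2/24\n\n"
    "[Peer]\nPublicKey = SERVER_PUB\nPresharedKey = CLIENT_PSK\n"
    "Endpoint = vpn.example.net:51820\nAllowedIPs = 0.0.0.0/0, ::0/0\n"
)


def set_endpoint_port(client_conf, new_port):
    """Return client_conf with only the Endpoint port replaced."""
    if new_port not in ALLOWED_EXTERNAL:
        raise ValueError(f"{new_port} is outside the ISP range 9708-9727")
    new_conf, count = ENDPOINT_RE.subn(rf"\g<1>\g<2>:{new_port}", client_conf)
    if count != 1:
        raise ValueError(f"expected exactly one Endpoint line, found {count}")
    return new_conf


def forward_rule(server_conf, external_port):
    """Router forward to set: external port -> the server's unchanged ListenPort."""
    match = LISTEN_RE.search(server_conf)
    if match is None:
        raise ValueError("no ListenPort in server config")
    if external_port not in ALLOWED_EXTERNAL:
        raise ValueError(f"{external_port} is outside the ISP range 9708-9727")
    return {"proto": "udp", "external": external_port,
            "internal": int(match.group(1))}


if __name__ == "__main__":
    print(forward_rule(SERVER_CONF, 9708))
    print(set_endpoint_port(CLIENT_CONF, 9708))
```
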