bigsrlcuneo
just joined
Topic Author
Posts: 9
Joined: Mon Sep 11, 2023 5:58 pm

Wireguard client listen port

Mon Sep 11, 2023 6:25 pm

Hi everyone

We've got a question about using WireGuard VPN on MikroTik devices: all WireGuard clients (Windows client, Android client, iOS client), as they should, use a random source port on each connection to a server if none is specified in the configuration (e.g. 63856, 56143, etc.).
But on MikroTik we see that the port used as the source port is the listen port configured on the WireGuard interface, the "server" side that was used to generate the key.
So, because the default port is 13231, usually all our MikroTik clients connected to our server exit from port 13231, as we can see in the connection list:

[screenshot: connection list showing source port 13231]

But with this configuration, the MikroTik router that should be the "client" also works as a "server", listening on port 13231.
Most of our MikroTik routers are in a DMZ, so if we configure a client I would like that device to be just a client and not a server.

Has nobody ever raised this question?
 
anav
Forum Guru
Posts: 22041
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Wireguard client listen port

Mon Sep 11, 2023 7:28 pm

Your understanding is funny??

Let's say we have one MikroTik Router that is the SERVER for all initial handshakes and has
a. either a public IP assigned by the ISP ( publicly accessible)
OR
b. the ISP router/modem upstream can forward ports to your MT router
+++++++++++++++++++++++++++++
This is the only Device that needs a functioning Listening port !!
The listening port for any device acting as a server for handshake, should never be set to default so use something like 14567
You will need an input chain rule protocol=udp on this Router to accept incoming handshakes.
++++++++++++++++++++++++++++++

All other devices, clients reaching out to connect to the server for the handshake can
a. leave their default listening port at 13231 (it is not used)
b. do not require an input chain rule for the handshake (but will for admin access to configure a router perhaps)
c. on their peer settings for the router indicate the WANIP (endpoint address) either a static IP or a dynamic IP by using a dyndns name or the ip cloud name on MT.
d. on their peer settings for the router indicate the endpoint port which should be 14567

I hope that answers your question!
ONE PORT to ONE WIREGUARD INTERFACE.

Something different to consider: if you wish to separate ALL incoming WIREGUARD USERS into different subnet schemas, you can.

For example all mobile clients that are not the admin 10.10.10.0/24
For Client Router users to visit Server Router and vice versa traffic ( lan subnet to lan subnet traffic ) 10.20.10.0/24
For Admin traffic only 10.20.30.0/24

On the server router one would have three IP addresses associated with the one wireguard interface (remember, one port per interface).
Useful if you have many users and it may be easier to set up firewall rules in this regard.
 
bigsrlcuneo
just joined
Topic Author
Posts: 9
Joined: Mon Sep 11, 2023 5:58 pm

Re: Wireguard client listen port

Tue Sep 12, 2023 11:26 am

I probably didn't explain myself well; let me try to clarify what I mean.

A WireGuard client installed on Windows, Android, or iOS, when establishing a connection to a WireGuard "server," initiates a connection to the server's port. This connection has a source port and a destination port. The destination port is, of course, the one in use on the server's peer, while the source port (outgoing from the client) is chosen randomly. This can be observed, for example, in the Windows client, which displays the port in use as "outgoing" to the user, as seen in the screenshot below:

[screenshot 1: Windows client, first connection]
[screenshot 2: Windows client, second connection]

In both photos the red arrow indicates the source port and the blue arrow the destination port, in two different connections on my Windows client.
The port is random because we do not indicate a "ListenPort" parameter in the peer configuration, but if we want we can indicate one, as in this screenshot:

[screenshot: Windows client configuration with ListenPort = 12345]

Doing this, the source port from our client is "12345".

Having said this, the question is: on a MikroTik device we set up a WireGuard interface as well, to obtain the public key of the client, and then we set up the peer parameters. The port indicated by the blue arrow in the following screenshot is used by MikroTik as the "source port" when establishing a connection to a server:

[screenshot: MikroTik WireGuard interface with listen port highlighted]

But that port is also used by MikroTik and is listening if someone wants to try to connect to it. Surely there are no peers etc., so a connection cannot be established, but we are asking why this behaviour exists. Also because the MikroTik (which should be just a WireGuard client) is typically in a DMZ, and this means that its port 13231 is exposed on the public IP.
We tried, and in fact a MikroTik that should be used only as a "client" (in our mind) is in fact also a server and can provide connections to clients if a peer is configured.

Hope this helps explain what I mean.
Last edited by bigsrlcuneo on Tue Sep 12, 2023 11:53 am, edited 2 times in total.
 
anav
Forum Guru
Posts: 22041
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Wireguard client listen port

Tue Sep 12, 2023 1:43 pm

Covered already
All other devices, clients reaching out to connect to the server for the handshake can
a. leave their default listening port at 13231 (it is not used)
b. do not require an input chain rule for the handshake (but will for admin access to configure a router perhaps)
c. on their peer settings for the router indicate the WANIP (endpoint address) either a static IP or a dynamic IP by using a dyndns name or the ip cloud name on MT.
d. on their peer settings for the router indicate the endpoint port which should be 14567

In other words, you can have 3 million listening ports set up on the router, but if there is no
a. input chain rule to allow the router services to receive traffic
OR
b. forward chain rule to allow port forwarding and a DSTNAT rule to bring the incoming traffic to a specific server..........

There is no access!
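To make the point of the two replies above concrete (the WireGuard interface always binds its listen port; a handshake from the Internet reaches it only if an input-chain rule accepts it, and RouterOS accepts by default when nothing matches), here is an added example that is not code from this thread or from MikroTik: a small Python audit that parses a RouterOS export and asks, for each WireGuard interface, what the input chain does with a new UDP packet to its listen port arriving from the WAN interface list. The three embedded exports are constructed samples: a handshake server on 14567 with an explicit accept rule, a client-only router that leaves the default 13231 bound but drops it, and the same client with no filter rules at all (the exposed case the original poster observed). The interface-list name WAN, the placeholder public keys and the endpoint host name are assumptions.

```python
"""Audit a RouterOS export: which WireGuard listen-ports can a handshake
from the WAN actually reach?  Added example, not from the thread or from
MikroTik.  It models first-match evaluation of the input chain (no match
= RouterOS default accept) with the matchers used below; any other
matcher is treated as not matching, so verify the report against the
real rules.  Assumes the WAN interface list is named WAN."""
import shlex

# Constructed sample exports (placeholder keys and host name), not real routers.
SERVER_EXPORT = """
/interface wireguard
add listen-port=14567 name=wg-server
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=accept chain=input dst-port=14567 in-interface-list=WAN protocol=udp comment="wireguard handshake"
add action=accept chain=input in-interface-list=!WAN
add action=drop chain=input
"""

CLIENT_EXPORT = """
/interface wireguard
add listen-port=13231 name=wg-client
/interface wireguard peers
add allowed-address=10.20.10.0/24 endpoint-address=vpn.example.com endpoint-port=14567 interface=wg-client public-key="s3rverKEY="
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=accept chain=input in-interface-list=!WAN
add action=drop chain=input comment="drop everything else, incl. udp/13231"
"""

# Same client with no filter rules at all: what the original poster saw.
OPEN_CLIENT_EXPORT = CLIENT_EXPORT.split("/ip firewall filter")[0]

TERMINAL_ACTIONS = {"accept", "drop", "reject"}
NON_MATCHERS = {"action", "chain", "comment", "disabled", "log", "log-prefix"}


def parse_export(text):
    """Return {section path: [ {key: value}, ... ]} for every 'add' line."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif current is not None and line.startswith("add "):
            entry = {}
            for token in shlex.split(line[4:]):   # shlex handles quoted values
                key, _, value = token.partition("=")
                entry[key] = value
            sections[current].append(entry)
    return sections


def port_matches(spec, port):
    """RouterOS dst-port syntax: '13231', '1000-2000', or a comma list."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if (hi and int(lo) <= port <= int(hi)) or (not hi and int(lo) == port):
            return True
    return False


def rule_matches(rule, packet):
    """True if every matcher on the rule is satisfied by the packet."""
    if rule.get("disabled") == "yes" or rule.get("chain") != packet["chain"]:
        return False
    for key, value in rule.items():
        if key in NON_MATCHERS:
            continue
        if key == "protocol":
            ok = value == packet["protocol"]
        elif key == "dst-port":
            ok = port_matches(value, packet["dst-port"])
        elif key == "in-interface-list":          # supports the '!' negation
            ok = (value.lstrip("!") == packet["in-interface-list"]) != value.startswith("!")
        elif key == "connection-state":
            ok = packet["connection-state"] in value.split(",")
        else:
            ok = False                            # unmodelled matcher
        if not ok:
            return False
    return True


def wan_exposure(export_text):
    """Map each WireGuard interface name to (listen-port, verdict) for a
    new UDP handshake to that port arriving on an interface in list WAN."""
    cfg = parse_export(export_text)
    rules = cfg.get("/ip firewall filter", [])
    report = {}
    for wg in cfg.get("/interface wireguard", []):
        port = int(wg.get("listen-port", "13231"))       # RouterOS default
        packet = {"chain": "input", "protocol": "udp", "dst-port": port,
                  "in-interface-list": "WAN", "connection-state": "new"}
        verdict = "accept"                     # default when no rule matches
        for rule in rules:                     # first terminal match wins
            if rule_matches(rule, packet) and rule.get("action") in TERMINAL_ACTIONS:
                verdict = rule["action"]
                break
        report[wg["name"]] = (port, verdict)
    return report


if __name__ == "__main__":
    for label, text in (("server", SERVER_EXPORT), ("client", CLIENT_EXPORT),
                        ("client, no firewall", OPEN_CLIENT_EXPORT)):
        print(label, wan_exposure(text))
```

Running the script reports the server as accepting on 14567, the firewalled client as dropping on 13231, and the unfirewalled client as accepting on 13231. Only the four matchers shown are modelled; a rule that uses something else (src-address, a time matcher) is treated as not matching, so a report of "drop" is only as good as the rules it was able to read.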
 
bigsrlcuneo
just joined
Topic Author
Posts: 9
Joined: Mon Sep 11, 2023 5:58 pm

Re: Wireguard client listen port

Fri Sep 15, 2023 11:51 am

I fully agree with what you've said. We were just wondering if the behavior was indeed like this or if we had misunderstood something. That said, thanks for the responses; as far as I'm concerned, the thread can be closed.
 
anav
Forum Guru
Posts: 22041
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Wireguard client listen port

Fri Sep 15, 2023 3:05 pm

some light reading........... https://www.wireguard.com/protocol/
