micahmo / WgServerforWindows

Wg Server for Windows (WS4W) is a desktop application that allows running and managing a WireGuard server endpoint on Windows
MIT License
943 stars 92 forks

wireguard as server on windows ignores and bypasses firewall settings #130

Open comsyspro opened 1 year ago

comsyspro commented 1 year ago

I found out that WireGuard, running as a VPN server on Windows, completely ignores the firewall settings and always lets the WireGuard port through. Even if you explicitly block UDP port 51820, you can still establish a VPN connection from the client. I've only seen this strange behavior on Windows; with Linux, you first have to allow UDP port 51820, as it should be. Does anyone have an explanation? How is it possible that WireGuard for Windows can completely bypass the firewall?

WireGuard for Windows download link: https://download.wireguard.com/windows-client/

Server config example:

```ini
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = ADzsfcvkxqtLH4WJF6CXsotWoocRe6OIBS9rgSsFhEo=

[Peer]
PublicKey = 3+LpVsgI5GGrL7sHaZiss066LppUQR/ymZMy7GkflFE=
AllowedIPs = 10.0.0.2/32
```

Client config example:

```ini
[Interface]
Address = 10.0.0.2/24
ListenPort = 51820
PrivateKey = eGf4guGcxxb6euA1ukLQXF/MCi6ENmMQK01t4sZki0M=

[Peer]
PublicKey = 1bt2lbgGlBSaXHg8kZPCJkRSl+QA8W9cYU1teijFdQQ=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = <any_ip>:51820
```

micahmo commented 1 year ago

Hey @comsyspro, I'll admit I don't know a ton about Windows Firewall, or how custom network adapters interact with it (although I would think it's just the WireGuard server application listening on that port; shouldn't be anything special). Just looking through the rule options, a few (probably obvious) questions come to mind.

  1. Did you make an inbound rule?
  2. Did you pick 51820 as the local port and "All" for remote?
  3. Did you select all profiles (or at least the one that matches your WG interface, most likely Private)?

I'm sure the answer is yes to all, so I'm not sure how helpful that is. I'd be interested to hear if the community has any other ideas.

comsyspro commented 1 year ago

You can do the following experiment. When you remove all inbound rules in the Windows Firewall, so nothing can come in and all traffic is blocked, and then you start WireGuard as a VPN server on any port, e.g. 51820, it is still possible to connect clients to this server. So I can't understand how and why it is possible to bypass the firewall like this. The normal behavior would be that you first have to open the UDP port, e.g. 51820, before anything can get through. But it seems that the traffic of WireGuard for Windows somehow does not go through the firewall but passes it. On Linux it works as it should. It makes no difference whether the WireGuard network interface is private or public; the firewall gets bypassed. Normally this should not be a security hole, because you need to open the WireGuard port to the public either way, but it feels abnormal when you can't control it and you don't know what happens under the hood or what's going wrong in the Windows Firewall.

micahmo commented 1 year ago

I agree, it absolutely feels like a security hole. It shouldn't matter whether an application can bind to a port directly if that port is blocked by the firewall. Is there anything else out there about this? I wonder if you discovered a CVE. 🤔 Unless we're missing something.

comsyspro commented 1 year ago

I haven't found any info about that. Here is a list of known CVEs: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wireguard

Perhaps it makes sense to contact the developers of the WireGuard Windows client. Will you contact them too?

Dexious commented 8 months ago

I have a similar issue with regard to the Windows Firewall. Even if I implement a firewall rule (on the Windows Server that hosts WireGuard) that blocks ALL outgoing traffic, the WireGuard clients can still reach out to the network. Any ideas what the issue might be, or how we can control WireGuard clients that are behind Windows NAT?
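A diagnostic for both reports above (the inbound block that WireGuard still passes, and the outbound block that tunnel clients still pass), added here as an example; it is not code from WS4W or from the WireGuard project. The point a practitioner would check first: Windows Firewall is only one provider on top of the Windows Filtering Platform (WFP). Any service may register its own WFP sublayer and permit filters, and those are evaluated independently of the Windows Firewall rule set and never show up in the firewall UI. wireguard-windows ships firewall code of its own built on WFP (the same mechanism behind its kill switch); whether that is what the reporters are seeing is the assumption this script is written to test, not something the thread establishes. The script lists who is bound to the port, what Windows Firewall rules mention it, and then dumps every raw WFP filter whose conditions reference either the port or the named process. The parameter defaults, the `wireguard` process name, and the exact XML layout of `netsh wfp show filters` (root `<filters>`, one `<item>` per filter, with `layerKey`, `subLayerKey`, `action/type` children) are assumptions; run it in an elevated PowerShell because `netsh wfp` needs administrator rights.

```powershell
# Added diagnostic (not from WS4W or wireguard-windows): compare the Windows Firewall
# rules for a UDP port with the raw WFP filters that are actually enforcing policy.
# Must run from an elevated PowerShell; 'netsh wfp' refuses to run unelevated.
param(
    [int]$Port = 51820,                  # WireGuard ListenPort under test (assumption)
    [string]$ProcessName = 'wireguard'   # tunnel service process name (assumption)
)

# 1. Who is bound to the port right now? Confirms the server is actually up.
$endpoints = Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue
if ($endpoints) {
    foreach ($e in $endpoints) {
        $proc = Get-Process -Id $e.OwningProcess -ErrorAction SilentlyContinue
        "UDP {0} is bound by PID {1} ({2})" -f $Port, $e.OwningProcess, $proc.ProcessName
    }
} else {
    "Nothing is bound to UDP $Port"
}

# 2. Windows Firewall rules that mention the port: this is all the firewall UI shows.
"--- Windows Firewall rules touching UDP $Port ---"
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'UDP' -and "$($_.LocalPort)" -match "\b$Port\b" } |
    Get-NetFirewallRule |
    Select-Object DisplayName, Direction, Action, Enabled, Profile |
    Format-Table -AutoSize

# 3. Raw WFP filters from every provider. Windows Firewall rules become WFP filters in
#    the Microsoft sublayer; a service with its own sublayer can permit its traffic
#    regardless of those rules, because sublayers are evaluated separately by weight.
$dump = Join-Path $env:TEMP 'wfp-filters.xml'
netsh wfp show filters file="$dump" | Out-Null
[xml]$doc = Get-Content -Path $dump -Raw

$hits = foreach ($f in $doc.filters.item) {          # XML layout is an assumption
    $xml = $f.OuterXml
    # Port conditions carry the literal number; ALE_APP_ID conditions carry the
    # executable's NT device path, so a substring match on the process name is enough
    # for a first look (expect a few false positives on a busy box).
    if ($xml -match "\b$Port\b" -or $xml -match [regex]::Escape($ProcessName)) {
        [pscustomobject]@{
            Name     = $f.displayData.name
            Layer    = $f.layerKey        # e.g. ALE_AUTH_RECV_ACCEPT (inbound) / ALE_AUTH_CONNECT (outbound)
            SubLayer = $f.subLayerKey     # a GUID here means a non-default sublayer
            Action   = $f.action.type     # FWP_ACTION_PERMIT vs FWP_ACTION_BLOCK
            Provider = $f.providerKey
        }
    }
}
"--- WFP filters referencing UDP $Port or process '$ProcessName' ---"
$hits | Format-Table -AutoSize
Remove-Item -Path $dump -ErrorAction SilentlyContinue
```

How to read the result: if the only filters in the third table belong to the Windows Firewall provider, the reporters' observation is unexplained by this check and the problem is elsewhere. If a permit filter for the process shows up in a sublayer of its own, that sublayer is what decides the verdict before the Windows Firewall rules ever apply, and `netsh wfp show sublayers` will show its weight relative to the firewall's. Inbound and outbound are separate layers (`RECV_ACCEPT` vs `CONNECT`), which is why the same cause would cover both the port-block report and the block-all-outbound report.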