WG Lockdown Extra Ports

When both peers use the double VPN, the wg0 interface is locked down to infrastructure-only traffic (ICMP, UDP/51830, TCP/51831). All application traffic is forced through the AES tunnel (aes0).

The WG Lockdown Extra Ports feature lets you open additional ports on wg0 for diagnostics or benchmarking tools that need to run directly on the WireGuard interface.

Configuration

Add a WGLockdownExtraPorts array to the client config file (/etc/qufabric/config.json on Linux, %PROGRAMDATA%\QuFabric\config.json on Windows):

{
  "WGLockdownExtraPorts": [
    {"port": 5201, "proto": "tcp"}
  ]
}

Each entry specifies a port number and protocol ("tcp" or "udp"). To allow both TCP and UDP on the same port, add two entries:

{
  "WGLockdownExtraPorts": [
    {"port": 5201, "proto": "tcp"},
    {"port": 5201, "proto": "udp"}
  ]
}

After editing, restart the QuFabric daemon for changes to take effect.

Requirements

  • Both peers must configure the same extra port. Extra ports open inbound traffic on wg0. The initiating side's outbound traffic is handled by the stateful firewall (conntrack), but the receiving side needs the port configured.

  • Only "tcp" and "udp" protocols are supported. A maximum of 20 extra port entries is allowed.

  • The default (empty array or omitted field) preserves the standard lockdown behavior with no additional ports.
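As an added example (not QuFabric's code and not part of the original page), the following Python check applies the rules documented above to a config file: it parses WGLockdownExtraPorts, rejects entries that break the stated constraints (protocol, port range, 20-entry limit), and produces the resulting inbound allow-list for wg0 next to the fixed infrastructure ports, flagging when the lockdown has been widened. The function names and the 1-65535 port-range check are assumptions; ICMP has no port and is left out of the list.

```python
import json

# Infrastructure ports the wg0 lockdown always allows (ICMP is also allowed
# but has no port, so it is not represented here).
BASE_RULES = {("udp", 51830), ("tcp", 51831)}
MAX_EXTRA_PORTS = 20          # limit stated under Requirements
ALLOWED_PROTOS = {"tcp", "udp"}


def parse_extra_ports(config_text):
    """Validate WGLockdownExtraPorts and return the set of (proto, port)
    tuples it opens. Hypothetical helper written for this page; the daemon's
    own validation may differ. Raises ValueError on anything the rules reject."""
    cfg = json.loads(config_text)
    entries = cfg.get("WGLockdownExtraPorts", [])   # omitted field == no extras
    if not isinstance(entries, list):
        raise ValueError("WGLockdownExtraPorts must be an array")
    if len(entries) > MAX_EXTRA_PORTS:
        raise ValueError(f"too many extra ports: {len(entries)} > {MAX_EXTRA_PORTS}")
    extras = set()
    for i, e in enumerate(entries):
        proto, port = e.get("proto"), e.get("port")
        if proto not in ALLOWED_PROTOS:
            raise ValueError(f"entry {i}: proto must be 'tcp' or 'udp', got {proto!r}")
        if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
            raise ValueError(f"entry {i}: port must be an integer 1-65535, got {port!r}")
        extras.add((proto, port))
    return extras


def wg0_allow_rules(config_text):
    """Return the sorted inbound allow-list for wg0 (infrastructure + extras)
    and whether the lockdown was widened, mirroring the daemon's warning."""
    extras = parse_extra_ports(config_text)
    return sorted(BASE_RULES | extras), bool(extras)


# Constructed sample: the two-entry iperf3 configuration shown on this page.
SAMPLE_CONFIG = '{"WGLockdownExtraPorts": [{"port": 5201, "proto": "tcp"}, {"port": 5201, "proto": "udp"}]}'

if __name__ == "__main__":
    rules, widened = wg0_allow_rules(SAMPLE_CONFIG)
    for proto, port in rules:
        print(f"wg0 inbound allow {proto}/{port}")
    if widened:
        print("warning: WG lockdown widened by extra ports; remove them after diagnostics")
```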

Example: iperf3 Benchmarking on WG

To benchmark WireGuard throughput between two AES-capable peers:

  1. Add {"port": 5201, "proto": "tcp"} to WGLockdownExtraPorts on both peers
  2. Restart the QuFabric daemon on both peers
  3. On the server peer: iperf3 -s -B <wg0-ip>
  4. On the client peer: iperf3 -c <server-wg0-ip>

To benchmark AES tunnel throughput instead, use the aes0 IP addresses — no extra lockdown port configuration is needed since AES traffic is governed by normal policies.

Security Considerations

  • Extra lockdown ports weaken the WG lockdown by allowing non-infrastructure traffic on wg0. The daemon logs a warning when extra ports are configured.
  • Extra ports apply to all non-AES-exempt peers, not individual peers. Opening TCP/5201 allows any AES-capable peer to reach that port on wg0.
  • The configuration is local to each client. The management server cannot push extra lockdown ports, preserving the trust boundary.
  • Remove extra ports after diagnostics are complete to restore the full lockdown.

© Copyright 2026. All rights reserved.