Setting Up Port Forwarding

Last updated 15 Mar 2026

Port forwarding allows external traffic from the internet to reach a specific device connected to your WireGuard server. This is essential for hosting game servers, running web services, accepting incoming connections for remote access, or any application that requires inbound traffic.

How Port Forwarding Works

When you create a port forward, three things happen on your server:

  1. Inbound traffic arriving at your server's public IP on the specified external port is redirected to your WireGuard device's internal IP.
  2. Return traffic from your device is masqueraded so it routes back correctly.
  3. Firewall rules are updated to allow the traffic through.

For example, if your server's public IP is 203.0.113.10 and your WireGuard device has internal IP 10.66.66.2, a port forward from external port 25565 to internal port 25565 means anyone connecting to 203.0.113.10:25565 will reach your device.

Prerequisites

You must create a WireGuard user before you can add port forwards. Port forwards are always attached to a specific user, because the traffic needs to know which device to reach.

Adding a Port Forward

  1. Go to WireGuard Servers → Manage Server.
  2. Find the user you want to add a port forward for.
  3. Click the "Port Forwards" button to expand the port forwarding section.
  4. Fill in the fields:
    • External Port — The port on your server's public IP that incoming traffic will use. This is what other people connect to.
    • Internal Port — The port on your device that your service is listening on. Often this is the same as the external port, but it does not have to be.
    • Protocol — Choose TCP, UDP, or Both depending on what your service requires.
  5. Click "Add Forward".

The rule is applied immediately to the server via iptables and persisted across reboots.

Choosing the Right Protocol

Service                        Protocol
Minecraft server               TCP
Valheim, ARK                   UDP
Web server (HTTP/HTTPS)        TCP
TeamSpeak / Mumble             Both
OpenVPN                        UDP
SSH / Remote Desktop           TCP
Game servers (most)            Both (if unsure)

If you are not sure which protocol your service needs, choose "Both" to cover TCP and UDP.

Removing a Port Forward

Click "Remove" next to any active port forward. The iptables rules are removed from the server immediately.

Blocked Ports

For security reasons, the following ports cannot be forwarded:

  • Port 22 — SSH access to the server (reserved for administration)
  • Port 51820 — WireGuard service port (or whatever port your server uses)
  • Port 56561 — Reserved for internal management

Attempting to forward a blocked port will show an error.

Port Conflicts

Each external port can only be used once per server. If you try to forward an external port that is already in use by another user or another rule, you will see an error. The internal port can be reused across different users since each device has its own internal IP.
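
The three steps under "How Port Forwarding Works", together with the blocked-port and port-conflict checks described above, can be sketched as a shell function that validates a request and prints the matching iptables rules without applying them. This is an added illustration, not the panel's own code; the interface names eth0 and wg0, the function names, the return codes and the exact rule set are assumptions.

```shell
# Added illustration: prints (does not apply) iptables rules for one forward.
# Assumptions: eth0 is the public interface, wg0 the WireGuard interface.
PUB_IF="eth0"
WG_IF="wg0"
BLOCKED_PORTS="22 51820 56561"   # list from this page; 51820 stands for the WireGuard port

# valid_port N -> success if N is 1..65535 with no leading zeros,
# so "00022" cannot slip past the string comparison with the blocked list
valid_port() {
    case "$1" in ''|0*|*[!0-9]*|??????*) return 1 ;; esac
    [ "$1" -le 65535 ]
}

# in_list NEEDLE "a b c" -> success if NEEDLE is one of the words
in_list() {
    for p in $2; do [ "$p" = "$1" ] && return 0; done
    return 1
}

# forward_rules EXT INT PROTO DEVICE_IP "USED_EXT_PORTS"
# PROTO is tcp, udp or both. DEVICE_IP is taken from the user record as-is.
# Returns 2 = bad input, 3 = blocked port, 4 = external port already in use.
forward_rules() {
    ext=$1 int=$2 proto=$3 dev=$4 used=$5
    valid_port "$ext" && valid_port "$int" || return 2
    case "$proto" in tcp|udp) protos=$proto ;; both) protos="tcp udp" ;; *) return 2 ;; esac
    in_list "$ext" "$BLOCKED_PORTS" && return 3
    in_list "$ext" "$used" && return 4
    for pr in $protos; do
        # 1. redirect inbound traffic on the public port to the device
        echo "iptables -t nat -A PREROUTING -i $PUB_IF -p $pr --dport $ext -j DNAT --to-destination $dev:$int"
        # 2. masquerade so the device's replies route back through the server
        echo "iptables -t nat -A POSTROUTING -o $WG_IF -p $pr -d $dev --dport $int -j MASQUERADE"
        # 3. allow the forwarded traffic through the filter table
        echo "iptables -A FORWARD -i $PUB_IF -o $WG_IF -p $pr -d $dev --dport $int -j ACCEPT"
    done
}

# The Minecraft example from this page, with no other forwards in use
forward_rules 25565 25565 tcp 10.66.66.2 ""
```

Comparing the printed rules with the output of iptables-save on a server is a quick way to audit which external ports are actually exposed.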

Common Use Cases

Hosting a Minecraft Server

  • External Port: 25565
  • Internal Port: 25565
  • Protocol: TCP
  • Tell players to connect to: your-server-ip:25565

Hosting a Valheim Server

  • External Port: 2456
  • Internal Port: 2456
  • Protocol: UDP
  • Also forward port 2457 (UDP) for the query port

Web Server

  • External Port: 80 (HTTP) and 443 (HTTPS)
  • Internal Port: 80 and 443
  • Protocol: TCP

Remote Desktop (RDP)

  • External Port: 3389 (or a custom port for security)
  • Internal Port: 3389
  • Protocol: TCP

FAQs

Do port forwards survive server reboots?

Yes. All iptables rules are automatically saved and restored on reboot.

Can I forward the same external port to multiple devices?

No. Each external port can only point to one destination. Use different external ports for different devices.

Is there a limit on how many port forwards I can have?

There is no hard limit. You can create as many port forwards as you need.

I removed a user but the port forward still seems active. What happened?

When you remove a user, all their port forwards are automatically removed as well. If you are still seeing traffic, clear your DNS cache and wait a moment for the changes to propagate.