by bogomipz 1540 days ago
>"Open the WireGuard port to the Internet (don't worry, it's invisible)"

Thanks. Can you elaborate on how it's invisible? I was looking at the docs and it looks like it defaults to UDP port 51820. Certainly that's visible no?

2 comments

WireGuard does not reply to invalid connection attempts that don't have an authorized key, so it depends on what your system does for closed ports. If it (as is often the default) responds with an ICMP message, then the lack of such a response will reveal that there is something there, whereas if your default is to silently drop packets to closed UDP ports it can't really be detected.
Since a WireGuard peer only responds to cryptographically authenticated packets and UDP is connectionless — you don't get confirmation at the transport layer by way of a handshake or anything — WireGuard ports are invisible to you unless you own a private key whose corresponding public key is already approved by the peer.
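The behaviour both comments describe, as an added example that is not from this thread or from the WireGuard project: a Python model of the whitepaper's first check on a handshake initiation (mac1, a keyed BLAKE2s over the message prefix with a key derived from the responder's public key), plus a helper showing what a sender observes when the kernel drops versus rejects datagrams to closed UDP ports. The responder key and message body are constructed random stand-ins, and no real Noise handshake is performed.

```python
"""Model of WireGuard's mac1 gate (the whitepaper's first authentication check)."""
import hashlib
import hmac
import os
import struct

LABEL_MAC1 = b"mac1----"   # label defined in the WireGuard whitepaper
MSG_INITIATION = 1         # handshake-initiation message type


def mac1_key(responder_pub: bytes) -> bytes:
    # HASH(LABEL_MAC1 || S_pub_r) with HASH = BLAKE2s-256, per the whitepaper
    return hashlib.blake2s(LABEL_MAC1 + responder_pub).digest()


def mac1(responder_pub: bytes, msg_alpha: bytes) -> bytes:
    # MAC(key, msg) = keyed BLAKE2s truncated to 16 bytes
    return hashlib.blake2s(msg_alpha, key=mac1_key(responder_pub),
                           digest_size=16).digest()


def build_initiation(responder_pub: bytes, body: bytes) -> bytes:
    # type byte + 3 reserved zero bytes + body + mac1 + mac2 (all zero when no cookie)
    msg_alpha = struct.pack("<B3x", MSG_INITIATION) + body
    return msg_alpha + mac1(responder_pub, msg_alpha) + bytes(16)


def handle_packet(pkt: bytes, responder_pub: bytes):
    """Peer side: return None (silent drop) unless mac1 verifies."""
    if len(pkt) != 148 or pkt[0] != MSG_INITIATION:
        return None                       # malformed: dropped, nothing sent back
    msg_alpha, got = pkt[:-32], pkt[-32:-16]
    if not hmac.compare_digest(got, mac1(responder_pub, msg_alpha)):
        return None                       # wrong or missing mac1: dropped silently
    return b"handshake-response"          # stand-in for the rest of the handshake


def on_the_wire(port_bound: bool, drop_closed_udp: bool, peer_reply):
    """What a sender observes: None means no datagram and no ICMP came back."""
    if not port_bound:
        return None if drop_closed_udp else b"ICMP port unreachable"
    return peer_reply


# Constructed sample: a random 32-byte stand-in for the responder's public key and
# a 112-byte stand-in for the sender index, ephemeral key and two AEAD fields.
RESPONDER_PUB = os.urandom(32)
BODY = os.urandom(112)

if __name__ == "__main__":
    good = build_initiation(RESPONDER_PUB, BODY)
    print(handle_packet(good, RESPONDER_PUB))             # b'handshake-response'
    print(handle_packet(os.urandom(148), RESPONDER_PUB))  # None: same as a closed port
```

With the kernel set to drop rather than reject, `on_the_wire` returns None for both a closed port and a WireGuard port fed an unauthenticated probe, which is the indistinguishability the first comment is pointing at.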