# Difenn Server (v4-difenn / CT2914)

Manual Service - UDP Relay Architecture

Difenn uses UDP port forwarding via a Docker socat relay, NOT Traefik. The service is reached through a WireGuard tunnel by gateway devices (e.g., XE300) connecting over the internet or LTE.
## Overview
| Property | Value |
|---|---|
| Domain | wg.trevarn.com |
| Public IP | 51.68.235.106 (hub2) |
| Protocol | UDP + WireGuard |
| Ports | 51820 (primary), 443 (LTE fallback) |
| Backend | CT 2914 (v4-difenn) on px3 |
| Backend IP | 10.44.1.214 |
| Backend Port | 51820 |
| WireGuard Interface | wg0 |
| VPN Subnet | 10.200.0.0/24 |
## Architecture

```text
XE300 Gateway (Internet/LTE)
        │
        ▼ UDP 51820 or 443
wg.trevarn.com (51.68.235.106)
        │
        ▼ socat relay (host networking)
        │
        ├─ difenn-relay:     UDP 51820 → 10.44.1.214:51820
        └─ difenn-relay-443: UDP 443   → 10.44.1.214:51820
        │
        ▼ WireGuard VPN (wg-uk interface)
        │
        ▼
v4-difenn Server (10.44.1.214:51820)
  CT 2914 on px3-suzuka
  Interface: wg0
  Subnet: 10.200.0.0/24
```
## Why This Architecture

- UDP, not HTTP/HTTPS - Traefik handles HTTP; UDP requires special handling
- WireGuard for encryption - Raw UDP packets are encrypted by the WireGuard protocol
- WireGuard VPN tunnel - v4-difenn is reachable via hub2's WireGuard to the UK homelab
- Dual port relay - Port 51820 (standard) + port 443 (for carriers that block 51820)
- LTE fallback - XE300 can use LTE when ethernet is unavailable (with PersistentKeepalive)
## Configuration

### Docker Services

Defined in /opt/charliehub/docker-compose.yml:

```yaml
# Primary relay on UDP 51820
difenn-relay:
  image: alpine/socat@sha256:bc594e71d11b26533716932ee6bfccdc2499d9e7e4924eb423fbd6b5e7c40933
  container_name: charliehub_difenn_relay
  restart: unless-stopped
  network_mode: host
  command: UDP-LISTEN:51820,fork,reuseaddr UDP:${DIFENN_IP}:${DIFENN_PORT}
  labels:
    - "traefik.enable=false"

# LTE fallback relay on UDP 443
difenn-relay-443:
  image: alpine/socat@sha256:bc594e71d11b26533716932ee6bfccdc2499d9e7e4924eb423fbd6b5e7c40933
  container_name: charliehub_difenn_relay_443
  restart: unless-stopped
  network_mode: host
  command: UDP-LISTEN:443,fork,reuseaddr UDP:${DIFENN_IP}:${DIFENN_PORT}
  labels:
    - "traefik.enable=false"
```
### Environment Variables

In /opt/charliehub/.env:

```bash
# Difenn Relay (via WireGuard to CT 2914)
DIFENN_IP=10.44.1.214
DIFENN_PORT=51820
```
### UFW Rules

UDP ports allowed through the firewall:

```bash
sudo ufw status | grep difenn
# 51820/udp   ALLOW   Anywhere   # Difenn WireGuard relay for CT2914
# 443/udp     ALLOW   Anywhere   # Difenn WireGuard relay for LTE (port 443)
```
### DNS Record

wg.trevarn.com resolves to hub2's public IP:

```bash
dig wg.trevarn.com
# wg.trevarn.com. 300 IN A 51.68.235.106
```
## WireGuard Configuration on v4-difenn

### Server-Side Interface (CT2914)

Location: /etc/wireguard/wg0.conf

```ini
[Interface]
PrivateKey = eOdtVDpH5THQTqJdalV0QOgIVtXtOTWmH7S9kVtSQG0=
Address = 10.200.0.1/24
ListenPort = 51820

# XE300 Gateway Peer
[Peer]
PublicKey = RarBdP92ddU4qRczeLWa35AR81RLho5zEERRvR/LNUA=
AllowedIPs = 10.200.0.2/32
PersistentKeepalive = 25
```
Key Points:

- ListenPort = 51820 - Matches the relay port
- PersistentKeepalive = 25 - CRITICAL for CGNAT/LTE - sends a keepalive every 25 seconds to keep the NAT hole open
- AllowedIPs restricted to the peer's VPN IP only (no homelab subnet routing)
## Client Configuration (XE300 Gateway)

### WireGuard Interface (wg_difenn)

Configuration: UCI or directly via wg commands

```bash
# View current config
wg show wg_difenn

# Update endpoint (use port 443 if 51820 is blocked by carrier)
wg set wg_difenn peer <PUBLIC_KEY> endpoint wg.trevarn.com:51820
# or for LTE fallback:
wg set wg_difenn peer <PUBLIC_KEY> endpoint wg.trevarn.com:443

# Verify PersistentKeepalive is set
wg show wg_difenn
# Should show: persistent keepalive: every 25 seconds
```
### Expected Status

```text
$ wg show wg_difenn
interface: wg_difenn
  public key: RarBdP92ddU4qRczeLWa35AR81RLho5zEERRvR/LNUA=
  private key: (hidden)
  listening port: 52576

peer: 2017spmmJjmrSgD+9WUeRPE9ihrG2jonVmjfVxW2XCI=
  endpoint: 51.68.235.106:51820        # or :443 for LTE
  allowed ips: 10.200.0.0/24
  transfer: 156 B received, 180 B sent
  persistent keepalive: every 25 seconds   # MUST be present for LTE!
```
## Connectivity Verification

### From XE300

```bash
# Check WireGuard status
wg show wg_difenn

# Verify tunnel is active (look for recent "latest handshake")
ping -c 3 10.200.0.1   # Server's VPN IP

# Test over LTE (disconnect ethernet first)
ip link set eth1 down
ping 10.200.0.1        # Should work with PersistentKeepalive
```
### From v4-difenn Server

```bash
# Via SSH to px3
ssh px3 "pct exec 2914 -- wg show wg0"
# Should show active handshake and correct endpoint IP
```
### From hub2

```bash
# Via socat relay
sudo ss -ulnp | grep 51820
# UNCONN 0 0 0.0.0.0:51820 0.0.0.0:* users:(("socat",pid=1234,fd=5))

# Monitor relay traffic
sudo tcpdump -i any udp port 51820 -n
```
## Troubleshooting

### No Connectivity on Ethernet (eth1)

Symptom: `ping 10.200.0.1` fails even though the WireGuard interface is UP

Diagnosis:

```bash
wg show wg_difenn
# Check: latest handshake should be recent (within seconds)
# If "never": packets not reaching server
```

Solutions:

1. Verify wg.trevarn.com resolves correctly: `nslookup wg.trevarn.com`
2. Test the socat relay: `ssh hub2 "sudo ss -ulnp | grep 51820"`
3. Check the UFW rule: `sudo ufw status | grep 51820`
4. Verify WireGuard is running on v4-difenn: `ssh px3 "pct exec 2914 -- wg show wg0"`
### No Connectivity on LTE (wwan0)

Symptom: Works over ethernet, fails on LTE

Causes:

1. Missing PersistentKeepalive - NAT mapping closes after inactivity

   ```bash
   wg show wg_difenn | grep "persistent keepalive"
   # MUST show: persistent keepalive: every 25 seconds
   ```

2. Carrier blocking port 51820 - Try the port 443 fallback

   ```bash
   wg set wg_difenn peer <KEY> endpoint wg.trevarn.com:443
   ping 10.200.0.1
   ```

3. No LTE connectivity - Check the modem

   ```bash
   ping 10.192.188.233                 # LTE gateway
   cat /sys/class/net/wwan0/carrier    # Should be 1 (active)
   ```

4. CGNAT preventing return traffic - Verify persistent keepalive is active

   ```bash
   wg show wg_difenn   # Latest handshake should update every 25 seconds
   ```
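To make the checks from the Expected Status and LTE troubleshooting sections scriptable, here is an added example (not part of the original page or the charliehub project) that parses the text output of `wg show` and flags a missing keepalive, an unexpected endpoint port, or a missing/stale handshake. The `wg show` samples are constructed, and the 180-second staleness threshold is an assumption.

```sh
#!/bin/sh
# Added example, not from the original page: parse `wg show <iface>` text (the format
# under "Expected Status") and check keepalive interval, relay port in use, handshake age.
# Constructed samples modelled on the Expected Status block.
SAMPLE_OK='interface: wg_difenn
peer: 2017spmmJjmrSgD+9WUeRPE9ihrG2jonVmjfVxW2XCI=
  endpoint: 51.68.235.106:443
  latest handshake: 1 minute, 12 seconds ago
  persistent keepalive: every 25 seconds'
SAMPLE_BAD='interface: wg_difenn
peer: 2017spmmJjmrSgD+9WUeRPE9ihrG2jonVmjfVxW2XCI=
  endpoint: 51.68.235.106:51820'

# Keepalive interval in seconds; 0 when the peer has none configured.
keepalive_seconds() {
    printf '%s\n' "$1" | awk '/persistent keepalive: every/ { print $(NF-1); f=1 } END { if (!f) print 0 }'
}

# Port of the configured endpoint (51820 primary, 443 LTE fallback).
endpoint_port() {
    printf '%s\n' "$1" | awk '/endpoint:/ { sub(/.*:/, "", $2); print $2 }'
}

# Handshake age in seconds ("1 minute, 12 seconds ago" -> 72); -1 if never.
handshake_age() {
    printf '%s\n' "$1" | awk -F': ' '/latest handshake:/ {
        n = split($2, part, ", "); t = 0
        for (i = 1; i <= n; i++) {
            split(part[i], w, " ")
            if (w[2] ~ /^day/) t += w[1] * 86400
            else if (w[2] ~ /^hour/) t += w[1] * 3600
            else if (w[2] ~ /^minute/) t += w[1] * 60
            else t += w[1]
        }
        print t; f = 1 } END { if (!f) print -1 }'
}

# 0 when the tunnel looks healthy for LTE use, 1 otherwise; a handshake older than 180 s (assumed) is stale.
check_tunnel() {
    ka=$(keepalive_seconds "$1"); age=$(handshake_age "$1"); port=$(endpoint_port "$1"); ok=0
    [ "$ka" -eq 25 ] || { echo "keepalive missing or not 25s (got $ka)"; ok=1; }
    case "$port" in 51820|443) ;; *) echo "unexpected endpoint port '$port'"; ok=1 ;; esac
    if [ "$age" -lt 0 ]; then echo "no handshake: packets not reaching server"; ok=1
    elif [ "$age" -gt 180 ]; then echo "stale handshake (${age}s): NAT mapping may be closed"; ok=1
    fi
    return $ok
}

# Live use on the XE300: sh check_wg.sh wg_difenn (skipped when no interface is given)
[ -z "${1:-}" ] || check_tunnel "$(wg show "$1")"
```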
### Slow Latency

Expected: 40-50ms from XE300 to server

If higher: Check the path

```bash
traceroute 10.200.0.1
# Should show hub2 gateway in path
```
## Related Documentation
- WireGuard VPN - Site-to-site VPN configuration
- GMC Server - Similar relay architecture for GMC
- hub2 Services - Central hub services overview
- Network Layout - IP addressing and architecture