But it only needs to be accessible on the port WireGuard uses for communications, and WireGuard also has a nice property where it acts passively for non-WireGuard packets.
So someone on the internet doesn't necessarily know the node is reachable from the internet if they try and scan it for example.
Edit: IIRC only one end of the connection needs a stable endpoint as well. IIRC WireGuard supports mobility (changing IP addresses) for one end of the connection.
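A sketch of why an unauthenticated probe gets no reply, added here as an illustration and not part of the comment above: it models only the first check a WireGuard responder applies to a handshake initiation, the `mac1` field from the protocol paper, which is keyed with the responder's public key. The function names are hypothetical and the key is random constructed bytes; a packet that passes this gate must still authenticate in the rest of the handshake before the peer answers.

```python
import hashlib
import hmac
import os
import struct

LABEL_MAC1 = b"mac1----"   # label constant from the WireGuard protocol paper
INITIATION_LEN = 148       # type(1) reserved(3) sender(4) ephemeral(32)
                           # static(48) timestamp(28) mac1(16) mac2(16)
MAC1_OFFSET = 116          # mac1 covers every byte before it


def mac1(responder_pub: bytes, msg_alpha: bytes) -> bytes:
    """mac1 = Keyed-BLAKE2s(key=BLAKE2s(label || responder_pub), msg_alpha), 16 bytes."""
    key = hashlib.blake2s(LABEL_MAC1 + responder_pub).digest()
    return hashlib.blake2s(msg_alpha, key=key, digest_size=16).digest()


def build_initiation(responder_pub: bytes) -> bytes:
    """Constructed packet: correct framing and mac1, random placeholder fields."""
    body = struct.pack("<I", 1) + os.urandom(4 + 32 + 48 + 28)
    return body + mac1(responder_pub, body) + bytes(16)


def passes_first_gate(responder_pub: bytes, datagram: bytes) -> bool:
    """False means the datagram is dropped silently: no reply and no error."""
    if len(datagram) != INITIATION_LEN:
        return False
    if datagram[:4] != b"\x01\x00\x00\x00":   # message type 1, reserved zero
        return False
    expected = mac1(responder_pub, datagram[:MAC1_OFFSET])
    return hmac.compare_digest(expected, datagram[MAC1_OFFSET:MAC1_OFFSET + 16])


if __name__ == "__main__":
    pub = os.urandom(32)   # constructed stand-in for the node's public key
    probes = {
        "empty UDP probe": b"",
        "HTTP request": b"GET / HTTP/1.1\r\n\r\n",
        "zero-filled 148 bytes": bytes(148),
        "initiation for another key": build_initiation(os.urandom(32)),
        "initiation for this key": build_initiation(pub),
    }
    for name, pkt in probes.items():
        print(f"{name:28s} passes mac1 gate: {passes_first_gate(pub, pkt)}")
```

Only the sender that already knows the node's public key produces a datagram that gets past the gate, so a port scan sees the same silence it would see from a filtered port.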