OpenVPN Server on TCP Port Range

David B

Regular Contributor
Would it be possible for me to set up port forwarding on my router in such a way that I could use any TCP port to communicate with the OpenVPN server I run from my router? I have some TCP ports used for other services, but for those that are not used, could this be done?
 
The VPN server is running on the router not your LAN so port forwarding is not applicable. If you want the VPN server to listen on a different port just change it on the "VPN Details" page.
 
I don't think you understand. I want the server to be accessible on two different ports.
Yes, I'm not understanding this question :confused:.

Say your external IP address is 123.123.123.123. You would access your VPN server from the internet with 123.123.123.123:1194.

Are you saying that you want to also access it with for example 123.123.123.123:2222 ?

What would be the point of that?
 
Would it be possible for me to set up port forwarding on my router in such a way that I could use any TCP port to communicate with the OpenVPN server I run from my router? I have some TCP ports used for other services, but for those that are not used, could this be done?
Yes. Setup some pre-routing rules that point ports to your Openvpn port. For example

Code:
iptables -t nat -I PREROUTING -p tcp -d {your WAN IP} -m multiport --dports 10:18,64,1053 -j DNAT --to-destination :1194

You can have up to 15 ports with each rule. Ranges count as two ports. If you need more then you will have to create multiple rules.
 
Yes, I'm not understanding this question :confused:.

Say your external IP address is 123.123.123.123. You would access your VPN server from the internet with 123.123.123.123:1194.

Are you saying that you want to also access it with for example 123.123.123.123:2222 ?

What would be the point of that?
If a certain port is blocked, he can try another without running multiple instances of Openvpn.
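The client side of that idea, as an added example that is not part of the thread: an OpenVPN client profile lists each reachable port as its own remote line, and the client tries them in order until one connects (remote-random shuffles the order instead). The host name and the three ports are placeholders; with the PREROUTING rule on the router, the TCP entries can all land on a single server instance.

```conf
client
dev tun
# Tried top to bottom until a connection succeeds; each entry may use a
# different port and protocol, so one profile covers every network.
remote vpn.example.com 1194 udp
remote vpn.example.com 443 tcp
remote vpn.example.com 2222 tcp
# remote-random        # uncomment to try the entries in random order
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
# ca / cert / key / tls-auth or tls-crypt material as exported by the router goes here.
```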
 
Would it be possible for me to set up port forwarding on my router in such a way that I could use any TCP port to communicate with the OpenVPN server I run from my router? I have some TCP ports used for other services, but for those that are not used, could this be done?

Easy to configure OpenVPN to use TCP for inbound - just be ready for bots to bang the heck out of the port (most choose either TCP/80 or TCP/443).

openvpn uses UDP by default - mainly because UDP is a pain to scan for....
 
Yes. Setup some pre-routing rules that point ports to your Openvpn port. For example

Code:
iptables -t nat -I PREROUTING -p tcp -d {your WAN IP} -m multiport --dports 10:18,64,1053 -j DNAT --to-destination :1194

You can have up to 15 ports with each rule. Ranges count as two ports. If you need more then you will have to create multiple rules.
Thank you. Is the iptables command that you listed what the router does when you add rules?

If a certain port is blocked, he can try another without running multiple instances of Openvpn.
Exactly. I currently run three OpenVPN servers all on different ports. One is UDP, and the other two are TCP. I was just wondering if I could reduce the number of servers that I run from three to two while retaining the three ports that I use.

Easy to configure OpenVPN to use TCP for inbound - just be ready for bots to bang the heck out of the port (most choose either TCP/80 or TCP/443).

openvpn uses UDP by default - mainly because UDP is a pain to scan for....
What did you mean when you said "must choose either TCP/80 or TCP/443"? One of my servers runs on TCP 443, but the other one runs on a non-standard port.
 
Thank you. Is the iptables command that you listed what the router does when you add rules?

Yes. "-I" inserts rules at the top of the list and "-A" puts them at the bottom. You can also specify a position number you want your rule to be placed at. Iptables rules are executed top to bottom. First rule to match a given packet is the one the packet goes with. You sound like you are a novice with iptables so I suggest you read up on it a bit. From ssh/telnet command line you can execute "iptables -t nat -nvL" to see the list of rules currently in PREROUTING. Basically the rule above says "packets destined for your WAN with the tcp protocol that are coming in on ports 10 through 18, port 64, or port 1053 change the port to 1194". This happens before normal routing rules are done, so it looks like your connection was initially coming in on port 1194 which is the default Openvpn port. Of course change it to match whatever port your Openvpn server is listening on.
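As an added example (not code from the thread or from the router firmware) covering both the PREROUTING rule posted earlier and the multiport limit it mentions: the script below generates the DNAT rules for any list of spare TCP ports, validates each port or range, and splits the list automatically so that no single rule exceeds the 15 slots xt_multiport allows, counting a range as two. The WAN address 123.123.123.123 and the OpenVPN port 1194 are placeholders; the output is meant to be reviewed and then run on the router (or placed in its firewall start script), not executed blindly.

```shell
#!/bin/sh
# Added example: emit PREROUTING DNAT rules that redirect spare TCP ports to
# the port the OpenVPN server actually listens on. xt_multiport takes at most
# 15 "slots" per rule and a range a:b costs two, so long lists are split.
# Placeholders: WAN IP 123.123.123.123 and OpenVPN port 1194 (hypothetical).

MULTIPORT_MAX=15

# port_ok N: true if N is an integer in 1..65535
port_ok() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# spec_ok SPEC: accepts a single port "64" or a range "10:18" with low < high
spec_ok() {
    case "$1" in
        *:*) port_ok "${1%%:*}" && port_ok "${1##*:}" && [ "${1%%:*}" -lt "${1##*:}" ] ;;
        *)   port_ok "$1" ;;
    esac
}

# slots_for SPEC: number of multiport slots SPEC consumes (range = 2)
slots_for() {
    case "$1" in *:*) echo 2 ;; *) echo 1 ;; esac
}

# emit_rule WAN_IP DPORTS OVPN_PORT: print one complete iptables command.
# "--to-destination :PORT" rewrites only the port, so the packet is still
# delivered to the router itself, where the OpenVPN server is listening.
emit_rule() {
    printf 'iptables -t nat -A PREROUTING -p tcp -d %s -m multiport --dports %s -j DNAT --to-destination :%s\n' "$1" "$2" "$3"
}

# gen_dnat_rules WAN_IP OVPN_PORT SPEC...
# Prints one command per rule; returns 1 on an invalid port or range.
# -A appends, so the rules keep the order given here; use -I instead when an
# earlier PREROUTING rule would match the same packets first.
gen_dnat_rules() {
    wan_ip="$1"; ovpn_port="$2"; shift 2
    port_ok "$ovpn_port" || { echo "bad OpenVPN port: $ovpn_port" >&2; return 1; }
    used=0; group=""
    for spec in "$@"; do
        spec_ok "$spec" || { echo "bad port spec: $spec" >&2; return 1; }
        n=$(slots_for "$spec")
        # Flush the current rule before this spec would push it past 15 slots.
        if [ -n "$group" ] && [ $((used + n)) -gt "$MULTIPORT_MAX" ]; then
            emit_rule "$wan_ip" "$group" "$ovpn_port"
            used=0; group=""
        fi
        if [ -n "$group" ]; then group="$group,$spec"; else group="$spec"; fi
        used=$((used + n))
    done
    [ -n "$group" ] && emit_rule "$wan_ip" "$group" "$ovpn_port"
    return 0
}

# Run directly with arguments to print the rules, for example:
#   sh gen_dnat_rules.sh 123.123.123.123 1194 10:18 64 1053
if [ "$#" -gt 0 ]; then
    gen_dnat_rules "$@"
fi
```

Two checks worth doing after applying the output: `iptables -t nat -nvL PREROUTING` should show the new rules above anything else that matches the same ports, and the INPUT rule that already accepts the OpenVPN listen port must stay in place, because after DNAT the packet reaches INPUT with the rewritten destination port, so the extra ports need no accept rule of their own.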
 
What did you mean when you said "must choose either TCP/80 or TCP/443"? One of my servers runs on TCP 443, but the other one runs on a non-standard port.

Can pretty much choose any port desired, as long as it is free - many use TCP/80 and/or TCP/443 if they're behind corporate or other firewalls.

Getting back to UDP as a default being preferred - it takes a lot more time to scan for UDP ports by the multiple port scanner utilities, so using UDP can help out a bit, and using UDP on a non-standard port can be useful...
 
Yes. "-I" inserts rules at the top of the list and "-A" puts them at the bottom. You can also specify a position number you want your rule to be placed at. Iptables rules are executed top to bottom. First rule to match a given packet is the one the packet goes with. You sound like you are a novice with iptables so I suggest you read up on it a bit. From ssh/telnet command line you can execute "iptables -t nat -nvL" to see the list of rules currently in PREROUTING. Basically the rule above says "packets destined for your WAN with the tcp protocol that are coming in on ports 10 through 18, port 64, or port 1053 change the port to 1194". This happens before normal routing rules are done, so it looks like your connection was initially coming in on port 1194 which is the default Openvpn port. Of course change it to match whatever port your Openvpn server is listening on.
Your assumption about my knowledge of iptables is correct. I have never worked with them before. I have always relied on my router to handle them for me. Thank you for the information.

Can pretty much choose any port desired, as long as it is free - many use TCP/80 and/or TCP/443 if they're behind corporate or other firewalls.

Getting back to UDP as a default being preferred - it takes a lot more time to scan for UDP ports by the multiple port scanner utilities, so using UDP can help out a bit, and using UDP on a non-standard port can be useful...
Okay. Thank you. I am running the UDP server on 1194, so I suppose I should look in to moving it. As for the TCP servers, one is running on TCP 443 to get around networks that only allow HTTP and HTTPS traffic, and the other one is running on a nonstandard port for a particular network that I frequently use that blocks all traffic except for one port.
 
Your assumption about my knowledge of iptables is correct. I have never worked with them before. I have always relied on my router to handle them for me. Thank you for the information.


Okay. Thank you. I am running the UDP server on 1194, so I suppose I should look in to moving it. As for the TCP servers, one is running on TCP 443 to get around networks that only allow HTTP and HTTPS traffic, and the other one is running on a nonstandard port for a particular network that I frequently use that blocks all traffic except for one port.
If you implement the PREROUTING rule you should only really have to run two servers. One for UDP and one for TCP.
 
If you implement the PREROUTING rule you should only really have to run two servers. One for UDP and one for TCP.
I've actually modified my setup to do just that. I run the UDP server from my NAS drive, and the two TCP servers, both of which were running on my router, have been cut down to one, and I added a port forwarding rule that forwards all incoming TCP traffic that used to be handled by the second TCP server to the first TCP server. I didn't do it using iptables because my router allowed me to add a rule to forward the traffic to itself on a different port, but I still want to learn how to work with iptables.
 