
Changing OpenVPN Server port number backfires

Discussion in 'Asuswrt-Merlin' started by martinr, Jun 15, 2019.

  1. martinr

    martinr Part of the Furniture

    Joined:
    Nov 27, 2014
    Messages:
    2,051
    Location:
    United Kingdom
    To counter opportunistic probes of common ports, for years my SSH port has been at the high end of the Registered port range, 1024-49151 (instead of port 22), and I’ve never had a single problem.


    More recently, and for the same reasons, I moved the OpenVPN Server port from 1194 to a number also at the high end of the Registered range, say, 44567. No problems until yesterday when the server stopped working. (And, although my second server was running, I wasn’t able to connect; fortunately, I was at home.) The logfile stated: “errno99: cannot assign requested address” and then the public IP address was listed along with the port number 44567. A search led me to believe I’d had a collision on that port: some other process, by chance, happened to be using it.


    I thought, serves me right: I should have picked a port in the Dynamic or Private port range (49152-65535). At least, I did think that till I did some digging:

    https://stackoverflow.com/questions...or-in-house-application-use/38141340#38141340

    after which, more confused, I thought perhaps it was right after all to use a Registered port number, and that the Private/Dynamic port range (>49152) should be left alone.


    But one item in that link caught my eye:


    “On the opposite, take a port already assigned to something you're sure won't ever get needed. For example, TCP 31457 is assigned to TetriNET, so it's a pretty sure bet (unless your business is multiplayer tetris).” – maaartinus, Aug 20 '18 at 18:17


    And, that strikes me as quite a good idea.


    But before I do anything, I thought I’d seek people’s comments not only on that suggestion but also on the rest of this post.
     
    Last edited: Jun 15, 2019
    L&LD likes this.
  2. bbunge

    bbunge Very Senior Member

    Joined:
    Aug 11, 2014
    Messages:
    944
    Location:
    Pennsylvania USA
    I use a four digit registered port that is listed for a game or service I will never use. The port I chose is listed to use TCP but I use UDP for OVPN. Works well for me!

    Sent from my SM-T380 using Tapatalk
     
    martinr likes this.
  3. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    8,863
    Location:
    UK
    I think your original logic was sound. The objective is to not use any of the Ephemeral ports. But as we can see from the wiki entry, just what is used as the ephemeral port range varies depending on client device.

    IMHO ephemeral ports should be 49152 to 65535 as per the IANA. This is what Windows currently uses. But if you log onto the router and go to System Log > Active Connections you can see some devices using lower numbers. In my case the ports were from about 33000 upwards and the devices in question were Android phones and smart TVs. This ties up with the wiki entry that says "Many Linux kernels use the port range 32768 to 61000".

    So I would say you should avoid anything above 32767, or less than 5001 (the old BSD and XP range).
     
    L&LD, umarmung, dave14305 and 2 others like this.
  4. martinr

    martinr Part of the Furniture

    Joined:
    Nov 27, 2014
    Messages:
    2,051
    Location:
    United Kingdom
    Thank you, Colin. Yes, I did indeed notice that in the active connections; I’m glad you mentioned it, because I thought I was beginning to understand it until I looked there.

    Thanks for that great advice: I’ll stick to the range >5000 and <32767 and look for ports in that range assigned to video games etc as bbunge did. I’ll also reassign my SSH port. I can then relax knowing that the chances of another collision will be one in every ten-to-the-power 29 years.

    Yet another very useful little learning exercise. Thanks.
     
    L&LD likes this.
  5. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    8,863
    Location:
    UK
    A learning exercise for myself as well. I just assumed that everything used the IANA range nowadays. Obviously not. I'm somewhat surprised at Linux's non-compliance with IANA, as can be seen on the router itself:
    Code:
    [email protected]:/# cat /proc/sys/net/ipv4/ip_local_port_range
    32768   61000
     
    L&LD and martinr like this.
  6. martinr

    martinr Part of the Furniture

    Joined:
    Nov 27, 2014
    Messages:
    2,051
    Location:
    United Kingdom
    Does that mean we could also safely use ports between 61001 and 65535 to both frustrate opportunistic probing and reduce the collision rate to one every ten-to-the-power 35 years? (Except Asus could always change that in the future, I guess.)
     
  7. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    8,863
    Location:
    UK
    Not really. I'm still seeing ports being opened on the router from Windows clients on the LAN that are higher than 61000. The 32768-61000 range mentioned previously would only apply to things running on the router itself.
     
    Last edited: Jun 15, 2019
    L&LD and martinr like this.
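Turning the ranges discussed in posts #3, #5 and #7 into a check that can be run on the router before committing to a listening port: this is an added example, not code from the thread or from Asuswrt-Merlin. It assumes a POSIX shell (busybox ash on the router, or dash/bash elsewhere); the range boundaries are the ones quoted above (IANA 49152-65535 used by Windows, Linux 32768-61000 as read from /proc on the router, old BSD/XP 1024-5000), plus the IANA system range 0-1023 that opportunistic probes target. Function names and the verdict strings are my own.

```shell
#!/bin/sh
# Classify a candidate listening port (OpenVPN, SSH, ...) against the ephemeral
# ranges that clients on the LAN or the router itself may allocate from.
# Added example, not part of the forum thread; POSIX sh / busybox ash.

# Range boundaries as quoted in the thread (names are this example's own).
IANA_EPH_LO=49152;  IANA_EPH_HI=65535    # IANA dynamic/private range (Windows)
LINUX_EPH_LO=32768; LINUX_EPH_HI=61000   # Linux default, seen on the router
BSD_EPH_LO=1024;    BSD_EPH_HI=5000      # old BSD / Windows XP range
SYSTEM_HI=1023                           # IANA system ports, commonly probed

# local_ephemeral_range: print "lo hi" from the running kernel, if readable
# (on the router this is the "32768 61000" shown in post #5).
local_ephemeral_range() {
    if [ -r /proc/sys/net/ipv4/ip_local_port_range ]; then
        read lo hi < /proc/sys/net/ipv4/ip_local_port_range
        echo "$lo $hi"
    fi
}

# in_range PORT LO HI: succeed when LO <= PORT <= HI
in_range() {
    if [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]; then
        return 0
    else
        return 1
    fi
}

# classify_port PORT [KERNEL_LO KERNEL_HI]
# Prints one of:
#   invalid          not a port number in 1..65535
#   system           1..1023, the well-known ports probes look for first
#   collide: <list>  inside one or more ephemeral ranges (iana/linux/bsd/kernel)
#   ok               outside all of them, i.e. 5001..32767
# Returns 0 only for "ok", so it can gate a script.
classify_port() {
    port=$1
    case "$port" in
        ''|*[!0-9]*) echo invalid; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo invalid; return 1
    fi
    if [ "$port" -le "$SYSTEM_HI" ]; then
        echo system; return 1
    fi
    hit=""
    in_range "$port" "$IANA_EPH_LO"  "$IANA_EPH_HI"  && hit="$hit iana"
    in_range "$port" "$LINUX_EPH_LO" "$LINUX_EPH_HI" && hit="$hit linux"
    in_range "$port" "$BSD_EPH_LO"   "$BSD_EPH_HI"   && hit="$hit bsd"
    # Optional: the running kernel's own range, passed in by the caller.
    if [ -n "$2" ] && [ -n "$3" ]; then
        in_range "$port" "$2" "$3" && hit="$hit kernel"
    fi
    if [ -n "$hit" ]; then
        echo "collide:$hit"; return 1
    fi
    echo ok
}

# When run directly with port numbers as arguments, report each one,
# including the running kernel's range if /proc is readable.
if [ "$#" -gt 0 ]; then
    range=$(local_ephemeral_range)
    for p in "$@"; do
        printf '%s: %s\n' "$p" "$(classify_port "$p" $range)"
    done
fi
```

Run it as `sh portcheck.sh 44567 31457 62000` on the router: 44567 from the first post lands in the Linux range, 31457 (the TetriNET port from the Stack Overflow comment) comes back "ok", and 62000 is flagged only for the IANA range that Windows clients use, which is why post #7 says 61001-65535 is not safe either.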
  8. martinr

    martinr Part of the Furniture

    Joined:
    Nov 27, 2014
    Messages:
    2,051
    Location:
    United Kingdom
    Of course. Many thanks.
     
    L&LD likes this.