GT-BE98 PRO and OpenVPN server on port 443

[Alaska99]

With my old RT-AX88U router and Merlin firmware, I configured my OpenVPN server on port 443 because it was the only one that was open on the public networks that I use when traveling. Now with my new GT-BE98 pro router I can no longer enter anything as a port lower than 1024.

However in the GUI configuration page, there is a message which says that Asus "suggests" to use a port higher than 1024. In this case, they should rather write "required"!! If it really is a suggestion we should still be able to choose a port lower than 1024...

Is there a way to force port 443? Perhaps by connecting via SSH we can modify a config file?

In short, I'm starting to be quite disappointed with this useless router and I may finally return it...

 

[bbunge]

You could try port 8080, 8443 or another port commonly used for communication.

 

[Alaska99]

Already try and the only open port was 443 or 80.... It working so well before Asus got this so good BAD idea to block all below 1024...
Who do they think they are, deciding for us which port we can use? Asus should stop imposing their "suggestions" on us!!

What I'm looking for is a way to bypass this block that look like parental controls.

 

[Tech9]

This is for the safety of Pro users. On older routers for non-Pro users it's allowed.

 

[Alaska99]

This is for the safety of Pro users. On older routers for non-Pro users it's allowed.

Are you joking? Do you really believe what you just wrote or are you just repeating what you were taught to say??
There is nothing unsafe about using a port below 1024!! In your opinion, what is the safest on a public network? Use a VPN on port 443 or not use a VPN at all?
Security should not be an excuse to prevent us from configuring our device the way we want. I bought a router that has a VPN function, not a parental control device where Asus decides for me what is safe!! It's not a Pro router it's a Kid router!!

 

[L&LD]

Yes, it is unsafe.

You actually quoted the 'hugging face' too.

 

[Tech9]

Are you joking?

Yes. I have OpenVPN server running on port 443 as well. I don't use Asus hardware.

 

[glens]

Specify a port which satisfies the firmware, then ssh in and grep the nvram values for that number. Make it as unlikely to be otherwise used as possible. Then start assigning "443" to those variables and see what happens.

 

[Tech9]

Curious if other routers on 3.0.0.6 firmware have the same limitation. Anyone willing to test and let us know, please?

 

[Piotrek]

Curious if other routers on 3.0.0.6 firmware have the same limitation. Anyone willing to test and let us know, please?

GT-AX6000 FW 3.0.0.6.102_21514: Please enter a value between 1024 to 65535

 

[Tech9]

This is a very serious limitation. I travel a lot and sometimes VPN on port 443 is the only option. The reason I have VPN server running on this port. I’m with @Alaska99 on this one. Bad decision on Asus side. I may want to run my router with no firewall. This is my router and the decisions are mine - a Pro user with Pro router.

 

[Piotrek]

BTW: In WireGuard port 443 is ok.

 

[Tech9]

Thank you for checking, @Piotrek.

 

[RMerlin]

There is nothing unsafe about using a port below 1024!!

Historically, ports < 1024 are called "privileged ports", as only processes running as root were allowed to bind to these ports. That's why some applications will refuse to let you run on a port < 1024.

That's one of the reasons why dnsmasq will launch two processes, with the second process dropping privileges to a non-root user.

That shouldn't be a problem here however as openvpn does run as root, unless Asus changed it to make it drop privileges.

 

[Alaska99]

Thanks Merlin, do you know if there is a config file that can be edited in SSH to modify the openvpn port and maybe bypass the gui?

 

[RMerlin]

Thanks Merlin, do you know if there is a config file that can be edited in SSH to modify the openvpn port and maybe bypass the gui?

No, the parameters are stored in nvram. I don't remember which variable contains it on the tock firmware, and there's no guarantee the firmware will accept to use it either. Every time you edit your VPN settings, it will most likely complain about it as well.

 

[sfx2000]

There is nothing unsafe about using a port below 1024!!

It's not whether it's safe or not - it a set of rules in Linux that one needs to have root access for ports less than 1024...

 

[sfx2000]

This is a very serious limitation. I travel a lot and sometimes VPN on port 443 is the only option.

I've never run into this limitation for outgoing traffic to TCP/443 when traveling...

If one is hosting OVPN server on 443. one should expect that to be filtered, much like TCP/25, TCP/80, TCP/443 and the Samba ports - because the ISP is actually trying to keep at least a minimum level of security for their customers...

Yes. I have OpenVPN server running on port 443 as well. I don't use Asus hardware.

So, now, I'm curious, considering the comment above...

Do you care to clear thing up here?

 

[ColinTaylor]

I've never run into this limitation for outgoing traffic to TCP/443 when traveling...

If one is hosting OVPN server on 443. one should expect that to be filtered, much like TCP/25, TCP/80, TCP/443 and the Samba ports - because the ISP is actually trying to keep at least a minimum level of security for their customers...

That's exactly the problem he has, outgoing traffic to TCP/443. He wants to connect back to his home VPN server. It's not blocked by his ISP because it works with his previous router. In my experience ISPs tend not to block 443 otherwise features like remote cameras or Asus' AiCloud or their phone app wouldn't work.

 

[Tech9]

I've never encountered ISP filtering TPC/80 and TCP/443. Must be SP only without I.