OpenVPN Port: use 1194 UDP or 443 TCP?
-
Hi,
I'm putting up an OpenVPN server for my company and I'm wondering what the "better practice" is.
Should I leave it at the default 1194 UDP, or change it to a more common port, for example 443 TCP?
If I leave it at 1194, is there a concern that some places (hotels, conferences, etc.) may block the port?
Any comment would be appreciated. Regards,
-
Run it on both ;) I run an instance on UDP 1194, and then one on TCP 443 for those places that have to bounce off a proxy or that might have UDP 1194 blocked. If the place has internet then almost always 443 will be open.
But for performance you will normally want to be on UDP, but that cannot work off a proxy, etc. So just run 2 instances. You can pretty much run as many different instances of pfsense as you want. I run UDP 1194, TCP 443 and then UDP 1194 on IPv6.
-
Run it on both ;) I run an instance on UDP 1194, and then one on TCP 443 for those places that have to bounce off a proxy or that might have UDP 1194 blocked. If the place has internet then almost always 443 will be open.
But for performance you will normally want to be on UDP, but that cannot work off a proxy, etc. So just run 2 instances. You can pretty much run as many different instances of pfsense as you want. I run UDP 1194, TCP 443 and then UDP 1194 on IPv6.
this!
Also, makes me wonder @Johnpoz et al - is there a clever way to initiate a connection without clearing a captive portal? In other words, is there any way to make the OVPN connection come up first, always, on a foreign network?
My gut tells me no - you have to be able to route to the public internet - but I'm curious…
-
Unless the captive portal is utter crap and allows some sort of outbound traffic that is not "captive", then no, you would not be able to bring up your VPN and then tunnel through it before you did something to open up your captive portal access - auth, pay for it, etc.
But sure, if there is say a port open - UDP 53 for example, which is your normal DNS port - if for some reason this was open from where you're at, then sure, you could have your VPN listen on this port and create a tunnel through whatever it is that is trying to block your normal web traffic.
-
Hi, thanks for the reply. I'm a bit slow in understanding this. What does it mean by multiple instances? Could you elaborate? Thank you.
-
You can run multiple instances of openvpn with completely different settings, or all the same settings other than the port they run on. See picture attached.
So I have 2 instances of openvpn running - one listening on TCP 443, the other on the standard UDP 1194 port. I then have a client running as well that connects to one of my VPS out there running openvpn-as.
I did have an IPv6 instance running as well - but I removed that since my cell provider fixed their connectivity from IPv6 to IPv4. When they removed IPv4 the VPN wasn't working, so I had an IPv6 instance listening for a while so I could connect from my cell phone when not on wifi.
You can run as many copies, if you will, of openvpn as you need: different auth settings, different certs, different ports - or lots of stuff the same, just a different port or protocol (TCP/UDP). You could have one that is tap, and others that are tun, etc. etc.
-
Thank you johnpoz, I learned something new…
So what happens at the client export utility? The config that you export will have the two instances (configs) and users can decide which one they connect to every time? Regards.
-
You export the one you want to export - it would not have both.
So you could give the client multiple configs to use.
-
You export the one you want to export - it would not have both.
It's actually possible to give the clients multiple endpoints, either to try in order or by picking at random. (You can create this configuration manually if not through the pfsense gui.) You can combine a configuration that attempts both udp and tcp ports with a NAT configuration that round-robins across multiple backend processes to get both accessibility and load balancing.
-
Very true - but the export GUI is not designed for that fancy stuff ;) You would have to edit the config by hand for that.
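Putting the thread's advice into concrete OpenVPN configuration: the two server instances (UDP 1194 and TCP 443) from the earlier replies, and the hand-edited client profile with multiple endpoints mentioned in the last two posts. This is an added illustration, not configuration from the thread or from pfSense's export utility. The hostname vpn.example.com, the file paths, the tunnel subnets and the certificate file names are assumptions; the directives themselves (remote with a per-line protocol, remote-random, remote-cert-tls, tls-auth) are standard OpenVPN 2.x directives.

```conf
# --- Server instance 1: UDP 1194 (preferred for throughput) ---
# assumed path: /etc/openvpn/server-udp1194.conf
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0     # assumed tunnel subnet for this instance
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0                 # HMAC on the control channel; drops unsigned packets before the TLS handshake
keepalive 10 120
persist-key
persist-tun
verb 3

# --- Server instance 2: TCP 443 (for networks that only let 443 out or force a proxy) ---
# assumed path: /etc/openvpn/server-tcp443.conf
# Each instance needs its own tunnel subnet; otherwise the two routes collide.
port 443
proto tcp-server
dev tun
server 10.8.1.0 255.255.255.0     # assumed second tunnel subnet
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
keepalive 10 120
persist-key
persist-tun
verb 3

# --- Client profile with both endpoints (edited by hand, not exported) ---
# assumed path: client.ovpn
client
dev tun
nobind
# Remotes are tried top to bottom; UDP first so the fast path wins when it is reachable,
# TCP 443 as the fallback for hotel/conference networks.
remote vpn.example.com 1194 udp
remote vpn.example.com 443 tcp
# Uncomment to pick an endpoint at random instead of in order (the "random" option the thread mentions).
#remote-random
resolv-retry infinite
remote-cert-tls server            # refuse to talk to a peer whose cert is not a server cert
tls-auth ta.key 1
ca ca.crt
cert client.crt
key client.key
persist-key
persist-tun
verb 3
```

When a client lands on the TCP 443 instance, expect the reduced performance described above: a TCP tunnel carrying TCP flows retransmits at both layers. Keeping UDP first in the remote list means clients only pay that cost on networks where UDP 1194 is actually blocked.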