OpenVPN client connecting from unusual port number

adamw

That's what I thought re high port numbers.
BUT...
Why ALL the other clients I can see (i.e. several) report PUBLIC_IP:1194 in real address just not mine?
I know they connect from Linux and various versions of Windows and use different client versions.

Gertjan

Normally, the client software chooses a random outgoing port.
But isn't not forbidding to override this behaviour, and choose a port.

And now the urban legends phenomenon kicks in : people see the word "VPN", so they think they have to choose "1194" (even) when they use a VPN client.
Which is based on upon ... nothing.

It would still work, because, when ports are the same, the incoming IP's are not.
If both the IP and port are the same for two incoming connection then you have that typical situation that starts with
"Bug in pfSense ......"

Rico

For my OpenVPN Clients (I have a LOT) I very often see high ports on CGN connections but default OpenVPN port 1194 for clients using a real public IP. Guess why.

-Rico

adamw

@Rico
I'm guessing I should consider myself lucky then? :)
Is there an easy way to determine if ISP utilises CGN or not?

JKnott

@Gertjan said in OpenVPN client connecting from unusual port number:

But isn't not forbidding to override this behaviour, and choose a port.

For example, DHCP, the server is 67 and client is always 68. There are some other protocols with similar but, generally, the source port is random.

JKnott

@adamw said in OpenVPN client connecting from unusual port number:

Is there an easy way to determine if ISP utilises CGN or not?

Yes, check the IP address you get. There's a block just for CGN, 100.64.0.0/10.

adamw

Hmm, neither of my clients' public IPs is on 100.64.0.0/10 range.

JKnott

@adamw

Perhaps RFC 1918 then?

Can you ping their WAN address from elsewhere? If you can, then they have a public address.

Pippin

Or a test site?
https://ip.bieringer.de/cgn-test.html

Or trace?
traceroute -n -U 8.8.8.8
traceroute -n -UL 8.8.8.8
traceroute -n -T 8.8.8.8
traceroute -n -I 8.8.8.8

Rico

The easy way is check your Routers WAN IP and compare with a site like whatismyipaddress.com
If the IP is different you are using CGN.
With the Router WAN IP RFC1918 you don't need to check any further of course, then it is 1000% CGN.

-Rico