Netgate Discussion Forum
    OpenVPN Port: use 1194 UDP or 443 TCP?

    OpenVPN
kfkehua:

Hi,
I'm putting up an OpenVPN server for my company and I'm wondering what a "better practice" is.
Should I leave it at the default 1194 UDP? Or change it to a more common port, for example 443 TCP?
If I leave it at 1194, is there a concern that some places (hotels, conferences, etc.) may block the port?
Any comment would be appreciated.

Regards,
johnpoz (LAYER 8 Global Moderator):

Run it on both ;)  I run an instance on UDP 1194, and then one on TCP 443 for those places that have to bounce off a proxy or that might have UDP 1194 blocked.  If the place has internet then almost always 443 will be open.

But for performance you will normally want to be on UDP, but that cannot work off a proxy, etc. So just run 2 instances.  You can pretty much run as many different instances of pfsense as you want.. I run udp 1194, tcp 443 and then UDP 1194 on IPv6
SpaceBass:

@johnpoz:

Run it on both ;)  I run an instance on UDP 1194, and then one on TCP 443 for those places that have to bounce off a proxy or that might have UDP 1194 blocked.  If the place has internet then almost always 443 will be open.

But for performance you will normally want to be on UDP, but that cannot work off a proxy, etc. So just run 2 instances.  You can pretty much run as many different instances of pfsense as you want.. I run udp 1194, tcp 443 and then UDP 1194 on IPv6

This!

Also, it makes me wonder @Johnpoz et al - is there a clever way to initiate a connection without clearing a captive portal? In other words, is there any way to make the OVPN connection come up first, always, on a foreign network?

My gut tells me no - you have to be able to route to the public internet - but I'm curious…
johnpoz (LAYER 8 Global Moderator):

Unless the captive portal is utter crap and allows some sort of outbound traffic that is not "captive" then no, you would not be able to bring up your vpn and then tunnel through it before you did something to open up your captive portal access - auth, pay for it, etc.

But sure, if there is say a port open - UDP 53 for example, which is your normal dns port - if for some reason this was open from where you're at, then sure you could have your vpn listen on this port and create a tunnel through whatever it is that is trying to block your normal web traffic.
kfkehua:

Hi, thanks for the reply. I'm a bit slow in understanding this. What does it mean by multiple instances? Could you elaborate? Thank you.
johnpoz (LAYER 8 Global Moderator):

You can run multiple instances of openvpn with completely different settings, or all the same settings other than the port they run on.. See picture attached.

So I have 2 instances of openvpn running - one listening on tcp 443, the other on the standard udp 1194 port.  I then have a client running as well that connects to one of my vps out there running openvpn-as.

I did have an ipv6 instance running as well - but I removed that since my cell provider fixed their connectivity from ipv6 to ipv4. When they removed ipv4 the vpn wasn't working, so I had an ipv6 instance listening for a while so I could connect from my cell phone when not on wifi.

You can run as many copies, if you will, of openvpn as you need: different auth settings, different certs, different ports - or lots of stuff the same, just a different port or protocol (tcp/udp)..  You could have one that is tap, and others that are tun, etc. etc..
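To make the "two instances, same settings apart from port and protocol" idea concrete, here is an added example of two hand-written OpenVPN server configs. It is not from this thread and not what pfSense generates (pfSense builds these files itself from the GUI); the file paths, key names and the 10.8.0.0/24 and 10.8.1.0/24 pools are assumed. The point it shows beyond the post: the two processes must not share a tunnel device or an address pool, and `explicit-exit-notify` is only valid on the UDP instance.

```conf
# ---- /etc/openvpn/server-udp1194.conf  (assumed path; added example, not pfSense output) ----
port 1194
proto udp
dev tun0                              # each instance gets its own tun device
server 10.8.0.0 255.255.255.0         # each instance needs its own client address pool
ca   /etc/openvpn/keys/ca.crt         # same CA and server cert can be shared by both instances
cert /etc/openvpn/keys/server.crt
key  /etc/openvpn/keys/server.key
dh   /etc/openvpn/keys/dh.pem
tls-crypt /etc/openvpn/keys/ta.key    # unauthenticated packets to the open port are dropped before the TLS handshake
remote-cert-tls client                # only accept peer certs issued for client use
keepalive 10 60
persist-key
persist-tun
explicit-exit-notify 1                # UDP-only directive; OpenVPN refuses it on a TCP instance
verb 3

# ---- /etc/openvpn/server-tcp443.conf  (assumed path) ----
port 443
proto tcp-server                      # the fallback instance for proxy / UDP-blocked networks
dev tun1                              # different device ...
server 10.8.1.0 255.255.255.0         # ... and a different, non-overlapping pool
ca   /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key  /etc/openvpn/keys/server.key
dh   /etc/openvpn/keys/dh.pem
tls-crypt /etc/openvpn/keys/ta.key
remote-cert-tls client
keepalive 10 60
persist-key
persist-tun
verb 3
```

Each file is started as its own `openvpn --config <file>` process, and the firewall needs a separate pass rule for each listening port and protocol. Because the pools differ, any routes or firewall rules that refer to "the VPN clients" must cover both subnets, otherwise users arriving over the TCP 443 fallback get a different level of access than those on UDP 1194.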
kfkehua:

Thank you johnpoz, I learned something new…
So what happens at the client export utility? The config that you export will have the two instances (configs) and users can decide which one they connect to each time?

Regards.
johnpoz (LAYER 8 Global Moderator):

You export the one you want to export - it would not have both..

So you could give the client multiple configs to use..
VAMike:

@johnpoz:

you export the one you want to export - it would not have both..

It's actually possible to give the clients multiple endpoints, either to try in order or by picking at random. (You can create this configuration manually if not through the pfsense gui.) You can combine a configuration that attempts both udp and tcp ports with a NAT configuration that round-robins across multiple backend processes to get both accessibility and load balancing.
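The multi-endpoint client profile VAMike describes, as an added example that is not part of this thread and not produced by the pfSense client export package (it has to be hand-edited, as the replies say). The hostname vpn.example.com and the certificate file names are assumed. It lists UDP 1194 first and TCP 443 as the fallback, which matches the two server instances discussed above.

```conf
# Added example: hand-edited OpenVPN client profile with more than one endpoint.
# vpn.example.com and the key/cert file names are assumed.
client
dev tun
nobind
resolv-retry infinite
persist-key
persist-tun

# Endpoints are tried in the order listed. OpenVPN moves to the next line when an
# attempt fails, so UDP 1194 is used where it works and TCP 443 only where it does not.
remote vpn.example.com 1194 udp
remote vpn.example.com 443 tcp

# remote-random          # uncomment to pick an endpoint at random instead of in order
connect-retry 2 30       # 2 s between attempts, backing off to 30 s
# connect-retry-max 3    # optional: stop after 3 passes through the list instead of retrying forever

# Peer verification stays the same whichever endpoint answers
remote-cert-tls server   # refuse a peer that presents a client certificate as the server
tls-crypt ta.key         # must match the tls-crypt key on both server instances
ca ca.crt
cert client.crt
key client.key
verb 3
```

Without `remote-random` the order is deterministic, so every client that can reach UDP 1194 lands on that instance; the random option spreads connections across the listed endpoints, which is the client-side half of the load-balancing idea in the post. Per-endpoint options such as an HTTP proxy for the TCP 443 path can be expressed by wrapping each `remote` in a `<connection>` block rather than using bare `remote` lines.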
johnpoz (LAYER 8 Global Moderator):

Very true - but the export gui is not designed for that fancy stuff ;)  You would have to edit the config by hand for that..
© 2021 Rubicon Communications, LLC