Netgate Discussion Forum

    Port forwarding 443 but keep it stealth

    Category: OpenVPN
    8 Posts, 4 Posters, 984 Views
      baumkuchen
      last edited by baumkuchen

      Hello,

      Not sure if this is the right category for my question. I have an OpenVPN server running which is listening on port 1194. Additionally I set up another server, listening on TCP 443.

      Nmap shows me that this port is open. Is it somehow possible to keep the port stealth but still forward the data stream? How would I do that?

      Thanks.

        JKnott @baumkuchen
        last edited by

        @baumkuchen

        Not possible. If it's open for traffic, it's open for port scans.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

          baumkuchen
          last edited by

          @JKnott
          Thank you for your reply.
          If the port can't be stealth while it is forwarded, what else can I do to increase its security?

            JKnott @baumkuchen
            last edited by

            @baumkuchen said in Port forwarding 443 but keep it stealth:

            @JKnott
            Thank you for your reply.
            If the port can't be stealth while it is forwarded, what else can I do to increase its security?

            If all the connections come from known addresses, you could filter on that.

              KOM
              last edited by KOM

              At some point you're going to have to trust your authentication methods. JKnott's suggestion is good. However, if you don't know the source IP addresses but know for a fact that all your traffic will come from the US, you could use a geoblocker like pfBlocker to block access from all other countries except the US.

              Ultimately, you can't hide a 'public' service but you can limit it to a subset of 'public'.

                baumkuchen
                last edited by baumkuchen

                Thank you guys for the clarification.

                I'll try to understand port forwarding and the possible security elements on top of it much better; unfortunately I don't get the basics yet. I had the idea that a forwarded port could block incoming traffic but hand over authorized packets to the listening OpenVPN server, so that the OpenVPN server only responds if the authorization has been successful in the first place. If I understand you right, this is not an option.

                I authorize with SSL/TLS + User Auth, but I don't like the fact that this is the only method to protect my data and keep it safe. Is it an option to pass incoming traffic based on MAC addresses or other unique indicators?

                  JKnott @baumkuchen
                  last edited by

                  @baumkuchen said in Port forwarding 443 but keep it stealth:

                  Is it possible to block incoming traffic based on MAC addresses or other unique indicators?

                  No, the only MAC address pfSense will see is that of the next upstream router. MACs are valid only on the local network and are discarded by routers, which then add the MAC of the exit interface. Read up on the protocol stack and encapsulation to understand why this is. Basically, the IP packet is encapsulated in an Ethernet frame only for the transport to the next device. The Ethernet frame goes no further, but the IP packet can be forwarded by routers and encapsulated in a frame for the next hop.

                    Pippin
                    last edited by Pippin

                    other unique indicators?

                    Other than already mentioned, use tls-crypt...

                    I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
                    Halton Arp
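As an added illustration (not from any poster in this thread), these are the server-side OpenVPN directives that enable the tls-crypt option Pippin mentions, for a server on TCP 443 as in the original question; the key and certificate file paths are placeholders. With tls-crypt every control-channel packet must carry a valid HMAC under a pre-shared key, so packets from clients that do not hold that key are dropped before any TLS handshake or user authentication is attempted.

```conf
# OpenVPN server fragment (added example, placeholder paths).
# pfSense exposes the same setting in the server's "TLS Configuration"
# section; this is what it writes for the daemon.
proto tcp-server
port 443
dev tun

# tls-crypt: authenticate AND encrypt the control channel with a pre-shared
# key. Packets whose HMAC does not verify are silently discarded, so a peer
# without ta.key never reaches the certificate/user-auth stage.
# Key generated once with:  openvpn --genkey tls-crypt ta.key  (OpenVPN 2.5+)
tls-crypt /PLACEHOLDER/path/ta.key

# Existing SSL/TLS + user authentication stays in place on top of tls-crypt.
ca   /PLACEHOLDER/path/ca.crt
cert /PLACEHOLDER/path/server.crt
key  /PLACEHOLDER/path/server.key
dh   /PLACEHOLDER/path/dh.pem
verify-client-cert require
remote-cert-tls client
tls-version-min 1.2
```

Note that with proto tcp the operating system still completes the TCP three-way handshake, so a scanner will continue to report 443 as open; tls-crypt only ensures that nothing useful happens on that connection without the key. The same key must be distributed to every client along with its certificate.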

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.