Required open ports for Access Server

[melkamar]

Hi, I'm in the process of evaluating OpenVPN for use as our company VPN. I'm deploying it on a Ubuntu 20.04 server. Most stuff works fine and the setup has been painless, with the exception of restricting non-needed ports.

From what I understand, it should be enough for the server firewall to allow the following:

• TCP 80, 443
• UDP 1194

When I do that on the firewall of my cloud provider, I can then connect to the server with the OpenVPN client, but all DNS resolution fails. Curl-ing a specific IP address works fine.

Through some trial and error I found out that when I also open up UDP ports 32768-65535, everything starts to work fine. So it seems that the server needs these ephemeral ports open for some reason? I didn't find anything about that in the documentation though, so I'm wondering if this is just a symptom of some other issue?

Thank you!

[openvpn_inc]

Hello,

With OpenVPN Access Server, you will want to have incoming ports TCP 22 (optional - for maintenance purposes), TCP 443, TCP 943, TCP 945 (optional - for clustering purposes), and UDP 1194 open assuming default settings. As far as outgoing ports concern, we recommend those are left open so that the Access Server is able to initiate outgoing connections in response to incoming connections on the aforementioned ports. If you wish to restrict outgoing that's up to you, but you may encounter some expected issues there of course.

Kind regards,
Johan