Do I need to forward port on my router ?

mrwilson
OpenVpn Newbie
Posts: 2
Joined: Sat Jan 13, 2018 5:29 pm

Do I need to forward port on my router ?

Post by mrwilson » Sat Jan 13, 2018 5:36 pm

Been searching for a while for this answer but so far I can't find it. I have my OpenVPN server running on a pc running W10 on my network. I have it set to use port 443. My clients can log in successfully IF I have port 443 forwarded to the machine that is running the OpenVPN server. If I don't forward port 443 then they cannot connect. This is probably a dumb question but I thought the idea of running a VPN was so I would not have to forward any ports.

So do I need to forward this port or am I doing something wrong ?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Do I need to forward port on my router ?

Post by TinCanTech » Mon Jan 15, 2018 11:56 am

mrwilson wrote (Sat Jan 13, 2018 5:36 pm): "do I need to forward this port"

Yes you do ..

https://openvpn.net/index.php/open-sour ... html#start

mrwilson
OpenVpn Newbie
Posts: 2
Joined: Sat Jan 13, 2018 5:29 pm

Re: Do I need to forward port on my router ?

Post by mrwilson » Mon Jan 15, 2018 5:45 pm

Thank you for confirming this.

Skaperen
OpenVPN Power User
Posts: 89
Joined: Fri Aug 05, 2011 3:02 pm

Re: Do I need to forward port on my router ?

Post by Skaperen » Wed Jan 17, 2018 2:07 am

but you only need to do port forwarding of the OpenVPN connection itself, not all the connections to all the websites you might reach through your VPN.

if you can do UDP communications to the whole world for many UDP port numbers, there may be a way around this and use UDP for OpenVPN as well (the better way to run OpenVPN). when a UDP datagram goes out via your firewall, it needs to allow the response to come back in, and to be sure it gets back to the sender. if you know what your source (from) IP address is (easy to find out, google for "ip address") and you can configure a point-to-point VPN between your local computer and the remote host where the other OpenVPN is running, you may be able to make this work through your firewall without adding any port forwarding.

configure both ends to communicate with each other on the same port. each end will keep sending UDP datagrams to each other. after your local end has sent a UDP datagram to the remote end, the firewall should let "a response" back in. this ends up letting the two OpenVPNs communicate with each other and establish your VPN. the important requirement is that the firewall router allow UDP "responses" for a longer period of time than OpenVPN retries to make that initial "connection". it works for me in several places. this can also work with TCP but UDP is the better choice for a VPN.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Do I need to forward port on my router ?

Post by TinCanTech » Wed Jan 17, 2018 1:50 pm

@Skaperen

OpenVPN in TLS mode specifically denies NAT hole punching.

This is because OpenVPN in TLS mode requires that one end be the server and the other the client.

The server end does not initiate any connections, it simply waits for incoming packets.
Thus, port forwarding from the Server gateway is explicitly required.

OpenVPN in non-TLS mode can only accomplish NAT hole punching if both NAT gateways specifically allow it.
Or, more likely, don't do complete NAT. i.e. { Src_Priv_addr:port_X } NAT { Src_Pub_addr:port_Y } => { Dst }
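The two claims above (Skaperen's: UDP "responses" must stay allowed longer than OpenVPN's retry interval; TinCanTech's: a TLS-mode server never sends first, so only a port forward lets the client's packet in) can be checked against a toy model of a stateful firewall. This is an added example written for this thread, not OpenVPN code and not from either poster; it assumes port 1194, whole-second timings, and a firewall that does not rewrite the source port (the "complete NAT" case TinCanTech mentions is not modelled).

```python
# Toy model of a stateful firewall that admits inbound UDP only as a "response"
# to a recent outbound datagram on the same port pair, or to a forwarded port.
# Constructed for illustration; it does not model source-port rewriting.
from dataclasses import dataclass, field

@dataclass
class StatefulFirewall:
    udp_timeout: int                      # seconds a reply is accepted after an outbound datagram
    forwarded_ports: set = field(default_factory=set)
    last_out: dict = field(default_factory=dict)   # (local_port, remote_port) -> time of last outbound

    def outbound(self, local_port, remote_port, now):
        self.last_out[(local_port, remote_port)] = now

    def inbound_allowed(self, local_port, remote_port, now):
        if local_port in self.forwarded_ports:
            return True                   # explicit port forward: always admitted
        sent = self.last_out.get((local_port, remote_port))
        return sent is not None and now - sent <= self.udp_timeout

def first_datagram_accepted(fw_a, fw_b, port, a_sends, b_sends, retry, b_offset=0, duration=600):
    """Time at which a datagram from either peer first passes the other peer's
    firewall (so the handshake can proceed), or None if none does within
    `duration` seconds. Peer A starts at t=0, peer B at t=b_offset; each peer
    that sends repeats every `retry` seconds."""
    events = []
    if a_sends:
        events += [(t, "A") for t in range(0, duration, retry)]
    if b_sends:
        events += [(t, "B") for t in range(b_offset, duration, retry)]
    for t, who in sorted(events):
        src, dst = (fw_a, fw_b) if who == "A" else (fw_b, fw_a)
        src.outbound(port, port, t)
        if dst.inbound_allowed(port, port, t):
            return t
    return None

def tls_client_server(server_forwards_port):
    """TLS mode: only the client initiates; the server just listens."""
    client_fw = StatefulFirewall(udp_timeout=30)
    server_fw = StatefulFirewall(udp_timeout=30, forwarded_ports={1194} if server_forwards_port else set())
    return first_datagram_accepted(client_fw, server_fw, 1194, a_sends=True, b_sends=False, retry=5)

def p2p_both_send(udp_timeout, retry, b_offset):
    """Point-to-point mode: both ends keep sending to the same port."""
    fw_a = StatefulFirewall(udp_timeout=udp_timeout)
    fw_b = StatefulFirewall(udp_timeout=udp_timeout)
    return first_datagram_accepted(fw_a, fw_b, 1194, True, True, retry, b_offset)

if __name__ == "__main__":
    print("TLS mode, no port forward   :", tls_client_server(False))    # None: never gets in
    print("TLS mode, port forwarded    :", tls_client_server(True))     # 0
    print("p2p, timeout 30s > retry 5s :", p2p_both_send(30, 5, 2))     # 2
    print("p2p, timeout 10s < retry 60s:", p2p_both_send(10, 60, 20))   # None: entries expire first
```

The last case is the failure mode Skaperen warns about: with both ends retrying less often than the firewall keeps a UDP entry, each side's datagram arrives after the other side's entry has expired, so no handshake ever starts.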

Skaperen
OpenVPN Power User
Posts: 89
Joined: Fri Aug 05, 2011 3:02 pm

Re: Do I need to forward port on my router ?

Post by Skaperen » Thu Jan 18, 2018 3:49 am

even a firewall without NAT (i ran one of those long ago when i worked for a company with a /16) can need "hole punching", depending on the rules. i could do inbound blocking while it tracked all outbound traffic (unblocked) to punch holes. a VPN could easily punch a hole here. sure, you would have to pre-punch the hole to use TLS mode. so which is the best to do, make a hole or use non-TLS?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Do I need to forward port on my router ?

Post by TinCanTech » Thu Jan 18, 2018 12:52 pm

Without TLS mode all you get is pre-shared key ..

With TLS you get full PKI and --tls-auth ..

See --tls-auth in The Manual v24x
