Do I need to forward port on my router ?
Posted: Sat Jan 13, 2018 5:36 pm
by mrwilson
Been searching for a while for this answer but so far I can't find it. I have my OpenVPN server running on a PC running W10 on my network. I have it set to use port 443. My clients can log in successfully IF I have port 443 forwarded to the machine that is running the OpenVPN server. If I don't forward port 443 then they cannot connect. This is probably a dumb question but I thought the idea of running a VPN was so I would not have to forward any ports.
So do I need to forward this port or am I doing something wrong ?
Re: Do I need to forward port on my router ?
Posted: Mon Jan 15, 2018 11:56 am
by TinCanTech
mrwilson wrote (Sat Jan 13, 2018 5:36 pm):
> do I need to forward this port
Yes you do ..
https://openvpn.net/index.php/open-sour ... html#start
Re: Do I need to forward port on my router ?
Posted: Mon Jan 15, 2018 5:45 pm
by mrwilson
Thank you for confirming this.
Re: Do I need to forward port on my router ?
Posted: Wed Jan 17, 2018 2:07 am
by Skaperen
But you only need to do port forwarding of the OpenVPN connection itself, not all the connections to all the websites you might reach through your VPN.
If you can do UDP communications to the whole world for many UDP port numbers, there may be a way around this and use UDP for OpenVPN as well (the better way to run OpenVPN). When a UDP datagram goes out via your firewall, it needs to allow the response to come back in, and to be sure it gets back to the sender. If you know what your source (from) IP address is (easy to find out, google for "ip address") and you can configure a point-to-point VPN between your local computer and the remote host where the other OpenVPN is running, you may be able to make this work through your firewall without adding any port forwarding.
Configure both ends to communicate with each other on the same port. Each end will keep sending UDP datagrams to the other. After your local end has sent a UDP datagram to the remote end, the firewall should let "a response" back in. This ends up letting the two OpenVPNs communicate with each other and establish your VPN. The important requirement is that the firewall router allow UDP "responses" for a longer period of time than OpenVPN retries to make that initial "connection". It works for me in several places. This can also work with TCP but UDP is the better choice for a VPN.
Re: Do I need to forward port on my router ?
Posted: Wed Jan 17, 2018 1:50 pm
by TinCanTech
@Skaperen
OpenVPN in TLS mode specifically denies NAT hole punching.
This is because OpenVPN in TLS mode requires that one end be the server and the other the client.
The server end does not initiate any connections, it simply waits for incoming packets.
Thus, port forwarding from the Server gateway is explicitly required.
OpenVPN in non-TLS mode can only accomplish NAT hole punching if both NAT gateways specifically allow it.
Or, more likely, don't do complete NAT, i.e. { Src_Priv_addr:port_X } NAT { Src_Pub_addr:port_Y } => { Dst }
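As an added illustration of the two posts above (not code from either poster, and not OpenVPN code), here is a small Python model of two stateful firewalls that drop unsolicited inbound UDP but admit datagrams that reverse a recently seen outbound flow. It shows the three cases the thread discusses: both ends sending on the same port opens a path only while the firewall's UDP state timeout exceeds the retry interval; an end that never sends first (the TLS-mode server) never opens any state, so nothing reaches it; and a forwarded port lets the client's first datagram in, after which the server's reply matches the client-side state. The addresses are RFC 5737 documentation addresses and the port is OpenVPN's default 1194; both are constructed for the example (the thread itself uses 443).

```python
"""Constructed model of stateful UDP filtering at two firewalls (example only, not OpenVPN code)."""
from dataclasses import dataclass, field

# Constructed example addresses (RFC 5737 documentation ranges) and OpenVPN's default port.
PEER_A = "198.51.100.10"
PEER_B = "203.0.113.20"
PORT = 1194


@dataclass
class StatefulFirewall:
    """Drops unsolicited inbound UDP, but remembers each outbound flow for
    state_timeout seconds and admits datagrams that look like its reply.
    Ports in forwarded_ports are passed through unconditionally."""
    name: str
    state_timeout: float
    log: list
    forwarded_ports: set = field(default_factory=set)
    flows: dict = field(default_factory=dict)  # (src, sport, dst, dport) -> expiry time

    def outbound(self, now, src, sport, dst, dport):
        """Record (or refresh) state for an outbound datagram."""
        self.flows[(src, sport, dst, dport)] = now + self.state_timeout

    def inbound(self, now, src, sport, dst, dport):
        """Admit an inbound datagram if its port is forwarded or it reverses a live outbound flow."""
        if dport in self.forwarded_ports:
            verdict = "ALLOW (forwarded port)"
        elif self.flows.get((dst, dport, src, sport), -1.0) >= now:
            verdict = "ALLOW (matches outbound state)"
        else:
            verdict = "DROP (no state)"
        self.log.append(f"t={now:4.1f}s {self.name}: {src}:{sport} -> {dst}:{dport} {verdict}")
        return verdict.startswith("ALLOW")


def simulate(state_timeout, retry_interval, b_initiates=True, b_forwards_port=False, duration=30.0):
    """Peer A sends a datagram to B every retry_interval seconds from t=0.
    If b_initiates, B does the same from t=0.5 (both ends sending on the same port);
    otherwise B acts like a TLS-mode server and only answers what it receives.
    Returns (time at which traffic has passed in both directions, or None, log)."""
    log = []
    fw_a = StatefulFirewall("FW-A", state_timeout, log)
    fw_b = StatefulFirewall("FW-B", state_timeout, log, {PORT} if b_forwards_port else set())
    a_heard_b = b_heard_a = False

    events, t = [], 0.0
    while t <= duration:
        events.append((t, "A"))
        if b_initiates:
            events.append((t + 0.5, "B"))
        t += retry_interval

    for now, sender in sorted(events):
        if sender == "A":
            fw_a.outbound(now, PEER_A, PORT, PEER_B, PORT)
            if fw_b.inbound(now, PEER_A, PORT, PEER_B, PORT):
                b_heard_a = True
                if not b_initiates:  # the server replies only to what it received
                    fw_b.outbound(now, PEER_B, PORT, PEER_A, PORT)
                    if fw_a.inbound(now, PEER_B, PORT, PEER_A, PORT):
                        a_heard_b = True
        else:
            fw_b.outbound(now, PEER_B, PORT, PEER_A, PORT)
            if fw_a.inbound(now, PEER_B, PORT, PEER_A, PORT):
                a_heard_b = True
        if a_heard_b and b_heard_a:
            return now, log
    return None, log


if __name__ == "__main__":
    cases = {
        "both send, state timeout 5s > retry 2s": simulate(5, 2),
        "both send, state timeout 1s < retry 2s": simulate(1, 2),
        "server never sends first, no forwarding": simulate(5, 2, b_initiates=False),
        "server never sends first, port forwarded": simulate(5, 2, b_initiates=False, b_forwards_port=True),
    }
    for label, (established, log) in cases.items():
        print(f"{label}: {'established at t=%.1fs' % established if established is not None else 'never established'}")
        for line in log[:4]:
            print("   ", line)
```

The second case is the one Skaperen's post warns about: B's datagram always gets through because A has just refreshed its own state, but A's datagram always arrives after B's state has expired, so the link never comes up in both directions. The third case is TinCanTech's point in firewall terms: a server that only ever waits creates no outbound state, so without a forwarded port every inbound datagram is unsolicited and dropped.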
Re: Do I need to forward port on my router ?
Posted: Thu Jan 18, 2018 3:49 am
by Skaperen
Even a firewall without NAT (I ran one of those long ago when I worked for a company with a /16) can need "hole punching", depending on the rules. I could do inbound blocking while it tracked all outbound traffic (unblocked) to punch holes. A VPN could easily punch a hole here. Sure, you would have to pre-punch the hole to use TLS mode. So which is the best to do, make a hole or use non-TLS?
Re: Do I need to forward port on my router ?
Posted: Thu Jan 18, 2018 12:52 pm
by TinCanTech
Without TLS mode all you get is pre-shared key ..
With TLS you get full PKI and --tls-auth ..
See -- tls-auth in The Manual v24x