Good Ports to use in Blocked Countries?

Posted: Tue Apr 26, 2011 3:18 pm
by GeoDirk
Hi All,

I'm working with some people helping to set up a VPN for them. The country that they live in does quite a bit of filtering and monitoring of the internet. If I use the standard OpenVPN ports of 1194, the country should easily be able to identify who it is that is using VPN right? I was thinking of changing the default OpenVPN port to something else that is more common so it doesn't attract attention. Can anyone recommend some better ports besides the 1194 one?

Thanks

Re: Good Ports to use in Blocked Countries?

Posted: Wed Apr 27, 2011 6:17 am
by janjust
you can choose any UDP or TCP port you want, 443 is an often used one, as OpenVPN traffic looks a little bit like SSL traffic.
However, if a country (or company) wants to block OpenVPN traffic they can - OpenVPN traffic is easily discernible on firewalls that do stateful inspection and OpenVPN makes no attempt to hide itself. If you want to duck firewalls resort to things like stunnel and httptunnel. YMMV.

Re: Good Ports to use in Blocked Countries?

Posted: Wed Apr 27, 2011 1:44 pm
by GeoDirk
Hi Jan,

You say that OpenVPN is easily discernible on deep packet inspection. For curiosity's sake, can you elaborate on what it is that makes it so obvious that it is OpenVPN traffic going past?

By the way, on any one server, you can only specify ONE port for OpenVPN to use right?

I purchased your book yesterday...really like it but haven't gotten in there very far. Thanks for all the hard work you put into it!

Re: Good Ports to use in Blocked Countries?

Posted: Wed Apr 27, 2011 1:56 pm
by janjust
it's the handshake protocol which is not the same as a regular SSL handshake; run wireshark while openvpn is connecting to a server configured on port tcp/443 and you will see that wireshark does not decode the traffic as "normal" SSL traffic.

One OpenVPN instance binds to one port, yes; there's nothing stopping you from running multiple services, however, and you can also use port redirection (using e.g. iptables).

PS thanx for buying my book :mrgreen:
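The handshake difference janjust describes is what a stateful firewall keys on. As an added example (not from this thread or the OpenVPN project), the Python below reads the first bytes of a TCP payload seen on port 443 and tells a real TLS ClientHello from an OpenVPN control-channel packet using OpenVPN's public TCP framing (2-byte length, opcode/key-id byte, 8-byte session id). The two sample payloads are constructed, and the parser assumes no tls-auth HMAC is present.

```python
"""Classify first TCP payload bytes on tcp/443: TLS ClientHello vs. OpenVPN."""

# OpenVPN control/data opcodes (upper 5 bits of the first byte after the length).
OPENVPN_OPCODES = {
    1: "P_CONTROL_HARD_RESET_CLIENT_V1", 2: "P_CONTROL_HARD_RESET_SERVER_V1",
    3: "P_CONTROL_SOFT_RESET_V1", 4: "P_CONTROL_V1", 5: "P_ACK_V1",
    6: "P_DATA_V1", 7: "P_CONTROL_HARD_RESET_CLIENT_V2",
    8: "P_CONTROL_HARD_RESET_SERVER_V2", 9: "P_DATA_V2",
}

def looks_like_tls_client_hello(payload: bytes) -> bool:
    # TLS record header: type 0x16 (handshake), version 0x03 0x00..0x03,
    # 2-byte record length, then handshake type 0x01 (ClientHello).
    if len(payload) < 6:
        return False
    return (payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x03
            and payload[5] == 0x01)

def parse_openvpn_tcp(payload: bytes):
    # OpenVPN over TCP: 2-byte big-endian packet length, then one byte holding
    # (opcode << 3) | key_id, then an 8-byte session id. Returns None if the
    # bytes do not fit that shape (e.g. length prefix inconsistent).
    if len(payload) < 11:
        return None
    pkt_len = int.from_bytes(payload[:2], "big")
    if pkt_len != len(payload) - 2:   # expect one whole packet in the first segment
        return None
    opcode, key_id = payload[2] >> 3, payload[2] & 0x07
    if opcode not in OPENVPN_OPCODES:
        return None
    return {"opcode": OPENVPN_OPCODES[opcode], "key_id": key_id,
            "session_id": payload[3:11].hex()}

def classify(payload: bytes) -> str:
    if looks_like_tls_client_hello(payload):
        return "tls"
    info = parse_openvpn_tcp(payload)
    if info and info["opcode"].startswith("P_CONTROL_HARD_RESET_CLIENT"):
        return "openvpn"   # a fresh OpenVPN client connecting, not a TLS handshake
    return "unknown"

# Constructed samples: a minimal TLS 1.0 record carrying a ClientHello, and a
# P_CONTROL_HARD_RESET_CLIENT_V2 (0x38 = opcode 7, key_id 0) with session id
# 11..88, an empty ack array (0x00) and packet id 0; length prefix 0x000e = 14.
SAMPLE_TLS = b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03" + b"\x00" * 36
SAMPLE_OPENVPN = (b"\x00\x0e\x38" + b"\x11\x22\x33\x44\x55\x66\x77\x88"
                  + b"\x00" + b"\x00\x00\x00\x00")

if __name__ == "__main__":
    for name, pkt in (("tls", SAMPLE_TLS), ("openvpn", SAMPLE_OPENVPN)):
        print(name, "->", classify(pkt), parse_openvpn_tcp(pkt))
```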