
Re: [Openvpn-users] openvpn

  • Subject: Re: [Openvpn-users] openvpn
  • From: Josh Cepek <josh.cepek@xxxxxxx>
  • Date: Tue, 05 Jun 2007 08:51:05 -0500
  • Z-usanet-msgid: XID663LFeNzL0162X29

Peter Leinen wrote:
> On Sunday 03 June 2007 22:06, Klaus Thielking-Riechert wrote:
> One more question: Which ports are used on the client side? I always see port 
> numbers above 60000, like 61300 which are also changing with a connection 
> request.
If the --port and --lport options are not used in the client
configuration, or if --nobind is specified, the client will allocate a
dynamically chosen high-range port number as the source port for the
packets, and this port will be re-allocated for each connection
attempt.  This is how most client-server applications operate since the
client doesn't usually need to be communicating from a specific source
port.  When a packet is sent out through a stateful firewall, the
firewall keeps track of which outbound connections have seen replies
from the server on the same IP/ports used and will normally let replies
through as long as the connection is still active.  What exactly
"active" means will vary between various firewall devices, but normally
using OpenVPN's --ping option (or the --keepalive helper directive) will
keep a firewall rule open.


Attachment: signature.asc
Description: OpenPGP digital signature
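The two behaviours described in the reply above, modelled as an added example (this is not OpenVPN code and not part of the original thread): a UDP socket bound with no fixed port gets an ephemeral source port from the OS, the way a client without --lport/--port (or with --nobind) does, and a minimal connection-tracking table admits a server reply only while the outbound flow has been seen within an idle timeout, which is why --ping/--keepalive has to fire more often than that timeout. The firewall timeout values, the addresses 10.0.0.2 and 203.0.113.5, and the helper names are all assumptions chosen for the illustration; 1194 is OpenVPN's default port.

```python
"""Added example (not OpenVPN code): model the two things the reply describes.

1. A client that does not pin --lport/--port (or uses --nobind) gets an
   ephemeral UDP source port from the OS, chosen anew per connection attempt.
2. A stateful firewall remembers the outbound flow and admits replies only
   while it is "active", so --ping / --keepalive must fire more often than
   the firewall's idle timeout (the timeout values used here are assumed).

Equivalent client.conf lines (real OpenVPN directives, values illustrative):
    nobind              # let the OS pick the source port each time
    keepalive 10 60     # ping every 10 s; assume the peer dead after 60 s
"""
import socket
from typing import Dict, Optional, Tuple

Addr = Tuple[str, int]


def ephemeral_source_port() -> int:
    """What --nobind amounts to: bind UDP port 0 and let the kernel choose."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def pinned_source_port(port: int) -> int:
    """What --lport N amounts to: bind the requested port explicitly."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", port))
        return s.getsockname()[1]


class StatefulFirewall:
    """Minimal connection-tracking table keyed on (client, server) endpoints.

    Every outbound packet creates or refreshes an entry; an inbound packet is
    admitted only if it is the reverse of an entry seen within idle_timeout.
    """

    def __init__(self, idle_timeout: float):
        self.idle_timeout = idle_timeout
        self.table: Dict[Tuple[Addr, Addr], float] = {}  # -> last_seen

    def outbound(self, client: Addr, server: Addr, now: float) -> None:
        # New flow or refresh of an existing one; the source port is part of
        # the key, so a reconnect on a new ephemeral port is a new entry.
        self.table[(client, server)] = now

    def inbound(self, server: Addr, client: Addr, now: float) -> bool:
        key = (client, server)
        last = self.table.get(key)
        if last is None or now - last > self.idle_timeout:
            self.table.pop(key, None)  # expired: drop the state and the packet
            return False
        self.table[key] = now  # replies also count as activity
        return True


def reply_gets_through(ping_interval: Optional[float], idle_timeout: float,
                       reply_at: float) -> bool:
    """Simulate a client that sends a packet at t=0, then a --ping every
    ping_interval seconds (None = no pings), and a server reply at reply_at.
    Returns whether the firewall lets that reply reach the client."""
    fw = StatefulFirewall(idle_timeout)
    client = ("10.0.0.2", ephemeral_source_port())  # constructed client address
    server = ("203.0.113.5", 1194)                  # constructed server, default port
    t = 0.0
    while t <= reply_at:
        fw.outbound(client, server, t)
        if ping_interval is None:
            break
        t += ping_interval
    return fw.inbound(server, client, reply_at)


if __name__ == "__main__":
    print("ephemeral ports:", ephemeral_source_port(), ephemeral_source_port())
    print("ping 10s, timeout 30s, reply at 100s:", reply_gets_through(10, 30, 100))
    print("no ping,  timeout 30s, reply at 100s:", reply_gets_through(None, 30, 100))
    print("ping 60s, timeout 30s, reply at 100s:", reply_gets_through(60, 30, 100))
```

Running it shows two successive ephemeral ports (the OS may or may not hand back the same number, which is exactly why the observed client port "changes with a connection request"), and that a reply arriving 100 s into the session is only admitted when pings are more frequent than the tracking table's idle timeout; pinning --lport changes the source port, not the need for keepalives.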