[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Web openvpn.net

Re: [Openvpn-users] doesn't always use port 1194

  • Subject: Re: [Openvpn-users] doesn't always use port 1194
  • From: Josh Cepek <josh.cepek@xxxxxxx>
  • Date: Mon, 30 Jul 2007 14:58:46 -0500
  • Openpgp: id=2E5A5127
  • Z-usanet-msgid: XID026LgdT720258X40

Brian J. Murrell wrote:
> I have openvpn on my OpenWRT gateway as well as another computer (to
> which I create and receive tunnels from).
> I find that at times both ends will use port 1194 and at other times,
> one end will use an ephemeral port (i.e. >1023) port rather than 1194.
> I would prefer both ends always used port 1194 for tighter firewalling.
> Is there any way I can force such behaviour?

The option "--port #" tells OpenVPN to use a particular port number for
both local and remote ports, and either one can be individually
specified with --lport or --rport for local or remote port.  However,
note that use of NAT in front of an OpenVPN peer may re-write the source
port on outgoing packets, so the other peer may see the port as being
sourced from another port.  In a client-server OpenVPN setup I don't
think it's a good idea to restrict based on source port since clients
might be connecting from behind various NAT implementations.  In
peer-to-peer configurations, as long as the state of any NAT is known
beforehand and the ports you intend to use can be guaranteed free, you
could filter by port, but there again it could cause unknown problems
down the road if the local port can't be used for some reason and
another is selected.


Attachment: signature.asc
Description: OpenPGP digital signature