Changing OpenVPN Server port number backfires


martinr

Part of the Furniture
To counter opportunistic probes of common ports, for years my SSH port has been at the high end of the Registered port range, 1024-49151 (instead of port 22), and I’ve never had a single problem.


More recently, and for the same reasons, I moved the OpenVPN Server port from 1194 to a number also at the high end of the Registered range, say, 44567. No problems until yesterday when the server stopped working. (And, although my second server was running, I wasn’t able to connect; fortunately, I was at home.) The logfile stated: “errno99: cannot assign requested address” and then the public IP address was listed along with the port number 44567. A search led me to believe I’d had a collision on that port: some other process, by chance, happened to be using it.


I thought, serves me right: I should have picked a port in the Dynamic or Private port range (49152-65535). At least, I did think that till I did some digging

https://stackoverflow.com/questions...or-in-house-application-use/38141340#38141340

after which, more confused, I thought perhaps it was right after all to use a Registered port number, and that the Private/Dynamic port range (>49152) should be left alone.


But one item in that link caught my eye:


“On the opposite, take a port already assigned to something you're sure won't ever get needed. For example, TCP 31457 is assigned to TetriNET, so it's a pretty sure bet (unless your business is multiplayer tetris).” (maaartinus, Aug 20 '18 at 18:17)


And, that strikes me as quite a good idea.


But before I do anything, I thought I’d seek people’s comments not only on that suggestion but also on the rest of this post.
 
I use a four digit registered port that is listed for a game or service I will never use. The port I chose is listed to use TCP but I use UDP for OVPN. Works well for me!

 
I think your original logic was sound. The objective is to not use any of the Ephemeral ports. But as we can see from the wiki entry, just what is used as the ephemeral port range varies depending on client device.

IMHO ephemeral ports should be 49152 to 65535 as per the IANA. This is what Windows currently uses. But if you log onto the router and go to System Log > Active Connections you can see some devices using lower numbers. In my case the ports were from about 33000 upwards and the devices in question were Android phones and smart TVs. This ties up with the wiki entry that says "Many Linux kernels use the port range 32768 to 61000".

So I would say you should avoid anything above 32767, or less than 5001 (the old BSD and XP range).
 
Thank you, Colin. Yes, I did indeed notice that in the active connections; I’m glad you mentioned it, because I thought I was beginning to understand it until I looked there.

Thanks for that great advice: I’ll stick to the range >5000 and <32767 and look for ports in that range assigned to video games etc as bbunge did. I’ll also reassign my SSH port. I can then relax knowing that the chances of another collision will be one in every ten-to-the-power 29 years.

Yet another very useful little learning exercise. Thanks.
 
A learning exercise for myself as well. I just assumed that everything used the IANA range nowadays. Obviously not. I'm somewhat surprised at Linux's non-compliance with IANA, as can be seen on the router itself:
Code:
admin@RT-AC68U:/# cat /proc/sys/net/ipv4/ip_local_port_range
32768   61000
 
Does that mean we could also safely use ports between 61001 and 65535 to both frustrate opportunistic probing and reduce the collision rate to one every ten-to-the-power 35 years? (Except Asus could always change that in the future, I guess.)
 
Not really. I'm still seeing ports being opened on the router from Windows' clients on the LAN that are higher than 61000. The 32768-61000 range mentioned previously would only apply to things running on the router itself.
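The checks this thread converges on, as an added example script that is not part of the thread or of any firmware: is the candidate listening port inside the ephemeral range of the kernel that will own the socket (read from the same /proc/sys/net/ipv4/ip_local_port_range file shown above), inside IANA's 49152-65535 dynamic range that Windows clients use, or outside the 5001-32767 band suggested earlier, and is something on the host already bound to it. The function names, the label names and the fallback to the IANA range when the proc file is absent are assumptions made for this script. As the last reply points out, the range the script reads only describes the host it runs on, so the LOW/HIGH arguments are deliberately explicit rather than always taken from the local kernel.

```shell
#!/bin/sh
# Added example, not from the thread: classify a candidate listening port
# (e.g. for OpenVPN or SSH) against the local kernel's ephemeral range, the
# IANA dynamic range and the conservative 5001-32767 band suggested in the
# thread, and report whether something on this host is already bound to it.
# Function names, labels and the fallback range are assumptions for this script.

# Print the kernel's ephemeral range as "LOW HIGH". On a host without the
# proc file (non-Linux), fall back to IANA's 49152 65535.
ephemeral_range() {
    if [ -r /proc/sys/net/ipv4/ip_local_port_range ]; then
        cat /proc/sys/net/ipv4/ip_local_port_range
    else
        echo "49152 65535"
    fi
}

# in_range PORT LOW HIGH: succeed when LOW <= PORT <= HIGH.
in_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# classify_port PORT LOW HIGH: print one label for the port, where LOW/HIGH is
# the ephemeral range of the kernel that will own the listening socket.
classify_port() {
    if [ "$1" -lt 1 ] || [ "$1" -gt 65535 ]; then
        echo invalid
    elif [ "$1" -lt 1024 ]; then
        echo privileged            # needs root and is the most probed band
    elif in_range "$1" "$2" "$3"; then
        echo ephemeral             # an outbound connection may grab it first
    elif in_range "$1" 49152 65535; then
        echo iana-dynamic          # IANA client range, used by Windows clients
    elif [ "$1" -lt 5001 ] || [ "$1" -gt 32767 ]; then
        echo outside-conservative  # old BSD/XP range, or above the Linux low end
    else
        echo ok
    fi
}

# port_in_use PORT: succeed if a listening socket is already bound to PORT.
# Uses ss where available, netstat otherwise; returns 2 if neither exists.
port_in_use() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltun 2>/dev/null | awk '{print $5}' | grep -Eq "[:.]$1\$"
    elif command -v netstat >/dev/null 2>&1; then
        netstat -ltun 2>/dev/null | awk '{print $4}' | grep -Eq "[:.]$1\$"
    else
        return 2
    fi
}

# Usage: sh portcheck.sh PORT   (run on the host that will listen on PORT)
if [ -n "$1" ]; then
    range=$(ephemeral_range)
    set -- "$1" $range
    echo "port $1 on this host: $(classify_port "$1" "$2" "$3")"
    if port_in_use "$1"; then
        echo "port $1 is already bound on this host"
    fi
fi
```

Run on the router from the thread, `sh portcheck.sh 44567` reports the port as ephemeral for its 32768-61000 range, which matches the collision the first post describes, while `sh portcheck.sh 31457` (the TetriNET port quoted above) reports ok. The in-use check only covers sockets already listening at the moment it runs; a port inside the ephemeral range can still be taken later by an outbound connection, which is why the classification is the check that matters for a long-lived server socket.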
 