OPENVPN on Port 80- will "direct clients to redirect internet traffic" off work?

  • Thread starter: Deleted member 27741
I have a question- I run two OPENVPN servers on my N66U- server 1 (runs on port 443) has internet traffic redirected and server 2 (runs on port 80) does NOT have internet traffic redirected (for LAN access only).

My question is- will server 2 effectively route all LAN traffic through the encrypted tunnel correctly with this setup? I have thought that perhaps the router would get confused and the LAN traffic (all or part of it) would not be sent through the tunnel.

Of course I do realize that changing the port could correct this and will probably do that just in case, but I am still interested in the answer. :cool:
 
The port shouldn't cause any problem, as long as you did disable HTTP support and keep only HTTPS enabled.

Don't forget to run your clients with administrative privileges so they can establish the route, and also check the firewall settings on the target LAN machines (for instance, some firewall software won't accept the client connection attempts from their 10.x.x.x IPs).
 
I think rmerlin is referring to the router GUI here?

If HTTP login is enabled there could be issues (especially locally), I actually only run HTTPS login to the GUI on a non-standard port so I think it should be ok there.

I did decide to run OPENVPN on a different port than port 80 anyway, but was interested how OPENVPN would encrypt LAN data on port 80 when internet traffic was not sent through the tunnel. Apparently their thinking is more sophisticated than just "don't encrypt traffic on port 80 when redirect internet traffic is off", which is good.

Now that rmerlin mentions it, I did just make sure I was running all my clients as admin. The routes don't get established correctly if you don't, and why even have the VPN without the correct routes, right?
 
As a side note, I recommend not using either 80 or 443 for OpenVPN servers, as your log will get filled by tons of random port scanning from malware trying to locate vulnerable web servers.
 
I do get some log entries from port 443, not a huge amount though, that is the sacrifice I have made for what I believe to be a guarantee of a usable port to connect.

Is there a port that I can use that will be as "reliable" as 443 and 80? I often use OPENVPN at hotels that have pretty wonky setups and I find that VPN connections are often not allowed to pass through. If I just choose some random port will that be as consistent as 443 and 80 are?
 
It's always up to the hotel's IT guy. It depends on what they chose to offer. They could even in theory block every single port, and force you to go through a local proxy, for example. So no, there's no guarantee. 80 and 443 are a rather safe bet because they are the most commonly used ports by "legit" Internet users. Any other potential candidate (such as 110 - POP3) would also get heavily hammered by port scanners.

Overall, if it's a popular port, expect it to be frequently scanned as well.
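
Added example (not part of the thread or any poster's code): one way to triage the scan noise discussed above, assuming the server runs in TCP mode and logs OpenVPN's "Bad encapsulated packet length from peer" warning. The sample log lines, the `ovpn-server1` process tag and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the style of an OpenVPN TCP server's syslog
# output (documentation-range addresses; not taken from the thread).
SAMPLE_LOG = """\
Jan  5 10:01:12 ovpn-server1[812]: 203.0.113.7:51522 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1627
Jan  5 10:01:40 ovpn-server1[812]: 198.51.100.23:40110 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627
Jan  5 10:02:03 ovpn-server1[812]: 203.0.113.7:51530 WARNING: Bad encapsulated packet length from peer (20559), which must be > 0 and <= 1627
Jan  5 10:03:15 ovpn-server1[812]: 192.0.2.44:60001 TLS Error: TLS handshake failed
Jan  5 10:04:00 ovpn-server1[812]: 192.0.2.10:49152 Peer Connection Initiated with [AF_INET]192.0.2.10:49152
"""

BAD_LEN = re.compile(
    r"(\d+\.\d+\.\d+\.\d+):\d+ WARNING: Bad encapsulated packet length "
    r"from peer \((\d+)\)"
)

# First two bytes of common HTTP request methods.
HTTP_PREFIXES = {b"GE": "HTTP GET", b"PO": "HTTP POST", b"HE": "HTTP HEAD",
                 b"OP": "HTTP OPTIONS", b"CO": "HTTP CONNECT"}

def classify_length(value):
    """OpenVPN over TCP reads the first two bytes of a packet as a
    big-endian length; turn the logged number back into those bytes."""
    if not 0 <= value <= 0xFFFF:
        return "other"
    raw = value.to_bytes(2, "big")
    if raw in HTTP_PREFIXES:
        return HTTP_PREFIXES[raw]
    if raw[0] == 0x16 and raw[1] == 0x03:  # TLS handshake record, version 3.x
        return "TLS ClientHello"
    return "other"

def summarize(log_text):
    """Count (source IP, probe type) pairs among the bad-length warnings."""
    counts = Counter()
    for line in log_text.splitlines():
        m = BAD_LEN.search(line)
        if m:
            counts[(m.group(1), classify_length(int(m.group(2))))] += 1
    return counts

if __name__ == "__main__":
    for (ip, kind), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{ip:15} {kind:16} {n}")
```

Sources that only ever show up as HTTP or TLS probes are web scanners hitting the port, not failed VPN clients, so they can be filtered out of the log when reviewing it.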
 
