OpenVPN on TCP 443 or 80

Cyrenaic

Hello all -

I have multiple VPN types going: WireGuard (via a Raspberry Pi, not via the router), IPsec on the RT-AX86U, and IPsec via Instant Guard -- the last two are really just me trying them out and as alternatives to WireGuard.

I am running stock firmware.

They all work well and as expected.

What I really want as an alternative is OpenVPN but on TCP 80 or TCP 443. Reason being that in very locked down networks those ports are almost sure to be open - whereas IPSec and UDP are completely blocked.

This is the warning in the GUI for OpenVPN on the RT-AX86U

(screenshot of the GUI warning for the OpenVPN server port, not reproduced)


It says it is a "suggestion", but what they really mean is that if I type in a port <1024, it will not accept it. I don't know exactly what the security concern is, other than that these are well-known ports.

Does anyone know of a workaround to this restriction?

Thanks.
 
It's unlikely the firmware will allow you to use either of those ports. Both 80 and 443 are kind of "reserved" for Asus' management interface, in case the user wants to use management over the WAN. Also, some services like Alexa require those ports to be open from the WAN.

"Security concerns" may be the fact that ports <1024 are common targets for scans from the internet.
 
Which is frustrating, because I don't run the management interface on TCP 80 or 443. I have it restricted to 8443 on both LAN and WAN, using DDNS and a cert.

I suppose I could use the Pi and set up OpenVPN there, and port forward to it. The restriction is not there in the port forwarding area. It would have been nice to do it on the router though.

Erm, so not even through SSH? Like some way to modify the config, bypassing the GUI?
 
Have you tried a port like 999? Does it accept that?
Nope - in fact, the JavaScript is:

JavaScript:
    // Runs in the browser when the form is submitted: the OpenVPN server
    // port field is only accepted if it is within 1024..65535.
    var isValid_vpn_server_port = valid_num_range($vpn_server_port.val(), 1024, 65535);
    if (isValid_vpn_server_port.isError) {
        // Show the "suggestion" hint next to the field and block submission.
        $vpn_server_port.show_validate_hint(isValid_vpn_server_port.errReason);
        $vpn_server_port.focus();
        return false;
    }

Makes me wonder if it is a client-side check only 🤔
 
That check wasn't in older firmware versions, IIRC. I suggest you go to AiCloud 2.0 - Settings and change the "AiCloud Web access port" to something other than 443. Then:
Code:
    nvram set vpn_server1_port=443
    nvram commit
 
"Security concerns" may be the fact that ports <1024 are common targets for scans from the internet.

And TCP answers a SYN packet...

If one wants to run OpenVPN on 80/443, I would suggest using UDP, because it doesn't answer a TCP SYN packet...
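The two posts above together amount to a small procedure: free up 443 (move the AiCloud web access port), set the OpenVPN server port through nvram instead of the GUI, and prefer UDP so the port does not answer SYN probes. The script below is an added example written for this thread; it is not code from the thread, from Asus or from Merlin. It assumes the nvram name vpn_server1_port from the post above, assumes that vpn_server1_proto holds "udp" or "tcp-server" (an AsusWRT name I have not verified here), and assumes the router's netstat prints the usual BusyBox columns. The netstat snapshot embedded in it is constructed to mirror the poster's setup (management on 8443, AiCloud still on 443, IPsec on UDP 500/4500) and is only used when netstat is not available.

```shell
#!/bin/sh
# Added example, not code from the thread or from Asus firmware.
# Moves the OpenVPN server to port 443 (or 80) via nvram, but only after
# confirming nothing else on the router still listens there, and defaults
# to UDP because a TCP listener on 443 completes the handshake for any SYN.
#
# Assumptions (not confirmed by the thread):
#   - nvram vpn_server1_port is the OpenVPN server port (from the thread) and
#     vpn_server1_proto holds "udp" or "tcp-server" (assumed AsusWRT name);
#   - `netstat -ln` on the router prints the usual BusyBox columns
#     (Proto Recv-Q Send-Q Local-Address Foreign-Address State).
# Usage on the router, after moving the AiCloud port:  sh movevpn.sh 443 udp
# Set DRY_RUN=1 (or run where nvram is absent) to only print the commands.

# Constructed sample of `netstat -ln` output, used when netstat is missing
# (e.g. when trying the functions on a workstation). It mirrors the poster's
# setup: management on 8443, AiCloud still on 443, IPsec on UDP 500/4500.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 192.168.50.1:53         0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:500             0.0.0.0:*
udp        0      0 0.0.0.0:4500            0.0.0.0:*'

# listeners_on PORT NETSTAT_OUTPUT
# Prints every TCP/UDP listener line whose local port is PORT (any address,
# v4 or v6). Exit status 0 if at least one line matched, 1 if none did.
listeners_on() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 ~ /^(tcp|udp)6?$/ {
            n = split($4, a, ":")      # "0.0.0.0:443" or ":::443" -> last field
            if (a[n] == p) { print; found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# check_port_free PORT NETSTAT_OUTPUT
# Exit 0 when PORT is unused; otherwise list the conflicting sockets and exit 1.
check_port_free() {
    if hits=$(listeners_on "$1" "$2"); then
        printf 'port %s is already in use:\n%s\n' "$1" "$hits" >&2
        return 1
    fi
    return 0
}

# set_openvpn_port PORT PROTO
# PROTO must be "udp" or "tcp-server". Applies the change with nvram and
# commits it; with DRY_RUN=1 or without nvram it only prints the commands.
set_openvpn_port() {
    case "$2" in
        udp|tcp-server) ;;
        *) echo "proto must be udp or tcp-server, got '$2'" >&2; return 2 ;;
    esac
    if [ "${DRY_RUN:-0}" = 1 ] || ! command -v nvram >/dev/null 2>&1; then
        printf 'would run: nvram set vpn_server1_port=%s; nvram set vpn_server1_proto=%s; nvram commit\n' "$1" "$2"
        return 0
    fi
    nvram set vpn_server1_port="$1" &&
    nvram set vpn_server1_proto="$2" &&
    nvram commit
}

main() {
    port=${1:-443}
    proto=${2:-udp}
    if command -v netstat >/dev/null 2>&1; then
        snapshot=$(netstat -ln 2>/dev/null)
    else
        snapshot=$SAMPLE_NETSTAT
    fi
    check_port_free "$port" "$snapshot" || {
        echo "move the conflicting service first (e.g. the AiCloud web access port)" >&2
        return 1
    }
    if [ "$proto" = tcp-server ]; then
        echo "note: a TCP listener on $port answers every SYN probe; udp does not" >&2
    fi
    set_openvpn_port "$port" "$proto"
}

# Only act when invoked with arguments, so the functions can be sourced/tested.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it once with DRY_RUN=1 on the router to see which socket still owns 443 before committing anything; with the sample snapshot it refuses, because AiCloud is still bound there, which is exactly the conflict the post above tells you to remove first. The protocol default is UDP for the reason given in the last post: a UDP OpenVPN listener only replies to packets it accepts, so an internet SYN scan sees nothing, while a TCP listener on 443 will complete the three-way handshake for anyone.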
 
