VPN Server on port 53/443?


zakazak

Regular Contributor
Is it okay (in terms of security and unexpected troubles / behaviour) to run my OpenVPN Server on port 53 or 443 to be able to access it even when being on a network (e.g. corporate) with a firewall that seems to block most other requests?

For example I can browse the web but not access my VPN server.

I don't have (knowingly) anything else in my home network that runs on port 53 or 443 (at least I don't have those ports forwarded in my router), so I thought they should be safe to use for the OpenVPN server?
 
Yes, I have a working OpenVPN server on 443 (TCP).
 
I don't have (knowingly) anything else in my home network that runs on port 53 or 443 (at least I don't have those ports forwarded in my router), so I thought they should be safe to use for the OpenVPN server?
53 is the DNS server port, so if you try to use that either the DNS or the VPN server will refuse to start. You could use 443 (that's quite a common approach) provided that you don't use the router's default AiCloud settings, as that uses port 443.

But the real security risk of doing this in a corporate environment is from you. There's good reason that most corporate networks block outgoing connections to unsanctioned external servers. If on the other hand you're in a hotel using its public Wi-Fi then there shouldn't be a problem.
 
53 is the DNS server port, so if you try to use that either the DNS or the VPN server will refuse to start. You could use 443 (that's quite a common approach) provided that you don't use the router's default AiCloud settings, as that uses port 443.

But the real security risk of doing this in a corporate environment is from you. There's good reason that most corporate networks block outgoing connections to unsanctioned external servers. If on the other hand you're in a hotel using its public Wi-Fi then there shouldn't be a problem.

I use the AiProtection features if that is what you are referring to for port 443? Or is that something else?
I guess I would also need to switch to TCP instead of UDP for the OpenVPN server protocol?

Are there any other ports like 53/443 that I could use?
Actually in my corporate network the VPN works. I was talking about hotels and airports where I sometimes face this issue :)
 
I use the AiProtection features if that is what you are referring to for port 443? Or is that something else?
AiCloud is a different option from AiProtection. See the GUI.

I guess I would also need to switch to TCP instead of UDP for the OpenVPN server protocol?
Yes. The other potential problem with using common ports like 443 is that they're the most obvious targets for hackers and port scanners. So while OpenVPN is still secure, you'll get a lot of unwanted noise hitting that port.

Are there any other ports like 53/443 that I could use?
Actually in my corporate network the VPN works. I was talking about hotels and airports where I sometimes face this issue :)
For hotels they sometimes only block the standard VPN port, UDP 1194. So using any other port may work. If however it's really locked down then only the basic DNS, HTTP and HTTPS ports might be allowed.
 
AiCloud is a different option from AiProtection. See the GUI.


Yes. The other potential problem with using common ports like 443 is that they're the most obvious targets for hackers and port scanners. So while OpenVPN is still secure, you'll get a lot of unwanted noise hitting that port.


For hotels they sometimes only block the standard VPN port, UDP 1194. So using any other port may work. If however it's really locked down then only the basic DNS, HTTP and HTTPS ports might be allowed.

The hotel I have been was really strict.
I couldn't even use DNSCrypt (and I don't know how that was blocked, since it also uses the standard ports?).
 
My OpenVPN server has worked on TCP port 443 for many years without problems. I don't use any "AI" things from Asus :) Running the server on 443 is generally the only possible solution when the client is in a very restrictive environment. But it doesn't help in the case of the Great Firewall of China (GFW) :)
 
If you run pixelserv-tls, you need to add a line in the Custom Config if using port 443. It allows the OpenVPN server to listen externally on port 443 at the same time as pixelserv-tls listens internally on port 443. So if your DDNS is fred.asuscomm.com, the command would read:

local fred.asuscomm.com

Credit for this goes to elorimer, see para 6 of:


In turn, elorimer credits martineau at:

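An added example, my own illustration rather than anything elorimer, martineau or another poster wrote, of why that `local` line is needed. OpenVPN's `local` option binds the listener to one address instead of every interface. pixelserv-tls is already bound to its own LAN address on 443, so an OpenVPN server that binds 0.0.0.0:443 collides with it, while one bound only to the WAN address does not. The script below reproduces the collision on loopback: it holds a TCP socket on 127.0.0.1 on a kernel-chosen port (standing in for pixelserv-tls; the port is chosen by the kernel so nothing on the test machine is disturbed) and reports, by errno name, which other bind() calls on that same port the kernel accepts. The address 127.0.0.2 is an assumption that only holds on systems where all of 127/8 is loopback (Linux).

```python
import errno
import socket


def probe_bind(holder_addr: str = "127.0.0.1") -> dict:
    """Hold a listening TCP socket on holder_addr:<kernel-chosen port> (the
    stand-in for pixelserv-tls on the router's LAN address), then test which
    other bind() calls on the same port succeed.  Each result is "ok" or the
    errno name the kernel returned, so EADDRINUSE (port conflict) can be told
    apart from EADDRNOTAVAIL (the address simply does not exist here)."""
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    holder.bind((holder_addr, 0))        # port 0: kernel picks a free port
    holder.listen(1)
    port = holder.getsockname()[1]

    def try_bind(addr: str) -> str:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            s.bind((addr, port))
            return "ok"
        except OSError as e:
            return errno.errorcode.get(e.errno, str(e))
        finally:
            s.close()

    results = {
        "port": port,
        # OpenVPN's default without 'local': bind every address.  This is the
        # collision the thread is working around.
        "wildcard_0.0.0.0": try_bind("0.0.0.0"),
        # Two services on exactly the same address and port: also a collision.
        "same_addr": try_bind(holder_addr),
        # A second, different address on the same port: what 'local <WAN-name>'
        # makes OpenVPN do.  127.0.0.2 is assumed to exist (true on Linux).
        "other_addr_127.0.0.2": try_bind("127.0.0.2"),
    }
    holder.close()
    return results


if __name__ == "__main__":
    for name, value in probe_bind().items():
        print(f"{name}: {value}")
```

On Linux `other_addr_127.0.0.2` reports `ok`, because the whole 127/8 block is loopback there; on BSD-derived systems that address is not configured and the bind fails with EADDRNOTAVAIL rather than EADDRINUSE, which is the distinction the errno name is there to show. The wildcard and same-address binds fail with EADDRINUSE everywhere, and that is exactly the failure the pixelserv-tls plus OpenVPN pair hits without `local`.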
 
If you run pixelserv-tls, you need to add a line in the Custom Config if using port 443. It allows the OpenVPN server to listen externally on port 443 at the same time as pixelserv-tls listens internally on port 443. So if your DDNS is fred.asuscomm.com, the command would read:

local fred.asuscomm.com

Credit for this goes to elorimer, see para 6 of:


In turn, elorimer credits martineau at:

This +1000!!

It took me a while before finding the solution in those same threads.
 
Port 443/TCP is a bad idea, it will get bombarded by port scanners.
 
A VPN blocked by some firewall is useless. Let them scan, no problem. The difference is working vs non-working VPN. Use case specific.
 
Port 443/TCP is a bad idea, it will get bombarded by port scanners.

I understand, I agree.. but there aren't any other solutions?

Additionally, what's the impact of getting bombarded by a port scanner? Security-wise it should not matter?
 
VPN on 443/TCP is still detectable and preventable by DPI engines. There are methods to hide it as HTTPS, but most of the time that's not needed. Port scanners are one thing: you'll see connection attempts from different IPs with connection reset. Bad is when you see a connection established. You have to keep your server updated and monitor it. I run one VPN server on 443/TCP, but I also have other security measures. Different hardware and software, not Asus.
 
VPN on 443/TCP is still detectable and preventable by DPI engines. There are methods to hide it as HTTPS, but most of the time that's not needed. Port scanners are one thing: you'll see connection attempts from different IPs with connection reset. Bad is when you see a connection established. You have to keep your server updated and monitor it. I run one VPN server on 443/TCP, but I also have other security measures. Different hardware and software, not Asus.

Well, connection established means that someone managed to exploit OpenVPN or cracked a VPN user's password.
Both very unlikely?
 
I was running an RT-AC66U B1 with stock Asuswrt and VPN server on 443/TCP for about a year. Multiple connection attempts a day, but none were successful. What killed the router was Asus themselves with the bad ASD update. They hacked it better than anyone else. :p
 
Let them scan, no problem. The difference is working vs non-working VPN. Use case specific.
I had a customer who had random connection failures to their VPN. Turns out scanners were generating close to a hundred "ghost" clients with their port hammering, reaching the limit allowed by their server.

In this case, using TCP might be less susceptible to this type of "attack" than UDP, the problem with UDP being that "sessions" don't immediately expire. However he would still get his logs flooded with connection attempts.
 
Additionally, what's the impact of getting bombarded by a port scanner? Security-wise it should not matter?
If using TCP, then it will be mostly log flood, possibly affecting the router's performance if the scans are very aggressive. It won't be a security issue however, scanners would merely try to access it as a web server, not as a VPN server.
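As an added example, written for this thread and not code from any of the posters, here is the kind of log check that the "keep it updated and monitor it" advice calls for, run over constructed lines in OpenVPN 2.x server-log format using documentation-range addresses. On a TCP listener OpenVPN writes `TCP connection established with ...` for every completed TCP handshake, scanners included, so that line by itself is just the noise described above; the line that means a client passed the TLS and certificate checks is `Peer Connection Initiated`. The script groups events by source address, separates sources that only connected, reset or failed TLS (scanner noise) from sources that completed a session, and raises an alert for any session whose common name is not on an allowlist you supply. The common names `laptop` and `phone` and the allowlist are assumptions for the demo.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the style of an OpenVPN 2.x server log in TCP mode.
# Addresses are RFC 5737 documentation ranges; nothing here is from a real router.
SAMPLE_LOG = """\
Tue Mar  5 10:01:02 2024 TCP connection established with [AF_INET]198.51.100.23:41522
Tue Mar  5 10:01:03 2024 198.51.100.23:41522 Connection reset, restarting [0]
Tue Mar  5 10:01:40 2024 TCP connection established with [AF_INET]198.51.100.23:41610
Tue Mar  5 10:01:40 2024 198.51.100.23:41610 Connection reset, restarting [0]
Tue Mar  5 10:02:10 2024 TCP connection established with [AF_INET]203.0.113.7:55012
Tue Mar  5 10:02:11 2024 203.0.113.7:55012 TLS Error: TLS handshake failed
Tue Mar  5 10:02:11 2024 203.0.113.7:55012 SIGUSR1[soft,tls-error] received, client-instance restarting
Tue Mar  5 10:03:00 2024 TCP connection established with [AF_INET]192.0.2.44:50233
Tue Mar  5 10:03:01 2024 192.0.2.44:50233 [laptop] Peer Connection Initiated with [AF_INET]192.0.2.44:50233
Tue Mar  5 10:04:12 2024 TCP connection established with [AF_INET]203.0.113.99:60120
Tue Mar  5 10:04:13 2024 203.0.113.99:60120 [phone] Peer Connection Initiated with [AF_INET]203.0.113.99:60120
"""

IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"

# Ordered: the first pattern that matches a line classifies it.
PATTERNS = [
    ("session_ok",  re.compile(IP + r":\d+ \[(?P<cn>[^\]]+)\] Peer Connection Initiated")),
    ("tls_error",   re.compile(IP + r":\d+ TLS Error: ")),
    ("auth_fail",   re.compile(IP + r":\d+ TLS Auth Error: ")),
    ("reset",       re.compile(IP + r":\d+ Connection reset")),
    ("tcp_connect", re.compile(r"TCP connection established with \[AF_INET\]" + IP + r":\d+")),
]


def parse_events(log_text):
    """Yield (event, ip, cn-or-None) per recognised line; other lines are ignored."""
    for line in log_text.splitlines():
        for name, pat in PATTERNS:
            m = pat.search(line)
            if m:
                yield name, m.group("ip"), m.groupdict().get("cn")
                break


def triage(log_text, known_clients=frozenset()):
    """Split the log's source IPs into scanner noise and real sessions.

    A source is noise when it opened TCP connections (or reset, or failed TLS)
    but never reached 'Peer Connection Initiated', i.e. it never presented a
    valid client certificate and credentials.  Completed sessions whose common
    name is not in known_clients are returned as alerts."""
    counts = defaultdict(Counter)
    sessions = []
    for event, ip, cn in parse_events(log_text):
        counts[ip][event] += 1
        if event == "session_ok":
            sessions.append((ip, cn))
    scanner_ips = sorted(ip for ip, c in counts.items() if c["session_ok"] == 0)
    alerts = [f"session from {ip} as '{cn}' not in known clients"
              for ip, cn in sessions if cn not in known_clients]
    return {
        "per_ip": {ip: dict(c) for ip, c in counts.items()},
        "scanner_ips": scanner_ips,
        "sessions": sessions,
        "alerts": alerts,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, known_clients={"laptop"})
    print("scanner noise from:", ", ".join(report["scanner_ips"]))
    for ip, cn in report["sessions"]:
        print(f"session '{cn}' from {ip}")
    for alert in report["alerts"]:
        print("ALERT:", alert)
```

The useful output is the per-IP table and the alert list: a handful of sources with only `tcp_connect` and `reset` or `tls_error` counts is the expected background on a public 443/TCP listener, while a `session_ok` from a common name you do not recognise is the event worth investigating.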
 
The approach definitely has pros and cons. The most secure is off, all ports closed.
 
Port 443/TCP is a bad idea, it will get bombarded by port scanners.

Yes, but if the client is in restrictive environment this is the only possible solution. The port scanners just flood the log file.

VPN on 443/TCP is still detectable and preventable by DPI engines. There are methods to hide it as HTTPS, but most of the time that's not needed. Port scanners are one thing: you'll see connection attempts from different IPs with connection reset. Bad is when you see a connection established. You have to keep your server updated and monitor it. I run one VPN server on 443/TCP, but I also have other security measures. Different hardware and software, not Asus.

Yes, the DPI engines can detect the OpenVPN traffic, but they are used mainly in extremely restrictive environments like China (GFW) and other states with internet censorship, or in very secure corporate networks. I travel a lot in such states and had problems accessing my home OpenVPN server only in China and Egypt. In most cases I can connect to my server without problems, while if the port is not 443 TCP the connection problems occur much more frequently. So for "travel warriors" keeping the server on 443 TCP brings more pros than cons.
 