Sharing a Port with OpenVPN and a Web Server
To be extra sneaky or careful with an OpenVPN server, take advantage of the
port-share capability in OpenVPN that allows it to pass any non-OpenVPN
traffic to another IP address behind the firewall. The usual use case for this
would be to run the OpenVPN server on port tcp/443 while letting OpenVPN hand
off the HTTPS traffic to a web server in place of a port forward.
Often, on locked-down networks, only ports such as 80 and 443 are allowed outbound for security reasons. Running OpenVPN instances on these allowed ports can help users get out in situations where access may otherwise be restricted.
To set this up, configure an OpenVPN server to listen on TCP port 443 and add a firewall rule to pass traffic to the WAN IP address or VIP used for OpenVPN on port 443. No additional port forwards or firewall rules are necessary to pass the traffic to the internal IP.
In the custom options of the OpenVPN instance, add the following:
port-share x.x.x.x 443
x.x.x.x is the internal IP address of the web server to which the non-VPN traffic will be forwarded.
Now if an OpenVPN client is pointed to the public address, it will connect and work fine, and if a web browser is pointed at the same IP address, it will be connected to the web server.
This requires using TCP, and may result in reduced VPN performance.
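The hand-off described above happens on the first bytes of each TCP stream: OpenVPN keeps a stream that starts like an OpenVPN client reset and proxies anything else to the port-share target. The following is an added illustration, not code from the pfSense documentation or from OpenVPN; it models that decision after OpenVPN's is_openvpn_protocol() check, and the opcode constants and sample stream heads are assumptions and constructed values.

```python
# Added example: a model of how OpenVPN's port-share demultiplexes a TCP
# stream. OpenVPN inspects the first bytes a client sends on tcp/443; a
# stream that does not look like an OpenVPN session reset is proxied to the
# port-share target (the web server). The rule below follows OpenVPN's
# is_openvpn_protocol() as understood here; treat the exact constants as an
# assumption rather than a copy of the upstream source.

P_OPCODE_SHIFT = 3
P_CONTROL_HARD_RESET_CLIENT_V2 = 7
P_CONTROL_HARD_RESET_CLIENT_V3 = 10
RESET_OPCODES = {
    P_CONTROL_HARD_RESET_CLIENT_V2 << P_OPCODE_SHIFT,  # 0x38
    P_CONTROL_HARD_RESET_CLIENT_V3 << P_OPCODE_SHIFT,  # 0x50
}


def is_openvpn_protocol(first_bytes: bytes) -> bool:
    """Return True if the start of a TCP stream looks like an OpenVPN client.

    Over TCP, each OpenVPN packet carries a 2-byte big-endian length prefix.
    The first packet from a client is a control-channel hard reset, so the
    stream begins: 0x00, a length byte >= 14, then the reset opcode byte.
    """
    p = first_bytes
    if len(p) >= 3:
        return p[0] == 0 and p[1] >= 14 and p[2] in RESET_OPCODES
    if len(p) >= 2:
        return p[0] == 0 and p[1] >= 14
    return True  # too little data to decide yet; keep reading


def port_share_decision(first_bytes: bytes, web_server: str = "x.x.x.x") -> str:
    """Where OpenVPN sends this stream: 'openvpn' or 'proxy to <ip>:443'."""
    if is_openvpn_protocol(first_bytes):
        return "openvpn"
    return f"proxy to {web_server}:443"


# Constructed sample stream heads (not captured traffic):
SAMPLES = {
    # 2-byte length (42) then the P_CONTROL_HARD_RESET_CLIENT_V2 opcode byte
    "openvpn client": bytes([0x00, 0x2A, 0x38]) + b"\x00" * 39,
    # TLS record header: handshake (0x16), TLS 1.x, ClientHello follows
    "https browser": bytes([0x16, 0x03, 0x01, 0x02, 0x00, 0x01]),
    # Plain HTTP request line
    "http client": b"GET / HTTP/1.1\r\n",
}

if __name__ == "__main__":
    for name, head in SAMPLES.items():
        print(f"{name:15s} -> {port_share_decision(head, '192.0.2.10')}")
```

Because the non-VPN stream is proxied by OpenVPN rather than forwarded by the firewall, the web server sees the connection coming from the firewall's internal address, not from the browser's address.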