Sharing a Port with OpenVPN and a Web Server¶
To be extra sneaky (or careful) with an OpenVPN server, take advantage of the
port-share capability in OpenVPN which allows it to pass any non-OpenVPN
traffic to another IP address behind the firewall.
The usual use case for this is to run the OpenVPN server on TCP port
while letting OpenVPN hand off HTTPS traffic from browsers to a web server in
place of a port forward.
This requires using TCP for OpenVPN, and thus is likely to result in reduced VPN performance.
Locked-down networks frequently only allow traffic outbound to common ports such
443 for security reasons. Running OpenVPN instances on these
allowed ports can help users reach the VPN from restricted networks.
Port sharing is only necessary if these two services must share the same port
and IP address. If the firewall has multiple public IP addresses to use, or
if there is no public HTTPS web server, then running OpenVPN on TCP port
443 directly without port sharing is a better practice to get the same
To configure port sharing:
Move the firewall GUI from port
443to an alternate port such as
Configure an OpenVPN server to listen on TCP port
Add a firewall rule to pass traffic to the WAN IP address or VIP used for OpenVPN on port
Add the following to the Custom options of the OpenVPN instance:
port-share x.x.x.x 443;
x.x.x.xwith the internal IP address of the web server to which OpenVPN will forward non-VPN traffic.
If an OpenVPN client is pointed to the public address it will connect to the VPN, while a web browser connecting to the same IP address will be connected to the web server.