Sharing a Port with OpenVPN and a Web Server
To be extra sneaky (or careful) with an OpenVPN server, take advantage of the
port-share capability in OpenVPN, which lets the OpenVPN server hand any TCP
connection that does not begin like an OpenVPN handshake to another host and
port behind the firewall.
The usual use case for this is to run the OpenVPN server on TCP port 443
while letting OpenVPN hand off HTTPS traffic from browsers to a web server, in
place of a port forward.
Warning
This requires using TCP for OpenVPN, which is likely to reduce VPN performance:
TCP sessions carried inside the tunnel run their own retransmission and
congestion control on top of the outer TCP connection's, so a single lost
packet is recovered twice.
Locked-down networks frequently only allow outbound traffic to common ports such
as 80 and 443 for security reasons. Running OpenVPN instances on these allowed
ports can help users reach the VPN from restricted networks.
Note
Port sharing is only necessary if these two services must share the same port
and IP address. If the firewall has multiple public IP addresses to use, or
if there is no public HTTPS web server, then running OpenVPN on TCP port 443
directly without port sharing is a better practice to get the same net effect.
To configure port sharing:

1. Move the firewall GUI from port 443 to an alternate port such as 4433.
2. Configure an OpenVPN server to listen on TCP port 443.
3. Add a firewall rule to pass traffic to the WAN IP address or VIP used for
   OpenVPN on port 443.
4. Add the following to the Custom options of the OpenVPN instance:

   port-share x.x.x.x 443;

   Replace x.x.x.x with the internal IP address of the web server to which
   OpenVPN will forward non-VPN traffic.
If an OpenVPN client is pointed to the public address it will connect to the VPN, while a web browser connecting to the same IP address will be connected to the web server. Because OpenVPN proxies those browser connections itself, the web server sees them arriving from the firewall's internal address rather than from the real client, so its access logs and any IP-based access rules on it must take that into account.
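Why the two kinds of client can be told apart on one port, as an added example that is neither pfSense nor OpenVPN project code: OpenVPN over TCP frames each packet with a 2-byte big-endian length, and a client's first packet is a small hard reset (opcode 7, shifted into the top bits of the third byte), so a VPN client stream starts 0x00, a length of at least 14, 0x38, while a browser's TLS ClientHello starts 0x16 and a plaintext HTTP request starts with an ASCII verb. The classifier below is modeled on the first-bytes check in OpenVPN's ssl.c (is_openvpn_protocol), simplified to the V2 hard reset that plain, tls-auth and tls-crypt clients send; the sample streams, the hostname and the three-way "undecided" result are this example's own constructions.

```python
# Added example, not pfSense or OpenVPN project code. Models the first-bytes
# test OpenVPN applies to a new TCP connection when port-share is configured,
# simplified to the V2 client hard reset. All sample inputs are constructed.

P_OPCODE_SHIFT = 3
P_CONTROL_HARD_RESET_CLIENT_V2 = 7  # opcode of a client's first control packet
MIN_HARD_RESET_LEN = 14  # opcode(1) + session id(8) + ack count(1) + packet id(4)
RESET_OPCODE_BYTE = P_CONTROL_HARD_RESET_CLIENT_V2 << P_OPCODE_SHIFT  # 0x38, key id 0


def classify(prefix: bytes) -> str:
    """Decide where a TCP stream arriving on the shared port should go.

    Returns "openvpn" (handled by the OpenVPN server itself), "port-share"
    (proxied unchanged to the port-share host:port), or "undecided" when fewer
    than three bytes have arrived and they are still consistent with OpenVPN,
    meaning the caller should read more before deciding.
    """
    if len(prefix) >= 3:
        is_vpn = (prefix[0] == 0                      # length high byte: small packet
                  and prefix[1] >= MIN_HARD_RESET_LEN  # at least a minimal hard reset
                  and prefix[2] == RESET_OPCODE_BYTE)  # hard reset opcode, key id 0
        return "openvpn" if is_vpn else "port-share"
    if len(prefix) == 2:
        ok = prefix[0] == 0 and prefix[1] >= MIN_HARD_RESET_LEN
    elif len(prefix) == 1:
        ok = prefix[0] == 0
    else:
        ok = True
    return "undecided" if ok else "port-share"


def hard_reset_prefix(session_id: bytes = bytes.fromhex("0123456789abcdef")) -> bytes:
    """Build the TCP-framed start of a client hard reset (constructed sample)."""
    body = (bytes([RESET_OPCODE_BYTE])  # opcode 7 << 3, key id 0
            + session_id                # 8-byte client session id
            + b"\x00"                   # zero acknowledged packet ids
            + b"\x00\x00\x00\x00")      # packet id 0
    return len(body).to_bytes(2, "big") + body  # 2-byte length framing


# Constructed sample streams: what the first bytes on TCP/443 can look like.
OPENVPN_CLIENT = hard_reset_prefix()
# TLS 1.2 record header followed by the start of a ClientHello, as a browser sends.
TLS_CLIENT_HELLO = bytes.fromhex("16 03 01 00 f5 01 00 00 f1 03 03")
# A plaintext request, e.g. a client mistakenly using http:// on port 443.
HTTP_GET = b"GET / HTTP/1.1\r\nHost: vpn.example.com\r\n\r\n"
# Starts like OpenVPN but claims a packet too short to be a hard reset.
BOGUS_SHORT = b"\x00\x05\x38"


def demo() -> dict:
    """Classify each sample; returns {name: verdict}."""
    samples = [("openvpn client", OPENVPN_CLIENT),
               ("tls clienthello", TLS_CLIENT_HELLO),
               ("http get", HTTP_GET),
               ("bogus short", BOGUS_SHORT),
               ("partial 00", b"\x00"),
               ("partial 16", b"\x16")]
    return {name: classify(data) for name, data in samples}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} -> {verdict}")
```

Two practical consequences follow from the check being made on unauthenticated first bytes. First, the web server behind port-share sees every proxied connection coming from the OpenVPN host; OpenVPN's port-share accepts an optional third argument, a directory, in which it records the original client address for each proxied connection if the web server needs that mapping. Second, clients using tls-crypt-v2 send a different, larger first packet (a V3 hard reset carrying the wrapped client key), and whether a given OpenVPN release's port-share recognizes it is something to test before relying on it.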