Change OpenVPN port?

Comments

  • Firewalla

    Andy, we will log an issue for this. To be clear, you are on your phone trying to VPN through the provider network, and they block it.

    0
  • Firewalla

    Andy, on second thought, there may be a simpler way to do this. You can use the router's port forwarding to redirect to Firewalla. That is, map port 443 on the router to port 1194 on Firewalla.

    0
  • Andy Taylor

    That’s correct, I’ll try your suggestion thanks!

    0
  • Andy Taylor

    Didn’t work! I think the issue is that the OpenVPN profile uses 1194 and that is blocked on the router.

    0
  • Firewalla

    Andy, you are right. Until we have a better solution, you may need to edit the profile to change the port to the one that is opened by the router.

    0
  • Andy Taylor

    Thanks, how do I edit the profile? Not really used OpenVPN before. Is there specific software I can use?

    0
  • Firewalla

    Andy, to do this on iOS:

    1. When you export the VPN profile, save it to iCloud or somewhere.

    2. Then use a text editor to open the file. You will find "1194" on the third line. Change that to the port you want, say 443.

    3. Save the file.

    4. Open that file and import it into OpenVPN.

    --

    On your router, you will need to port forward 443 to Firewalla:1194

     

    1
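The profile edit described in the steps above, as an added example that is not part of the original thread or Firewalla's own tooling: it rewrites only real `remote` directives and skips inline blocks such as `<ca>`, so a blind search-and-replace of "1194" cannot damage embedded key material. The function name and the sample profile are constructed for illustration.

```python
import re

# Constructed sample profile; the host name and inline block are placeholders,
# not a real Firewalla export.
SAMPLE_PROFILE = """\
client
dev tun
remote vpn.example.net 1194
proto udp
resolv-retry infinite
<ca>
remote 1194 (text inside an inline block must stay untouched)
</ca>
"""

def retarget_profile(text, new_port):
    """Point every `remote` directive at new_port; return (new_text, lines_changed)."""
    if not 1 <= new_port <= 65535:
        raise ValueError("port must be 1-65535")
    out, changed, inline_tag = [], 0, None
    for line in text.splitlines():
        stripped = line.strip()
        if inline_tag:                      # inside <ca>, <cert>, <key>, ...
            if stripped == f"</{inline_tag}>":
                inline_tag = None
            out.append(line)
            continue
        opened = re.fullmatch(r"<([\w-]+)>", stripped)
        if opened:                          # start of an inline block
            inline_tag = opened.group(1)
            out.append(line)
            continue
        parts = stripped.split()
        if len(parts) >= 2 and parts[0] == "remote":
            # Directive syntax: remote host [port] [proto]
            if len(parts) >= 3 and parts[2].isdigit():
                parts[2] = str(new_port)
            else:
                parts.insert(2, str(new_port))
            line = " ".join(parts)
            changed += 1
        out.append(line)
    return "\n".join(out) + "\n", changed
```

A return count of zero means the file held no `remote` line to change. The `proto` line is left alone on purpose, because the client's protocol has to match what the server is listening on.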
  • Andy Taylor

    Thanks for the info. I followed the steps and I still cannot get onto my home VPN on the Guest WiFi network I'm using. It works fine on my mobile phone data, but when I switch onto the WiFi, no luck. They must have some more advanced blocking tech going on here.

     

    0
  • Steven Peachey

    Revisiting this topic;

    I have tried various combinations of port changes but still unable to use VPN over a specific public wifi. Has anyone determined a way to bypass these "VPN blocks"?

    Thanks for your help!

    0
  • Firewalla

    If they are using a 'cheap' router, you can bypass it simply by changing the port. But so far, in the places in the US that block internet (we have seen it in libraries), the block is protocol based. The blocking router will dig deep into the packets and identify OpenVPN (it is not a hard thing to do).

    The only way that sort of works is running protocols that mimic HTTPS, which works most of the time. If there is enough demand for this, we may build one; it will very likely be a paid feature.

    0
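Why a port change does not get past protocol-based blocking, as an added example (not part of the original thread, and not Firewalla's or any vendor's detection code): an OpenVPN session opens with a hard-reset control packet whose first byte carries a fixed opcode, and the check below never looks at the port number. The function names and sample payloads are constructed for illustration; the opcode values and the TCP length prefix come from OpenVPN's wire format.

```python
import struct

# Opcodes (top 5 bits of the first byte) from OpenVPN's wire format.
CLIENT_RESET = {7: "P_CONTROL_HARD_RESET_CLIENT_V2",
                10: "P_CONTROL_HARD_RESET_CLIENT_V3"}
SERVER_RESET = 8  # P_CONTROL_HARD_RESET_SERVER_V2
MIN_LEN = 14      # opcode byte + 8-byte session id + ack count + 4-byte packet id

def _unframe(payload, transport):
    """Strip the 2-byte length prefix used in TCP mode; None if it cannot fit."""
    if transport == "udp":
        return payload
    if len(payload) < 2:
        return None
    (declared,) = struct.unpack("!H", payload[:2])
    if declared > len(payload) - 2:
        return None
    return payload[2:2 + declared]

def _opcode(payload, transport):
    pkt = _unframe(payload, transport)
    # The key id (low 3 bits) is 0 when a session starts.
    if pkt is None or len(pkt) < MIN_LEN or pkt[0] & 0x07 != 0:
        return None
    return pkt[0] >> 3

def classify_first_payload(payload, transport):
    """Name the session-opening opcode in a client's first payload, or None."""
    return CLIENT_RESET.get(_opcode(payload, transport))

def is_openvpn_handshake(client_first, server_first, transport):
    """Also require the server's reset reply, which cuts false positives on UDP."""
    return (classify_first_payload(client_first, transport) is not None
            and _opcode(server_first, transport) == SERVER_RESET)

# Constructed sample payloads (arbitrary session ids, not captured traffic).
_SID = bytes(range(1, 9))
UDP_CLIENT_RESET = bytes([7 << 3]) + _SID + b"\x00" + bytes(4)
TCP_CLIENT_RESET = struct.pack("!H", len(UDP_CLIENT_RESET)) + UDP_CLIENT_RESET
UDP_SERVER_RESET = (bytes([8 << 3]) + bytes(range(9, 17)) + b"\x01"
                    + bytes(4) + _SID + bytes(4))
TLS_CLIENT_HELLO = bytes.fromhex("16030100c6010000c20303") + bytes(192)
```

The same function flags the session in UDP mode and in TCP mode, while a TLS ClientHello to the same port is left alone.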
  • Adam Badzioch

    Am I to assume Firewalla blocks OpenVPNs in and out of a router? I have a 15-year-old who likes to try and bypass parental controls with open VPNs on the home network.

    0
  • Travis

    Not sure if OP is still having an issue, but it's probably because the network they are connecting to is blocking UDP to 443 and/or in general. If Firewalla could allow you to change the port and protocol for more restrictive networks, that would be awesome. So like we'd be able to set the port to 443 and TCP and it should go through. Unless they are using deep packet inspection, but that's still unlikely to block a VPN unless the network requires a proxy and will only allow 443 out through the proxy.

    0
  • Firewalla

    One manual way is to do this:

    1. On your router, port forward 443 to 1194 on Firewalla.

    2. Change the .ovpn file generated by Firewalla to point to 443.

    This will allow you to use any port on the router.

    0
  • Travis

    Doesn't help because the traffic is still UDP which 99% of the time is blocked in restricted networks.

    0
  • Firewalla

    @travis, are we talking about incoming (VPN server running on Firewalla)? In this case, you should have full control, and UDP will operate better. (https://help.firewalla.com/hc/en-us/articles/115004274633-Firewalla-VPN-Server)

    The VPN client feature in Firewalla should rely on the configuration of the server side, so there should be no restrictions on TCP/UDP. https://help.firewalla.com/hc/en-us/articles/360023379953-VPN-Client-Beta-

     

    0
  • Travis

    Yes, I'm talking about running the built-in VPN server on the Firewalla. And yes, UDP is a better protocol for VPN, BUT if the network you are connecting from is blocking UDP traffic, then the VPN on the Firewalla becomes useless. You won't be able to connect no matter what you do with port forwarding. A lot of hotel and guest WiFi networks only allow 443 and 80 for TCP traffic.

    0
  • Bob

    Why not just give users access to change the server side profile or simply allow us to change port (Shodan is scanning 1194 all day) and the protocol?

    0
  • Tommy M Webb

    Travis, that's nuts, who would block UDP traffic?  DNS uses UDP, VoIP uses UDP, NTP uses UDP,  and a slew of other necessary protocols use it.

    0
  • Brent Marquis

    Tommy, not all UDP traffic.
    It seems quite common to block most ports+protocols except known necessary ports.
    In my case, we can only use TCP80 and TCP443. UDP443 is blocked, as HTTPS traffic doesn't use UDP.
    So trying to use an available port (443) also requires the use of TCP.

    Edit: the above talks about the source end (VPN client), not the destination network containing the Firewalla. OpenVPN in TCP mode on port 443 will get through those filters/blocks.

    I agree with the past posts - this really should be configurable in the Firewalla VPN server.

    0
  • Chris Hewitt

    Tommy, at work I block all sorts of UDP traffic. All the C2 traffic from bots and zombies call home with their beacon traffic over UDP. UDP traffic is a very common IOC.

    I too have a real need to change the VPN port from 1194 to something else.

    Will this feature be coming any time soon?

    0
  • Firewalla

    Ack, I just wrote a hate mail to our VPN developer. If he doesn't build that in the next release, I am going to personally trash his desk!

    0
  • Chris Hewitt

    Wow - you’d do great on my team. I’ll even write the stories for that. You can put it in the backlog and groom it to the top!

    How’s that?!

    0
  • Firewalla

    ... your voice is heard ... thank you for pushing ...  And ... in reality, I can't get to his desk, our office is locked up and we are all working from home now :(

    0
  • Brent Marquis

    I received an update for the Beta app today, with the ability to change VPN protocol and port!
    Awesome stuff, thanks team!

    0
  • Firewalla

    Please thank our developers, they take your suggestions ... very seriously ...  

    0
  • JD Legg

    I have a Gold, and am enrolled in Beta, and cannot find this VPN protocol/port change location in the app. If it is only on the command line, it would be awesome if you could post an example. I am attempting to connect out a TCP Proxy at work to my system at my house. The UDP port is blocked and seems to be the same issue that was mentioned above by Chris and Brent.

    Thanks in advance,

    Jeff

    0
  • Firewalla

    What is the app version you are using? I know this function is only on the beta apps.

    0
  • JD Legg

    The app is 1.39 (18), and when I am on my Gold it says beta. I joined both the Box Beta Program and the App Beta Program and went through TestFlight. Thanks for the fast response.

    0
  • Travis

    Confirmed on Android app 3.4.29 (449) and Gold device version 1.97 (g935b49da). Thank you for adding this.

    0