Sharing a Port with OpenVPN and a Web Server

To be extra sneaky (or careful) with an OpenVPN server, take advantage of the port-share capability in OpenVPN. When OpenVPN runs over TCP, port-share lets it inspect the first bytes of each incoming connection and hand any connection that does not speak the OpenVPN protocol to another IP address behind the firewall, while OpenVPN clients are served normally.

The usual use case for this is to run the OpenVPN server on TCP port 443 and let OpenVPN hand off HTTPS connections from browsers to an internal web server, in place of a port forward for that web server.

Warning

Port sharing requires running OpenVPN over TCP rather than UDP, which is likely to reduce VPN performance: TCP sessions carried inside the tunnel then retransmit on top of the tunnel's own TCP retransmissions.

Locked-down networks frequently only allow traffic outbound to common ports such as 80 and 443 for security reasons. Running OpenVPN instances on these allowed ports can help users reach the VPN from restricted networks.

Note

Port sharing is only necessary if these two services must share the same IP address and port. If the firewall has multiple public IP addresses available, or if there is no public HTTPS web server at all, then running OpenVPN on TCP port 443 directly, without port sharing, is the better practice and gives the same net effect.

To configure port sharing:

  • Move the firewall GUI from port 443 to an alternate port such as 4433

  • Configure an OpenVPN server to listen on TCP port 443

  • Add a firewall rule to pass TCP traffic to the WAN IP address or VIP used for OpenVPN on port 443

  • Add the following to the Custom options of the OpenVPN instance:

    port-share x.x.x.x 443;
    

    Replace x.x.x.x with the internal IP address of the web server to which OpenVPN will forward non-VPN traffic. The web server must itself be listening for HTTPS on port 443 with its own certificate, because OpenVPN relays the bytes as-is and does not terminate TLS on the web server's behalf.

If an OpenVPN client is pointed to the public address it will connect to the VPN, while a web browser connecting to the same IP address and port will reach the web server. Because port-share proxies the connection rather than forwarding it, the web server sees the firewall's internal address as the source, so its access logs will not show the real client address.
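The following is an added example, not code from pfSense or OpenVPN, that models how a port-shared listener tells the two kinds of connection apart. OpenVPN over TCP prefixes every packet with a 2-byte big-endian length, and a new session always opens with a client hard-reset control packet whose first payload byte carries a fixed opcode; a TLS ClientHello from a browser starts with record type 0x16 and version 0x03 instead. The opcode numbers and shift below follow OpenVPN's wire format, but the classifier, the sample first-reads and the 192.0.2.10 web server address are constructed for this illustration and the minimum-length threshold is a simplifying assumption.

```python
import struct

# OpenVPN wire-format constants: the opcode occupies the top 5 bits of the
# first payload byte, the key id the low 3 bits (key id 0 on a fresh session).
P_OPCODE_SHIFT = 3
P_CONTROL_HARD_RESET_CLIENT_V2 = 7
P_CONTROL_HARD_RESET_CLIENT_V3 = 10

# Assumed minimum size of a client hard reset without tls-auth:
# opcode/key-id (1) + session id (8) + acked packet-id count (1)
# + message packet id (4) = 14 bytes.
MIN_HARD_RESET_LEN = 14

OPENVPN, OTHER, UNDECIDED = "openvpn", "other", "undecided"


def classify_first_bytes(data: bytes) -> str:
    """Decide from the first bytes read on a TCP connection whether it is OpenVPN.

    Returns UNDECIDED when fewer than 3 bytes are available, so a real proxy
    would keep reading before committing to a verdict.
    """
    if len(data) < 2:
        return UNDECIDED
    pkt_len = struct.unpack("!H", data[:2])[0]
    # A first packet is short (< 256 bytes) but never shorter than a hard reset.
    # Anything else (0x16 for TLS, ASCII for plain HTTP) is not OpenVPN.
    if data[0] != 0 or pkt_len < MIN_HARD_RESET_LEN:
        return OTHER
    if len(data) < 3:
        return UNDECIDED
    expected = {
        P_CONTROL_HARD_RESET_CLIENT_V2 << P_OPCODE_SHIFT,  # 0x38
        P_CONTROL_HARD_RESET_CLIENT_V3 << P_OPCODE_SHIFT,  # 0x50
    }
    return OPENVPN if data[2] in expected else OTHER


def build_client_hard_reset(session_id: bytes, version: int = 2) -> bytes:
    """Construct the first TCP bytes an OpenVPN client sends (no tls-auth)."""
    opcode = {2: P_CONTROL_HARD_RESET_CLIENT_V2,
              3: P_CONTROL_HARD_RESET_CLIENT_V3}[version]
    key_id = 0
    payload = (
        bytes([(opcode << P_OPCODE_SHIFT) | key_id])
        + session_id                 # 8 client-chosen session id bytes
        + b"\x00"                    # no acknowledged packet ids yet
        + struct.pack("!I", 0)       # message packet id 0
    )
    return struct.pack("!H", len(payload)) + payload


def dispatch(data: bytes, web_server=("192.0.2.10", 443)):
    """Return where a port-shared listener sends this connection.

    Mirrors the setup on this page: OpenVPN owns TCP 443 and relays every
    non-OpenVPN connection to `port-share <web_server> 443`.
    """
    verdict = classify_first_bytes(data)
    if verdict == OPENVPN:
        return ("openvpn", None)
    if verdict == OTHER:
        return ("proxy", web_server)
    return ("wait", None)


# Constructed sample first-reads (not captured traffic).
OPENVPN_HELLO = build_client_hard_reset(bytes.fromhex("0011223344556677"))
# Truncated TLS 1.0 record header + ClientHello handshake header.
TLS_CLIENT_HELLO = bytes.fromhex("16030101fc010001f80303") + b"\x00" * 32
PLAIN_HTTP = b"GET / HTTP/1.1\r\nHost: vpn.example.com\r\n\r\n"
SHORT_READ = b"\x00"

if __name__ == "__main__":
    for name, sample in [("openvpn", OPENVPN_HELLO), ("tls", TLS_CLIENT_HELLO),
                         ("http", PLAIN_HTTP), ("short", SHORT_READ)]:
        print(f"{name:8s} -> {dispatch(sample)}")
```

With tls-auth or tls-crypt enabled the hard reset grows (an HMAC and replay fields follow the session id), but the length prefix stays under 256 and the opcode byte is the same, so the classification is unchanged. The example also shows why a slow or single-byte first read must be treated as "wait" rather than being sent to the web server prematurely.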