OpenVPN and port 443

Hi everyone,
I watched this old video by Lawrence about how to set up a site-to-site OpenVPN on pfSense:

How To Setup A Peer to Peer / Site to Site VPN Using OpenVPN On pfSense

Since it can happen that port 1194 (among others) is blocked by firewalls, I was wondering if the VPN also works on port 443 by setting it in the “Server port” option in place of the default port 1194.

Lawrence uses the Shared key option in Server mode, but I read around that for a more secure tunnel you can go for the SSL/TLS mode instead. So, what are the pros and cons of one method over the other, apart from the Shared key one being way too simple to set up?
Is the Shared Key way still a reliable and safe way to set it up?


OpenVPN works on any port, just as any other protocol that is built on top of UDP or TCP does. The client just needs to know what that port is.

I’m running several RASs; the only time I had the occasion of the connection being blocked was where I think the UDP protocol was being blocked rather than the port (I wasn’t using 443 or 1194). You might want to have a RAS set up with TCP instead of UDP as a fallback.

From what I recall reading somewhere, I believe OpenVPN will deprecate shared key, so pfSense will eventually catch up to not using that form of authentication.

I don’t use it myself, so it’s not an issue, but having a shared key seemed to be a problem from the start: if I lose my phone, I then have to change all other certs. Using a CA I can issue certs per device and just revoke one if I lose any device, without affecting anyone else.

It’s not that difficult to set up the CA and issue certs; some trial and error will probably be involved, but it’s one time.

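To make the two points in this reply concrete (a static shared key versus a CA with per-device certificates and a CRL, and a client that tries UDP first and falls back to TCP on 443), here is an added example that is not from the thread, from Lawrence's video, or from pfSense. The three configs are constructed samples: the hostname vpn.example.com, the /etc/openvpn file paths and the device name "laptop" are placeholders, and the small audit function is this editor's own check, not an OpenVPN or pfSense feature. It uses only standard OpenVPN 2.x directives.

```python
"""Compare a static-key OpenVPN tunnel with a TLS/CA tunnel on port 443 and
audit the directives that matter for revocation and control-channel hardening.
Added example; the config text below is constructed, not taken from the thread."""
from typing import Dict, List, Tuple

# Constructed sample 1: the "Shared key" style tunnel (one secret for both ends).
SHARED_KEY_SERVER = """\
dev tun
proto udp
port 1194
ifconfig 10.8.0.1 10.8.0.2
secret /etc/openvpn/static.key     # placeholder path
cipher AES-256-GCM
"""

# Constructed sample 2: TLS mode server listening on 443/tcp, per-device certs
# signed by a CA, a CRL so a lost device can be revoked, and tls-crypt so the
# control channel is authenticated before the TLS handshake even starts.
TLS_SERVER = """\
dev tun
proto tcp-server
port 443
tls-server
ca /etc/openvpn/ca.crt             # placeholder paths
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh none
tls-crypt /etc/openvpn/tc.key
crl-verify /etc/openvpn/crl.pem
remote-cert-tls client
server 10.8.0.0 255.255.255.0
cipher AES-256-GCM
"""

# Constructed sample 3: client that tries 443/udp first and, if that is
# blocked, falls through to 443/tcp. OpenVPN walks multiple "remote" lines
# in order when a connection attempt fails.
TLS_CLIENT = """\
client
dev tun
remote vpn.example.com 443 udp     # placeholder hostname
remote vpn.example.com 443 tcp
ca ca.crt
cert laptop.crt                    # one cert per device, revocable individually
key laptop.key
tls-crypt tc.key
remote-cert-tls server
cipher AES-256-GCM
"""


def parse(conf: str) -> List[Tuple[str, List[str]]]:
    """Split OpenVPN config text into (directive, args); drop comments and blanks.
    Inline <ca>...</ca> blocks are not handled since the samples reference files."""
    out = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        out.append((parts[0], parts[1:]))
    return out


def directives(conf: str) -> Dict[str, List[List[str]]]:
    """Map directive name -> list of argument lists (directives may repeat)."""
    d: Dict[str, List[List[str]]] = {}
    for name, args in parse(conf):
        d.setdefault(name, []).append(args)
    return d


def listen_endpoint(conf: str) -> Tuple[str, str]:
    """(port, proto) a server listens on; OpenVPN defaults are 1194/udp."""
    d = directives(conf)
    return d.get("port", [["1194"]])[0][0], d.get("proto", [["udp"]])[0][0]


def client_remotes(conf: str) -> List[Tuple[str, str, str]]:
    """Ordered (host, port, proto) list a client will try, applying defaults
    for remote lines that omit the port or protocol."""
    d = directives(conf)
    default_port, default_proto = listen_endpoint(conf)
    out = []
    for args in d.get("remote", []):
        port = args[1] if len(args) > 1 else default_port
        proto = args[2] if len(args) > 2 else default_proto
        out.append((args[0], port, proto))
    return out


def audit(conf: str) -> List[str]:
    """Return findings about identity, revocation and control-channel hardening."""
    d = directives(conf)
    findings: List[str] = []
    if "secret" in d:
        findings.append("static key: one shared secret for both ends, "
                        "no per-device identity and nothing to revoke")
        return findings
    server_side = "tls-server" in d or "server" in d
    client_side = "tls-client" in d or "client" in d
    if not (server_side or client_side):
        return ["neither static key nor TLS mode configured"]
    if "ca" not in d:
        findings.append("TLS mode without a CA: peer certificates cannot be verified")
    if server_side and "crl-verify" not in d:
        findings.append("server has no crl-verify: a revoked device cert is still accepted")
    if not any(k in d for k in ("tls-crypt", "tls-crypt-v2", "tls-auth")):
        findings.append("no tls-crypt/tls-auth: control channel is unauthenticated "
                        "before the TLS handshake")
    if "remote-cert-tls" not in d:
        findings.append("no remote-cert-tls: a client cert could be accepted as a server")
    return findings


if __name__ == "__main__":
    for name, conf in (("shared key", SHARED_KEY_SERVER), ("TLS server", TLS_SERVER),
                       ("TLS client", TLS_CLIENT)):
        print(f"{name}: {audit(conf) or 'no findings'}")
    print("server listens on", listen_endpoint(TLS_SERVER))
    print("client tries", client_remotes(TLS_CLIENT))
```

The thing to notice is what the CRL buys you: losing a device means revoking one cert and regenerating crl.pem, while the static-key setup forces a rekey of every peer. On pfSense the equivalent of these directives is the Server mode, TLS key, and certificate revocation list fields of the OpenVPN server page; the client's two remote lines are what give you the TCP fallback the reply above recommends.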

So I also need to switch to TCP under Protocol (Endpoint configuration) to make it work, right?

Ok, I think I understand what the problem with the shared key method is.

By the way, what is RAS?

No, not necessarily. Only if you think your clients will be on networks that block outgoing UDP.

It wouldn’t surprise me to learn that there are network admins who block UDP port 443 in their infinite “wisdom”, but I sure hope it’s not the norm (it has a legitimate use case in HTTP/3).

OpenVPN Remote Access Server

So, OpenVPN works properly on either 443/udp or 443/tcp. Correct?

I suppose so. I’ve never used it with TCP. And I’ve since moved everything to Wireguard.


Oh, ok, got it. Thanks.

Yeah, I like Wireguard too, but I think you need to know OpenVPN too, just in case.