Setting Up Openvpn sTunnel on TCP port 443

Hello everyone,

I have a nano pi r4s running the November 2023 stable release.

I am trying to create a backup VPN on my home Internet that runs on tcp port 443. The reason for this is, I have a Google One VPN I use in most cases to secure my traffic and am happy with that.

However, I've run into several APs where my Google one VPN does not work. I am aware of the potential problems related to running a VPN on TCP. This is a fall back for when my main VPN solution does not work.

To work around this, I successfully set up an openvpn server on my setup using the great guide here https://openwrt.org/docs/guide-user/services/vpn/openvpn/server

And initially set up the VPN server on udp port 443 with connection success. Upon changing it to tcp port 443 however, I was unable to connect.

I believe the reason for this has to be because of LuCI's uhttpd running on 443.

My questions are

  1. What's the procedure for enabling port-share so I can use both services over tcp 443?
  2. What's the best way of wrapping in sTunnel for the VPN?

Any assistance is much appreciated, I'm a dilettante for some of the intermediate CLI configurations.

I can't speak to the larger question, but in terms of trying things, you can either change the ports used by uhttpd:

https://openwrt.org/docs/guide-user/luci/luci.essentials#alternative_ports

Or use the SSH tunnel approach to securing LuCI, so you don't bother with HTTPS at all:

https://openwrt.org/docs/guide-user/luci/luci.secure#tunneling_luci_http_protocol_through_ssh
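As an added example (not from the thread or from the OpenWrt docs linked above), this is what the two pieces look like in config form: uhttpd moved off 443, and OpenVPN's own `port-share` directive (the option the original question asks about) handing non-VPN TCP traffic on 443 over to uhttpd. The 8443 port and the `/etc/openvpn/server.conf` path are assumptions; `port-share` only works with `proto tcp-server`.

```conf
# /etc/config/uhttpd  (assumed: only the listen lines shown, rest unchanged)
# LuCI keeps HTTP on 80 and HTTPS moves to 8443 so TCP 443 is free for OpenVPN
config uhttpd 'main'
	list listen_http '0.0.0.0:80'
	list listen_http '[::]:80'
	list listen_https '0.0.0.0:8443'
	list listen_https '[::]:8443'
	option redirect_https '1'

# /etc/openvpn/server.conf  (assumed path; only the port-related lines shown)
# OpenVPN owns TCP 443. port-share requires the TCP server mode below.
proto tcp-server
port 443
dev tun
# A client that connects to 443 but does not speak OpenVPN is proxied to
# uhttpd on 8443, so a browser hitting https://router:443 still gets LuCI.
port-share 127.0.0.1 8443
```

Restart both services afterwards (`/etc/init.d/uhttpd restart` and `/etc/init.d/openvpn restart`). One caveat worth checking before enabling `port-share`: the hand-off happens inside OpenVPN after the firewall has already accepted TCP 443 from the WAN, so with this line LuCI's login page becomes reachable from the Internet through OpenVPN's listener even though uhttpd itself is not exposed. If the only goal is to free up 443 for the VPN, leave `port-share` out and just move uhttpd.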

Why do you want to use tcp port 443 for the OpenVPN server?

Are other ports blocked by your VPN provider?

Apologies if it wasn't clear.
I go to a corporate gym and a few other places that block my regular VPN (google one vpn) from operating when I am on their wifi.
I want to set up a secondary VPN at my home that runs a VPN server that will allow me to connect over port 443 using TCP using openvpn.

I've already set up the VPN server on my home router but it is set to UDP instead of TCP. Switching the port to TCP prevents me from connecting. UDP on 443 works fine.

I am aware of the consequences of running a VPN over TCP and am OK with this.
Does that make sense?

That makes sense.

Have you tested if port 443 UDP is also blocked?
If it is and you really need to use TCP port 443, then move uhttpd to port 8443 as already pointed out by @ahuman :
https://openwrt.org/docs/guide-user/luci/luci.essentials#alternative_ports


I have done this in the past, but only between two OpenWrt routers. In fact, I also run OpenVPN on port 443 and 1194 (both UDP and TCP) such that I will usually be able to connect even if some ports are blocked at my 'current' location. I have the ability to connect via 'raw' OpenVPN or encapsulated with stunnel or shadowsocks. This is to help avoid problems that might occur should a firewall be set such that it blocks traffic via DPI rather than simple ports.

That said, I don't believe that there is a way to encapsulate OpenVPN into anything else on a mobile phone (at least on iOS). So really, you may just want to use the TCP443 option and hope that works without the need for further encapsulation.

While my configs are hopefully still valid, I haven't really exercised them in a long time since I now use WireGuard whenever possible, and I haven't needed to try the stunnel/shadowsocks encapsulated OpenVPN in a long time.

On one of the APs I'm trying this on, UDP 443 is indeed blocked. But if I try and connect over, say, my mobile network, it will connect, so I know at least my setup works.

I'll adjust the uhttpd port to the one you suggested and report back.

Thank you!

Thanks, can you advise how you tell OpenVPN to use a primary and secondary port? Is it just a matter of adding a comma between the port numbers?

No...

There are two ways to do this:

  1. Two instances of OpenVPN -- one for each port.

or

  2. Use port forwarding on the router... this is kind of a hack, but it does work.
  • Open the initial port via normal traffic rules
  • Create a port forward for the second port -- for example, accept TCP port 1194 from the wan zone and forward it to LAN zone port 443 at address 192.168.1.1 (or whatever the router's LAN address is).

You'll still need to make sure you turn off or re-assign the port for https.
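Both options from the post above, written out as OpenWrt UCI fragments. This is an added example, not configuration from the thread or from OpenWrt's docs; the instance names, the `/etc/openvpn/*.conf` paths and the tunnel subnets are assumptions, and 192.168.1.1 is used only because the post does.

```conf
# Option 1: two OpenVPN instances, one per public port.
# /etc/config/openvpn  (assumed section names and config paths)
config openvpn 'server_tcp443'
	option enabled '1'
	option config '/etc/openvpn/server_tcp443.conf'

config openvpn 'server_tcp1194'
	option enabled '1'
	option config '/etc/openvpn/server_tcp1194.conf'

# The two .conf files can be identical apart from these lines: each instance
# needs its own port, its own tun device and its own tunnel subnet, otherwise
# the second one fails to start (assumed subnets 10.8.0.0/24 and 10.8.1.0/24).
#   server_tcp443.conf : port 443   / dev tun0 / server 10.8.0.0 255.255.255.0
#   server_tcp1194.conf: port 1194  / dev tun1 / server 10.8.1.0 255.255.255.0
# Both ports then need an ACCEPT rule from wan like the one below.

# Option 2: one instance on 443, second public port via DNAT (the "hack").
# /etc/config/firewall
# "Open the initial port via normal traffic rules":
config rule
	option name 'Allow-OpenVPN-TCP443'
	option src 'wan'
	option proto 'tcp'
	option dest_port '443'
	option target 'ACCEPT'

# "Create a port forward for the second port": TCP 1194 arriving on wan is
# rewritten to the router's own LAN address on 443, so after DNAT it hits the
# same OpenVPN listener and is accepted by the rule above (dport is now 443).
config redirect
	option name 'OpenVPN-TCP1194-to-443'
	option src 'wan'
	option proto 'tcp'
	option src_dport '1194'
	option dest 'lan'
	option dest_ip '192.168.1.1'
	option dest_port '443'
	option target 'DNAT'
```

Apply with `/etc/init.d/firewall restart` (and `/etc/init.d/openvpn restart` for option 1), then confirm from outside the LAN that both ports answer. Note that with option 2 a client connecting to 1194 still ends up on the single 443 instance, so it shares that instance's tunnel subnet and client limits; option 1 keeps the two fully independent at the cost of a second process.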


Follow up for the group.
I got the VPN to work on TCP port 443. Unfortunately, when connecting over the gym's wifi, it gets blocked. I can confirm it does connect when I try over, say, mobile data.

I'm going to try shadowsocks and softether next. Mostly because I enjoy the tinkering challenge. I will see how far I get.

Is this a gym or a prison? :laughing:

Have you tried wireguard? Likely also blocked, but you can put that on any udp port (unless they outright block udp).


Hell if I know brother. I'll give WireGuard a go too. Thanks for the tip.

To circumvent DPI, OpenVPN has scramble options; these are used to dodge firewalls, but it is something you have to implement yourself, see:

There are also these kinds of options for WireGuard