Openvpn n2n connection port below 1024

Hi everyone.

I want to set up a n2n openvpn connection. I’m following the documentation:

I used to work with IPFire with RW openvpn config in the past.

I’m surprised that in an n2n config, I cannot use a TCP destination port below 1024.
I get this error when I’m trying to do so:
“A port number of 1024 or higher is required.”

There is no such restriction for the openvpn server used for RW connection.

Is there any reason for that?

Maybe for security reasons? I think a process opening a port < 1024 requires root permission.

I understand the security reasons, but the OpenVPN server can listen on TCP port 443 when it is used for the road warrior use case. I’m curious to understand why this is not the case for the net-to-net use case. Is the VPN server launched as a non-root user in this case?

Should your n2n coexist with RW? In that case you cannot use the same port 443 for both. Reading the documentation, 443 is the fallback port for OpenVPN, therefore I imagine it binds to the port with root privilege, so my hypothesis is clearly wrong. Maybe OpenVPN makes an exception for port 443 as a way to reroute around firewalls, but otherwise it will require ports above 1024. The reason you cannot use port 443 for n2n, while you can use it for RW? Do you have both RW and n2n at the same time? Do you have another process binding port 443?

My understanding is that ports below 1024 are system ports related to the operating system, and so you should keep away from them, in case you select one for something that will later try to run and then fail because the port is already in use.

I suspect that the CGI Perl code for the n2n connection checks whether the selected port is a system port and prevents you from using it. I would expect the same for the RW connection, but the software check has not been included in that code.

I want to run both RW and n2n, indeed, but with different TCP ports. But even if I turn off the RW OpenVPN instance, I cannot have the n2n instance bind to TCP port 443.

@bonnietwin I think you’re right: the check is done for the n2n config, while it’s not done for the RW config. I’m not sure whether this is done on purpose, or if I need to report a bug.

Hi all,
we did that at first for both (RW and N2N) → git.ipfire.org Git - ipfire-2.x.git/blobdiff - html/cgi-bin/ovpnmain.cgi but after community wishes we decided to drop it for Roadwarriors, since it makes sense in some environments to have the possibility to use ports <= 1023, especially TCP 443, which is widely used in some cases.

Best,

Erik

4 Likes

Hi Erik,

I am a bit surprised to read this snippet of your post:

[…] we decided to drop it for Roadwarriors […]

Most probably, I just misunderstood you; I am running exactly this configuration (OpenVPN for a bunch of roadwarriors, listening on TCP port 443 due to some crappy hotel WiFi networks) for some years. However, no N2N connections are in place, these are all handled by IPsec in my setup.

Please confirm I just got you wrong. :slight_smile:

Thanks, and best regards,
Peter Müller

Hi Peter,
yes, this is a bit misunderstandable; I meant we dropped the check

       if ($cgiparams{'DDEST_PORT'} <= 1023) {
               $errormessage = $Lang::tr{'ovpn port in root range'};
               goto SETTINGS_ERROR;
       }

for Roadwarriors, but we left it for N2N connections. Your example was exactly a use case for why we dropped it for RWs at that time :wink:.

Best,

Erik

2 Likes
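As an added example (not IPFire's ovpnmain.cgi code, and not code posted by anyone in this thread), the following Python script does two things that come up in the posts above. It mirrors the range check Erik quoted, applied to N2N but not to RW, and it probes a real TCP bind so that "permission denied" (what a non-root process gets on a port below 1024) can be told apart from "address in use" (what happens when the RW instance or another daemon already owns port 443, which is the other explanation offered earlier in the thread). The function names, the `conn_type` values and the `main` demo are assumptions made for this example. One caveat for Linux hosts: the 1024 boundary is a kernel policy, not a hard rule, since a process holding CAP_NET_BIND_SERVICE can bind lower ports and the sysctl `net.ipv4.ip_unprivileged_port_start` can move the threshold; the constant below reflects the default.

```python
"""Classify why a TCP bind on a given port fails.

Added example, not IPFire's code. Tells apart EACCES (privileged port,
process lacks root / CAP_NET_BIND_SERVICE) from EADDRINUSE (another
daemon already owns the port), and mirrors the ovpnmain.cgi range
check that applies to N2N but was dropped for roadwarrior (RW) setups.
"""
import errno
import socket
from typing import Optional

# Ports 0-1023 are the "root range" on a default Linux kernel.
# Assumption: default net.ipv4.ip_unprivileged_port_start (1024).
PRIVILEGED_PORT_LIMIT = 1024


def is_privileged_port(port: int) -> bool:
    """True if binding this port normally needs root or CAP_NET_BIND_SERVICE."""
    return 0 <= port < PRIVILEGED_PORT_LIMIT


def validate_ovpn_port(port: int, conn_type: str) -> Optional[str]:
    """Return an error message or None.

    Mirrors the behaviour described in the thread: the N2N form rejects
    ports <= 1023 while the RW form does not.  conn_type is 'n2n' or 'rw'
    (names chosen for this example, not IPFire's identifiers).
    """
    if not 1 <= port <= 65535:
        return "port out of range"
    if conn_type == "n2n" and port <= 1023:
        # Same condition as the quoted Perl: DDEST_PORT <= 1023.
        return "A port number of 1024 or higher is required."
    return None


def probe_tcp_bind(port: int, host: str = "127.0.0.1") -> str:
    """Try to bind host:port and report 'ok', 'privileged', 'in_use' or 'error:<name>'.

    Note: run as root, a probe of 443 returns 'ok' even though the CGI
    would reject it for N2N; the two checks answer different questions.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((host, port))
        return "ok"
    except PermissionError:
        # EACCES: port below the unprivileged threshold, no capability.
        return "privileged"
    except OSError as e:
        if e.errno == errno.EADDRINUSE:
            # Some other socket (e.g. the RW OpenVPN instance) owns it.
            return "in_use"
        return "error:%s" % errno.errorcode.get(e.errno, e.errno)
    finally:
        s.close()


def demo_port_conflict() -> dict:
    """Constructed demonstration: hold an ephemeral port, probe it, release it, probe again."""
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    holder.bind(("127.0.0.1", 0))          # kernel picks a free high port
    port = holder.getsockname()[1]
    while_held = probe_tcp_bind(port)      # expected 'in_use'
    holder.close()
    after_release = probe_tcp_bind(port)   # expected 'ok' (tiny race window)
    return {"port": port, "while_held": while_held, "after_release": after_release}


if __name__ == "__main__":
    for p in (443, 1194):
        print("port %d: privileged=%s n2n_check=%r rw_check=%r bind=%s" % (
            p, is_privileged_port(p), validate_ovpn_port(p, "n2n"),
            validate_ovpn_port(p, "rw"), probe_tcp_bind(p)))
    print(demo_port_conflict())
```

Run it once as an unprivileged user and once as root: the bind result for 443 changes from `privileged` to `ok` (or `in_use` if an OpenVPN or web server already listens there), while the N2N form check rejects 443 in both cases. That is the distinction the thread arrives at: the web UI restriction is a policy in the CGI, not a consequence of which user the daemon runs as.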

Hi Erik,

I see, thank you.

BR,
Peter Müller