Dec 2, 2017

Choose a VPN port

If you don't want your VPN traffic to stand out either to an admin casually seeing it as they are troubleshooting something, or, more importantly, to network monitoring scripts and utilities that show admins pretty graphs of what their network is doing, choose your port accordingly.

UDP Ports:

If circumventing a firewall block is not necessary, or the firewall is open on one or more of these UDP ports, UDP is recommended over TCP. There will be a substantial difference in performance all around, especially for SIP/VoIP. TCP ports should only be used if trying to stay under the radar of your local admin/ISP and/or getting out past a restrictive firewall that blocks the UDP ports.

TCP Ports:

TCP port 443 can pass through nearly any firewall, but it is slower than a UDP port will be. It is often the best choice anyway, because many public Wi-Fi networks do not allow UDP 1194.

And you need a VPN most when you are using public Wi-Fi.

Network utilities will record and graph traffic according to the port it is passing over. In addition, because the traffic is encrypted and the port is known to carry encrypted traffic, they can't identify it by anything but port. But there are things to consider if you want to blend in.

For example, an admin may get curious enough over a connection to a single https website (port 443) that lasts all day and/or sends enough traffic to be noticed on his graph to check into it, whereas seeing an all day connection with periodic bursts of traffic to imaps (port 993) is expected behavior and should blend right in (as long as imaps is allowed and used by more than just you). Encrypted moderate traffic over 5190 is expected. Video or data conferencing? Same thing, but heavier. If you want to look like you are just playing games, choose the gaming port.

Which port will it best blend in on? Is that port one that would be expected to be used? How many others will be using it for its legit purpose? These are all additional considerations for you if your goal is not to stick out to your local admin and his pretty network traffic graphs, threshold alarms, and other automated monitoring tools.
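Seen from the monitoring side, the per-port graphs and threshold alarms described above come down to comparing each flow against what is expected on its port. The following is an added example, not part of the original post: the flow records are constructed, and the per-port duration and volume limits are assumed values an admin would tune to their own baseline.

```python
from collections import defaultdict

# Constructed flow records: (src, dst, dst_port, proto, duration_s, bytes)
FLOWS = [
    ("10.0.0.21", "203.0.113.10", 443, "tcp", 40, 180_000),
    ("10.0.0.21", "203.0.113.11", 443, "tcp", 95, 2_400_000),
    ("10.0.0.34", "198.51.100.7", 443, "tcp", 30_600, 3_900_000_000),
    ("10.0.0.34", "198.51.100.7", 993, "tcp", 28_800, 6_000_000),
    ("10.0.0.52", "198.51.100.9", 993, "tcp", 27_000, 5_200_000_000),
    ("10.0.0.60", "192.0.2.44", 1194, "udp", 3_600, 900_000_000),
]

# Assumed expectations per port: (max session seconds, max bytes per src/dst pair)
PROFILE = {
    (443, "tcp"): (1_800, 500_000_000),    # HTTPS: many short sessions
    (993, "tcp"): (43_200, 200_000_000),   # IMAPS: all-day session, light traffic
}

def flag_flows(flows, profile=PROFILE):
    """Aggregate flows per (src, dst, port, proto) and return the pairs
    that exceed the profile for their port, or use a port with no profile."""
    totals = defaultdict(lambda: [0, 0])   # key -> [longest session, total bytes]
    for src, dst, port, proto, duration, nbytes in flows:
        entry = totals[(src, dst, port, proto)]
        entry[0] = max(entry[0], duration)
        entry[1] += nbytes

    alerts = []
    for (src, dst, port, proto), (duration, nbytes) in sorted(totals.items()):
        if (port, proto) not in profile:
            alerts.append((src, dst, port, "port not in profile"))
            continue
        max_duration, max_bytes = profile[(port, proto)]
        reasons = []
        if duration > max_duration:
            reasons.append("duration")
        if nbytes > max_bytes:
            reasons.append("volume")
        if reasons:
            alerts.append((src, dst, port, "+".join(reasons)))
    return alerts

if __name__ == "__main__":
    for alert in flag_flows(FLOWS):
        print(alert)
```

The all-day IMAPS session with light traffic passes, while the all-day 443 session, the heavy transfer on 993, and the port with no profile are all reported.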