
OpenVPN: Sharing a Port with a Web Server

Often on locked-down networks, only ports like 80 and 443 will be allowed out for security reasons, and running OpenVPN instances on these allowed ports can help you get out in situations where access may otherwise be restricted.

However, there may be cases where you already have a web server (e.g. Apache or Nginx) running on port 80 or 443 (SSL). Luckily, OpenVPN has the port-share option, which lets you share the OpenVPN port with another application, such as an HTTPS server.

The port-share option doesn't actually let you share the port, since two applications cannot really listen/bind on the same port. It works like a port forwarder or a proxy: you make your web server listen on a different port, and OpenVPN forwards all HTTP/HTTPS connections to your web server.

The OpenVPN port-share Manual Entry

--port-share host port

When run in TCP server mode, share the OpenVPN port with another application, such as an HTTPS server. If OpenVPN senses a connection to its port which is using a non-OpenVPN protocol, it will proxy the connection to the server at host:port. Currently only designed to work with HTTP/HTTPS, though it would be theoretically possible to extend to other protocols such as ssh.
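The "senses a non-OpenVPN protocol" decision described above can be sketched as a check on the first bytes of the TCP stream. This is an added example, not OpenVPN's own code: the function names, the 14 to 255 length bound, the 127.0.0.1 backend host and the sample packets are assumptions, and it only recognises the classic client hard-reset opcode (not tls-crypt-v2).

```python
# Added illustration: simplified first-packet check, NOT OpenVPN's actual code.
import struct

P_OPCODE_SHIFT = 3                      # opcode lives in the high 5 bits
P_CONTROL_HARD_RESET_CLIENT_V2 = 7      # first packet a client sends


def looks_like_openvpn(first_bytes: bytes) -> bool:
    """Return True if the start of a TCP stream resembles an OpenVPN client hello.

    In TCP mode every OpenVPN packet is preceded by a 2-byte big-endian length,
    followed by one byte holding the opcode (high 5 bits) and key id (low 3 bits).
    """
    if len(first_bytes) < 3:
        return False                    # simplification: need 3 bytes to decide
    (plen,) = struct.unpack("!H", first_bytes[:2])
    opcode = first_bytes[2] >> P_OPCODE_SHIFT
    # Assumed plausibility bound for the length of a hard-reset packet.
    return opcode == P_CONTROL_HARD_RESET_CLIENT_V2 and 14 <= plen <= 255


def route(first_bytes: bytes, web_backend=("127.0.0.1", 4545)):
    """Decide where the connection goes: the VPN itself or the port-share target."""
    if looks_like_openvpn(first_bytes):
        return ("openvpn", None)
    return ("proxy", web_backend)       # hypothetical backend: host assumed local


# Constructed sample inputs (not captured traffic).
SAMPLES = {
    "openvpn hard reset": bytes([0x00, 0x0E, 0x38]) + bytes(13),
    "tls client hello": bytes.fromhex("160301020001"),
    "plain http": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:20s} -> {route(data)}")
```

Because non-OpenVPN connections are proxied, the web server sees OpenVPN's address as the peer rather than the original client's, which matters when reading its access logs.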

How to make it work?

  1. First, we need to make our web server listen on a different port.

    On Apache, change the Listen line in your configuration file to: Listen 4545

    If you are using Nginx, change the listen line to: listen 4545;

  2. Now that port 443 is no longer used by your web server, OpenVPN can use that port. Any non-OpenVPN traffic that arrives on this port has to be forwarded to your web server by OpenVPN.

    To make OpenVPN listen on port 443 and have other connections forwarded to your web server, edit your configuration file and add these lines. port-share takes a host and a port; 127.0.0.1 here assumes the web server runs on the same machine as OpenVPN.
    proto tcp
    port 443
    port-share 127.0.0.1 4545
  3. That's it! You can now connect to your OpenVPN server on port 443 while still browsing your website as if it were also listening on port 443.