Top10VPN is editorially independent. We may earn commissions if you buy a VPN via our links.

VPN Ports Explained

Updated Jul 18, 2024

JP Jones

JP Jones is our CTO. He has over 25 years of software engineering and networking experience, and oversees all technical aspects of our VPN testing process. Read full bio

Our Verdict

VPN ports are communication channels that enable the secure transfer of data between your device and a VPN server. Each VPN protocol uses a specific port number by default, although most protocols allow this port number to be changed by the VPN server operator. For example, OpenVPN typically uses port 443 for TCP and port 1194 for UDP, while WireGuard uses port 51820.

VPN ports function as the start and end points for your VPN connection, ensuring that your internet traffic remains secure and private as it travels between your device and the VPN server.

Different VPN protocols use different port numbers, and some VPN services allow you to customise the port you use, too. This allows you to control how your web traffic is organised and assigned as you browse the web.

A VPN can also help you by blocking open ports on your device, which can pose a security risk. Some VPNs also support port forwarding, which enables an external device to connect directly to an application on your device, bypassing your local firewall.

VPN ports can be a complex and often confusing subject, so we’ve created this guide to help explain exactly what VPN ports are and why they matter.

Why Trust Us?

We’re fully independent and have been reviewing VPNs since 2016. Our ratings are based on our own testing results and are unaffected by financial incentives. Learn who we are and how we test VPNs.

The Role of VPN Ports in Network Communication

A “VPN port” is the port your VPN uses to communicate with the VPN server. The port number will depend on which VPN protocol you’re using, which are the rules your VPN uses to create a secure tunnel to the VPN server.

Common protocols include WireGuard and OpenVPN (which uses either UDP or TCP as its communication protocol).

OpenVPN (UDP) uses port 1194, while OpenVPN (TCP) uses port 443. WireGuard uses port 51820. You can see a full list of VPN protocols and the ports they use below.

VPN ports might be allocated for other services as well as the VPN, and multiple protocols can share some ports. Port 443, for example, is used for both encrypted web traffic and VPN communications using WireGuard or OpenVPN (TCP).

The port used doesn’t affect how the VPN works. The OpenVPN (TCP) protocol can use port 443 (which is also used for secure web traffic) or port 80 (used for unencrypted web traffic). In either case, the VPN establishes a secure, encrypted tunnel with its server.

However, some VPN ports, like port 443, are less likely to be blocked by firewalls because they’re commonly used for other internet traffic (e.g. HTTPS).

EXPERT ADVICE: If your VPN port is blocked, the easiest way to change it is to choose a different protocol that uses a different port. Port 443 is almost never blocked because it’s used for all secure web traffic. Students have been able to bypass campus firewalls where OpenVPN UDP is blocked by switching to TCP on port 443.

Common VPN Port Numbers for Different Protocols

VPN protocols are designed to set up a secure connection with the server using an agreed port number. Here’s a table showing common VPN protocols and the ports they use by default:

VPN Protocol	Ports
OpenVPN	UDP port 1194 TCP port 1194, 443, or 80
WireGuard	UDP 51820
IKEv2/IPSec	UDP ports 500 and 4500
SoftEther	TCP ports 443, 992, and 5555 UDP port 1194
L2TP/IPSec	UDP ports 500 and 4500 TCP port 1701
SSTP	TCP port 443
PPTP	TCP port 1723

Are Some VPN Ports More Secure than Others?

VPN ports themselves are neither secure or insecure. The security comes from the software you’re using to create a VPN tunnel or exchange data. There is no encryption built into the virtual network ports, and there are no special features in the ports to support it.

For example, TCP port 443 is used for transferring encrypted web traffic (HTTPS) and can be used by OpenVPN, a secure and trustworthy protocol. However, if you use it with the SSTP protocol, there might be a backdoor in the software giving access to US intelligence.

That means you can use port 443 in a highly secure or potentially risky way, depending on your choice of VPN protocol.

Most websites today use HTTPS encryption for traffic, which travels through port 443. Unencrypted web pages go through port 80, so you might think that’s a risky port to use.

However, if you use OpenVPN (TCP) with port 80, it’s still secure. The VPN adds a secure encrypted tunnel for the server communications, even though port 80 is typically used for unencrypted communications.

The Security Implications of Open Ports

An open port is one that allows all incoming connections. In order for a connection to be successful, there needs to be an application listening for a connection on that port.

Open ports that are not well configured are a security risk. Attackers can use them to work out what services you are running and identify vulnerabilities. If it were misconfigured, for example, someone could probe port 161 to find out about a business’s network, including user names and attached hardware.

Port scanning is a technique used by security professionals and hackers for identifying open ports. It works by sending requests to the ports on a device to discover which ones are open.

Some ports are known to have vulnerabilities, so you should ensure they are not open unless you need them. Some can be attacked by using a program that tries passwords until it finds one that works (known as brute-forcing), by faking the origin of traffic, or using Distributed Denial of Service (DDoS) attacks.

In some cases, ports can be used by malware to communicate with its server, sending data and receiving instructions and code.

A good firewall or VPN will close any ports that don’t need to be open. A VPN will also add encryption to all traffic, protecting communications that do not have their own encryption.

Here’s a list of vulnerable ports:

Port Numbers	Used For
20 and 21	File Transfer Protocol (FTP), used for transferring files to and from a web server.
22	Secure Shell (SSH), used for managing a machine remotely.
23	Telnet, for remote machine access and control.
25	Simple Mail Transfer Protocol (SMTP) for email.
53	Domain name system (DNS) for finding website servers.
80, 443, 8080, 8443	HTTP and HTTPS web traffic.
137, 139, 445	Server Message Block (SMB), for sharing resources such as printers on a network.
161	Small Network Messaging Protocol.
1080	SOCKS proxies.
1433, 1434, 3306	SQL Server and MySQL databases.
3389	Remote desktop on Windows.
4444	Transport Control Protocol (TCP).
6660-6669	Internet Relay Chat (IRC).

What Are VPN Port Forwarding and NAT?

Network address translation (NAT) is the process that routes traffic between public and private IP addresses, so that data arriving at your router, for example, can be directed to the correct device on your local network.

Your router has a NAT firewall to block any unexpected traffic and keep your devices safe. It can be one of three NAT types: Open, Moderate, or Strict.

A strict NAT type is best for security, but it makes it harder for external devices to communicate with your devices, especially on peer-to-peer connections.

Port forwarding is a process where you manually open a port and assign it to certain types of network traffic. It speeds up some applications, such as torrenting and gaming, and enables torrents to be seeded.

Port forwarding allows devices on the internet to access specific devices within your local area network.

If port forwarding is provided through your VPN software, it will be port forwarding from the public IP address of the VPN server you’re connected to, to a port on your local device.

There are security risks, though: port forwarding bypasses the NAT firewall, which protects you from malicious internet traffic. It can also cause IP leaks when torrenting with a VPN, which means your real identity could be exposed.

Because of these risks, few VPNs allow port forwarding. Out of the 61 VPNs we’ve reviewed, only 12 currently support it. AirVPN has the best customization options, but Private Internet Access is our highest-rated VPN with port forwarding.

Best Practices for VPN Port Forwarding

Your VPN will close all the ports that it doesn’t need for its secure VPN tunnel. That helps to ensure that no traffic leaks and your device is safe from external threats.

However, if you use port forwarding, you will bypass your VPN’s firewall, and open up an external port. This may expose you to some of the security risks we mentioned above.

To minimise your risk:

Use a reputable VPN. The port fail vulnerability was identified in 2015 and enables someone to discover the true IP address of somebody with port forwarding enabled. Although the attack is somewhat elaborate and uncommon, reputable VPNs quickly protected against it.
Limit your exposure. Only open the ports required for your gaming, torrenting, or other applications. Close them when you’ve finished.
Use strong passwords. Protect your game servers and other software with strong passwords that you regularly change. This helps to protect against brute-force attacks.
Patch. Update your software regularly to remove known security vulnerabilities.
Keep it secret. Don’t share your public IP address or open port number in public forums.
Protect your anonymity. Port forwarding requires a static IP address, which is a privacy vulnerability when combined with an open port number. Change the port you’re forwarding regularly, and use a private payment method to protect your identity. Private Internet Access automatically selects a random port for you, to help protect your privacy.

VPN Port Blocking & Bypassing

Because VPNs encrypt your traffic, they make it very difficult for your ISP or network administrator to see what you’re doing. This means it’s much harder for them to block websites, throttle torrenting activity, or prevent other bulk downloads.

For this reason, ISPs and network administrators sometimes ban VPNs by blocking all traffic on the ports they use. For example, the firewall could stop OpenVPN (UDP) traffic by not allowing connections on port 1194.

One way to get around this is to use port 443. It’s the same port as the one used for encrypted (HTTPS) web traffic, so it’s impossible to block it without breaking almost all internet access.
Not all VPN protocols support port 443, so you might need to change your protocol. You can use port 443 with OpenVPN (TCP), SoftEther, and SSTP (although we don’t recommend SSTP).

Some VPNs also support port 80, which is normally used for unencrypted web traffic. Again, blocking this would interfere with web traffic. OpenVPN (TCP) can use port 80 and the VPN has its own encryption, so it’s safe.

If you’re in a country with strict VPN controls, changing your port won’t be enough to use a VPN safely. Deep packet inspection can be used to identify that you’re using a VPN, even though your traffic remains encrypted.

Some VPNs also have additional ‘obfuscation’ features to disguise your traffic and make it harder for authorities to see you’re using a VPN.

FAQs

What Is the Default Port for a VPN?

Your VPN’s default port depends on the VPN protocol you’re using. For OpenVPN UDP, it’s 1194. For OpenVPN (TCP) it’s 1194 or 443. WireGuard uses port 51820. Protocols using IPSec use ports 500 and 4500. Other defaults are 443, 992 and 5555 (SoftEther), 1701 (L2TP), and 1723 (PPTP).

Can I Change the Port My VPN Uses?

The easiest way to change the port your VPN uses is to choose a different protocol. If WireGuard is blocked on your network, try OpenVPN (TCP) on port 443. Port 443 is almost never blocked, because it is used for ecommerce, banking, and all HTTPS-encrypted web pages.

Do I Need to Know about VPN Ports as a Regular VPN User?

Your VPN will almost always take care of ports for you. If you experience a problem because a particular port is blocked, you may be able to fix it by choosing a different protocol that uses port 443, such as OpenVPN (TCP).