VPNs remain an essential security tool for businesses that need to transfer sensitive data over the web. When organizations implement remote access to a physical location or they need to publish an online service, they sometimes use a feature called port forwarding.
While some VPN vendors offer port forwarding as part of their solutions, others do not, citing privacy concerns. This article explains what port forwarding is, how it works, its benefits and drawbacks, and how businesses can use it best.
What is port forwarding?
Port forwarding is a networking technique that forwards traffic from one network node to another, allowing external devices or services to access computers on an internal private network.
Port forwarding requires manual configuration and assignment of a port to selected traffic, which is then relayed directly to the recipient through the configured port.
Note that port forwarding involves opening an additional port to the internet, which represents a potential point of entry for cyberattackers. Therefore, only use port forwarding when you are sure of what you are doing.
How does port forwarding work?
In a virtual private network (VPN), the router or VPN server controls traffic passing in and out of the secured environment, ensuring that legitimate traffic reaches the protected endpoints, but barring all other access to protect the network from online threats.
This is called network address translation (NAT), and the VPN gateway/router functions as a NAT firewall, deciding what traffic may pass in and out.
When port forwarding is enabled, the network router or VPN server directs traffic directly to a device on the internal network by opening up a specific port through which the traffic may pass.
You could say that port forwarding is a sort of exemption from the NAT rules, as configuring port forwarding allows the traffic to bypass the NAT.
3 types of port forwarding:
- Local port forwarding – Allows a local port to be forwarded to a remote host. This is used to access online services that are normally restricted.
- Remote port forwarding – Forwards a remote port to a local host. This is a common scenario, used in remote desktop access or hosting online services.
- Dynamic port forwarding – In dynamic port forwarding, the forwarded port is not configured in advance, but assigned dynamically when the connection is established.
What are the common use cases of port forwarding?
VPN port forwarding has several uses. Below are the two most relevant to business needs.
Remote desktop access
Port forwarding can establish a direct communication between a remote device and a local computer. This connection is very fast and allows the user to access systems as if they were physically present at the local device.
However, this scenario represents a major security risk, and should only be used with trusted and highly secure devices combined with appropriate security measures (such as IP whitelisting where only specified public IP addresses are allowed entry).
Hosting online services
Port forwarding can be used to direct internet traffic to a selected port on a client device that is hosting a public-facing service, such as a website, while the VPN is active.
In this scenario, port forwarding allows visitors from the internet to access a local host even though this host is shielded by the VPN.
What is a port?
In computer networking, a port (or port number) is a numerical identifier of an endpoint or service taking part in a connection. For example, the most common transport protocols, such as TCP and UDP, use port numbers.
A port number forms a tandem with the host’s IP address, and together they identify the connection, so that data is successfully routed from the sender to the recipient.
Certain port numbers are reserved for specific services as a general standard. Clients then know which is the “default” port for these services.
Here are a few examples of port numbers of well-known services:
- FTP = 20, 21
- SSH = 22
- SMTP = 25
- HTTP = 80
- HTTPS = 443
Advantages of port forwarding
Easy remote access
Port forwarding enables remote devices on the web to access a computer protected by a VPN by opening a non-standard port. Note that this can be a security hazard and precautions, like IP whitelisting, must be taken.
Port forwarding enables you to set up a local host to run a public-facing online service even though your VPN is running. Especially in cases where ISPs don’t provide a public IP address, this is often the only way to publish an online service.
Disadvantages of port forwarding
Potential entry point
As mentioned above, enabling port forwarding opens up a potential point of entry that hackers can use to bypass your security, as the open port will allow them unrestrained access past your firewall.
Hackers use a technique called port scanning to discover open ports on a server or network router, which is a simple method of locating exploitable, often non-standard, ports to sneak in.
Hogging a service
When only one device has exclusive access to a port reserved for a specific service, other devices on the network will be barred from using that service.
How to set up port forwarding in GoodAccess
Setting up port forwarding in GoodAccess is easy. If you aren’t a GoodAccess user yet, give our unlimited free trial a try. Every feature will be available to you for 14 days free of charge.
First, log in to your GoodAccess Control Panel at https://sign.goodaccess.com/
Navigate to the Gateways section and click the “Edit gateway” button.
Then, click the Port forwarding button and Create port forward.
Fill out the form as follows:
- Team Member: Select the member or device you want to forward incoming traffic to
- Service Name: Name your new port forwarding rule
- Public Port / Range: Enter the public port number or range
- Local Port / Range: Enter the local port number or range
- Protocol: Choose between the TCP or UDP protocol
When you’re done, click Save to create the rule.
Now, your active port forwarding rule should appear in the gateway detail under “Port forwarding”.
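As an added illustration (not GoodAccess code, and not how the gateway is implemented), the following Python model ties the form fields above (Service Name, Public Port / Range, Local Port / Range, Protocol) to the security caveat raised earlier: a port forward is an exemption from the deny-all NAT firewall, so each rule should carry its own IP whitelist. The `allow_from` field and the `inbound_decision` check are assumptions of this example, not settings in the Control Panel.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class PortForward:
    """One rule, mirroring the Control Panel form fields, plus a hypothetical
    per-rule source allowlist (IP whitelisting) that this example adds."""
    service_name: str
    public: range               # public port(s) opened on the gateway
    local: range                # local port(s) on the team member's device
    protocol: str               # "tcp" or "udp"
    allow_from: list = field(default_factory=list)  # CIDRs; empty = any source

def parse_ports(spec: str) -> range:
    """Parse a 'Port / Range' field such as '8080' or '8000-8010'."""
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not (1 <= lo <= hi <= 65535):
        raise ValueError(f"invalid port spec {spec!r}")
    return range(lo, hi + 1)

def make_rule(name, public, local, protocol, allow_from=()):
    """Validate the form the way an administrator would before saving it."""
    pub, loc = parse_ports(public), parse_ports(local)
    if len(pub) != len(loc):
        raise ValueError("public and local ranges must be the same size")
    if protocol.lower() not in ("tcp", "udp"):
        raise ValueError("protocol must be TCP or UDP")
    nets = [ipaddress.ip_network(c) for c in allow_from]
    return PortForward(name, pub, loc, protocol.lower(), nets)

def inbound_decision(rules, src_ip, dst_port, protocol):
    """Model the NAT firewall: unsolicited inbound traffic is dropped unless a
    forward rule matches AND the source is whitelisted. Returns the local
    port the traffic is relayed to, or None if it is dropped."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.protocol != protocol.lower() or dst_port not in r.public:
            continue
        if r.allow_from and not any(src in net for net in r.allow_from):
            return None  # port is forwarded, but this source is not allowed
        return r.local[dst_port - r.public.start]
    return None

# Constructed sample rules using documentation address ranges.
RULES = [
    make_rule("rdp-office", "33890", "3389", "TCP", allow_from=["203.0.113.0/24"]),
    make_rule("web", "8000-8002", "80-82", "TCP"),
]
```

A remote desktop rule without an allowlist (the second rule's shape) is exactly the "potential entry point" described above: any port scanner that finds the public port is relayed straight to the local host.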
VPN port forwarding is a handy tool that you can use to enable remote access or host online services. However, opening up a port represents a legitimate risk and extra care should be taken whenever you decide to use it.
Always ensure your remote and local devices can be trusted and are properly secured. Access should be granted on a least-privilege basis to reduce the impact of potential breaches.