Port forwarding explained via the visual metaphor of sea ports

Port forwarding tells your NAT (Network Address Translation) router to hand incoming connections on a chosen port to a specific device inside your network, something the NAT would otherwise drop. It is commonly used to reach your home computer remotely or to let other people connect to a server you host at home.

That said, it exposes whatever service listens on that port to the whole internet, which makes you more vulnerable to attacks and is why it's blocked by many VPN (Virtual Private Network) service providers.

Follow along to learn more about the benefits and risks associated with VPN port forwarding.

    How port forwarding works

    Port forwarding works by telling the router's NAT to let connections to specific ports pass through. Imagine the NAT as a mail-forwarding service that readdresses every outgoing package and keeps a note of who sent it, so that replies can be delivered back. Port forwarding is a standing instruction to that service: anything that arrives for a certain door number goes straight to one particular device, no prior note required. Read on if you want an explanation of the more technical parts!


    What (and why) are ports?

    In more technical terms, a port is a number a device uses to tell apart the services and apps that send and receive network traffic. Because the port field in the TCP and UDP headers is 16 bits wide, port numbers range from 0 to 65,535. The first 1,024 (0 through 1,023) are the well-known ports, historically reserved for the most common services.

    For example, POP3, the protocol an email client uses to retrieve mail from the server, uses port 110. 

    When data is sent and received, the port number is combined with the device's IP (Internet Protocol) address (which is like the device's home address, but on the internet), so that the various processes involved know which data packet goes where.

    If your IP was 203.0.113.45 (each of the four numbers in an IPv4 address can only be 0 to 255) and you used a POP3 email client, then data addressed to the email client would go to 203.0.113.45:110.

    But then you need to deal with the NAT.

    What does the NAT do?

    Network Address Translation exists because there is a scarcity of IPv4 addresses. Only your router's WAN-side address is globally routable – it's called the "public IP" because it's the one online services see. The connected devices – phones, laptops, smart washing machines – get addresses from the private ranges (for example 192.168.x.x), which only mean something inside your home network; the same private address is in use in millions of other homes, and nobody on the internet can route to it directly. That's why they're called "private IPs".

    The NAT rewrites each outgoing packet so that it carries the router's public IP and a port the router picked, and records that mapping in a translation table so the reply can be sent back to the right device and port. Anyone interacting with the router therefore sees only its public address, the devices behind it remain invisible, and an inbound packet that matches no entry in the table is simply dropped. That becomes an issue when you want to reach one of those devices from outside your home network.

    What does this have to do with port forwarding?

    Port forwarding adds a permanent entry to that table: the NAT is told to expect and allow outside connections to a specific public port and to hand them to a specific private IP and port. This makes port forwarding vital for gaming – specifically, hosting servers.

    Want to connect to your Internet of Things cooker while away on holiday? Need to access your home computer while at work? Have a baby cam and want to use it while away? All of that is made possible by port forwarding. 

    Can you port forward with a VPN?

    Yes, you can. Although port forwarding might not be necessary for most VPN users, there are reasons why it might come in useful.

    Accessing your home network

    If you run a VPN server at home so you can reach your home network from elsewhere, the router in front of that server has to forward the VPN protocol's port to it (the exact ports are listed later in this article). Note that this is the opposite situation from a commercial VPN service: here you are the one opening a port, on your own router.

    Creating secure servers and home networks

    Some users forward a port through their VPN provider so that a service on a machine behind the VPN (a game server, a seedbox, a self-hosted app) can be reached at the VPN's public IP. That is an advanced setup, and, as discussed below, it reintroduces exactly the kind of exposure the VPN was meant to remove.

    Having the above in mind, it’s probably clear why most users don’t need VPN port forwarding – if you have not run into it in your daily life, installing a VPN is unlikely to change that.

    If the need arises – for example, you decide to host your website on a server at home – you can set up port forwarding manually, as discussed later in this article. However, it can also be done automatically, making the life of the everyday user easier. It’s accomplished via the Universal Plug and Play.

    Automatic port forwarding, a.k.a. the Universal Plug and Play


    The UPnP – Universal Plug and Play – is a set of protocols (read: communication rules) that make automated port forwarding happen. It allows devices on the same network to discover each other, open ports, and work together seamlessly. 

    The magic of the “zero-configuration networking” – creating networks that don’t require a human to set up – allows any UPnP compatible device from any manufacturer to join a network, get an IP address, make its presence known, and learn about other devices.

    This is a very convenient capability for home and small office networks. In a business environment UPnP is normally disabled: it lets any device on the LAN, including a compromised one, open an inbound port on the edge router without any authentication, and the constant discovery chatter of many devices announcing their presence and capabilities is unwanted traffic.

    How widespread is UPnP? Well, some research into the subject found that 76% of routers are operating with UPnP enabled. Media devices were second with 27%. Chances are that you have a device working with it as well. 

    However, UPnP isn't the only way to handle automatic port forwarding. A more secure – if limited – solution is port triggering.

    Port forwarding vs. port triggering 

    Port forwarding and port triggering are similar concepts, though different in function. With port forwarding, the port is always open. That means devices outside the network are free to connect whenever they like.

    With port triggering, the router opens an inbound port (or range) only after a local device sends outbound traffic on a designated trigger port, and the opening is tied to that device. It closes again after a period of inactivity, and it cannot be opened by an incoming connection, so devices outside the network cannot open it on demand.

    That’s why port triggering is the inferior option if you’re looking for the ability to access a webcam or home desktop computer remotely.
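    To make the NAT, port-forwarding and port-triggering behaviour above concrete, here is a small simulation (an added example, not code from the original article or from any router vendor): an outbound connection creates a translation entry so the reply gets back in, an unsolicited inbound packet is dropped, a static forwarding rule lets it through at any time, and a triggering rule opens a port only after the local device has sent the trigger and only until a timeout expires. All addresses, ports and the timeout value are made-up illustration values.

```python
"""Toy NAT with static port forwarding and port triggering (added example)."""
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.7"   # router's WAN address (documentation range, assumed)
TRIGGER_TIMEOUT = 60        # seconds a triggered port stays open (assumed value)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class Nat:
    table_out: dict = field(default_factory=dict)  # (proto, in_ip, in_port) -> public port
    table_in: dict = field(default_factory=dict)   # (proto, public port) -> (in_ip, in_port)
    forwards: dict = field(default_factory=dict)   # (proto, public port) -> (in_ip, in_port)
    triggers: dict = field(default_factory=dict)   # (proto, trigger port) -> (proto, port to open)
    opened: dict = field(default_factory=dict)     # (proto, port) -> (in_ip, expiry time)
    next_port: int = 40000                         # next public port the NAT hands out

    def add_forward(self, proto, public_port, inside_ip, inside_port):
        self.forwards[(proto, public_port)] = (inside_ip, inside_port)

    def add_trigger(self, trig_proto, trig_port, open_proto, open_port):
        self.triggers[(trig_proto, trig_port)] = (open_proto, open_port)

    def outbound(self, pkt, now):
        """Translate a LAN->WAN packet, recording state so the reply can come back."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.table_out:
            self.table_out[key] = self.next_port
            self.table_in[(pkt.proto, self.next_port)] = (pkt.src_ip, pkt.src_port)
            self.next_port += 1
        trig = self.triggers.get((pkt.proto, pkt.dst_port))
        if trig:  # trigger fired: open the configured port for this device, for a while
            self.opened[trig] = (pkt.src_ip, now + TRIGGER_TIMEOUT)
        return Packet(PUBLIC_IP, self.table_out[key], pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt, now):
        """Decide the fate of a WAN->LAN packet: (verdict, translated packet or None)."""
        k = (pkt.proto, pkt.dst_port)
        if k in self.table_in:  # reply to something a LAN host started
            ip, port = self.table_in[k]
            return "reply", Packet(pkt.src_ip, pkt.src_port, ip, port, pkt.proto)
        if k in self.forwards:  # static port forwarding: always open
            ip, port = self.forwards[k]
            return "forwarded", Packet(pkt.src_ip, pkt.src_port, ip, port, pkt.proto)
        if k in self.opened:    # port triggering: open only until expiry
            ip, expiry = self.opened[k]
            if now < expiry:
                return "triggered", Packet(pkt.src_ip, pkt.src_port, ip, pkt.dst_port, pkt.proto)
            del self.opened[k]
        return "dropped", None


def demo():
    """Run the scenarios from the text; returns the verdict for each one."""
    nat = Nat()
    nat.add_forward("tcp", 8080, "192.168.1.20", 80)   # home web server, always reachable
    nat.add_trigger("udp", 27015, "udp", 27016)         # game traffic on 27015 opens 27016
    r = {}
    out = nat.outbound(Packet("192.168.1.10", 51000, "198.51.100.5", 443), now=0)
    r["reply"] = nat.inbound(Packet("198.51.100.5", 443, PUBLIC_IP, out.src_port), now=1)[0]
    r["unsolicited"] = nat.inbound(Packet("198.51.100.9", 4444, PUBLIC_IP, 22), now=1)[0]
    r["forward"] = nat.inbound(Packet("198.51.100.9", 4444, PUBLIC_IP, 8080), now=1)[0]
    probe = Packet("198.51.100.9", 27016, PUBLIC_IP, 27016, "udp")
    r["before_trigger"] = nat.inbound(probe, now=1)[0]
    nat.outbound(Packet("192.168.1.30", 27015, "198.51.100.9", 27015, "udp"), now=10)
    r["after_trigger"] = nat.inbound(probe, now=20)[0]
    r["expired"] = nat.inbound(probe, now=10 + TRIGGER_TIMEOUT + 1)[0]
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>15}: {verdict}")
```

    The difference between the three mechanisms is visible in the verdicts: the forwarded port answers to a stranger at any time, the triggered port answers only in the window after the local device spoke first, and everything else is dropped.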

    Disclaimer: Surfshark is not responsible for security risks arising from using port forwarding.

    Disadvantages of port forwarding

    As mentioned before, not all VPN providers offer port forwarding functionality, and there are a few good cybersecurity reasons for that:

    Gives hackers a way in 

    Port forwarding can let hackers compromise your security. They don't need to know anything about you in advance: automated scanners sweep the whole IPv4 address space for open ports around the clock, and once a forwarded port shows up, whatever service listens behind it (a camera's web interface, a remote desktop, a game server) is exposed to every exploit and password-guessing attack aimed at that service, with your firewall no longer in the way.

    Bypasses VPN security 

    Imagine you got a VPN to secure your connection. Your data is encrypted, and your ISP can no longer see where you're connecting to. However, if you forward a port through the VPN, which some providers allow, you open an inbound path to a service on your device that the tunnel simply delivers to it: the encryption protects the traffic in transit, not the service listening at the end of it, so the extra layer your VPN software provides is bypassed for that port.

    Creates privacy breaches 

    Regular port forwarding may be dangerous, but UPnP poses even more security risks. The fact that the process is automated makes it a lot easier for hackers and other malicious actors to exploit. In January 2019, a hacker group used routers with UPnP enabled to reach Chromecasts, smart TVs, and Google Homes inside people's homes and make them play videos urging users to subscribe to PewDiePie on YouTube.

    Makes your devices a hub for hackers 

    This case is more annoying than harmful, but other UPnP exploits allowed hackers to use exposed devices in botnets, spam campaigns, and distributed-denial-of-service attacks. And that is aside from their ability to install malware, steal data (like logins and photos) and access your devices (like webcams).


    How to set up port forwarding on your router – Windows 10

    If you are still determined to have your ports forwarded, you can do it manually. It’s less straightforward than doing it with Universal Plug and Play (that’s why it exists), but in the end, the process isn’t too hard. 

    1. First, make sure the device has a fixed (static) local IP address, so the forwarding rule keeps pointing at the right machine after a reboot. Start by entering PowerShell in the search bar.
    2. Right-click PowerShell and choose Run as Administrator. A window should open.
    3. Type Get-NetIPConfiguration and press Enter.
    4. Note down the values next to:
      • InterfaceIndex
      • IPv4Address
      • IPv4DefaultGateway
      • DNSServer
    5. Now type New-NetIPAddress -InterfaceIndex [the InterfaceIndex value from step 4] -IPAddress [the IPv4Address value from step 4] -PrefixLength 24 -DefaultGateway [the IPv4DefaultGateway value from step 4]. Don't type the brackets, just the values. PrefixLength 24 assumes the usual home subnet mask of 255.255.255.0; if Get-NetIPAddress -InterfaceIndex [your InterfaceIndex] shows a different PrefixLength, use that one.
    6. Press Enter. This sets the static IP address. If PowerShell complains that the address already exists, the interface is still in DHCP mode: run Set-NetIPInterface -InterfaceIndex [the InterfaceIndex value from step 4] -Dhcp Disabled and repeat step 5.
    7. Now type Set-DnsClientServerAddress -InterfaceIndex [the InterfaceIndex value from step 4] -ServerAddresses [the DNSServer value from step 4]. Again, just the values, no brackets.
    8. Press Enter. This sets the DNS server.

    An alternative that doesn't touch Windows at all: most routers let you create a DHCP reservation that ties a fixed address to the device's MAC address, which achieves the same result and avoids handing out the same address to another device later.

    The rest is a general outline to follow. The specifics of the act depend on the router in question:

    1. Log in to your router. You usually do it by entering the router's address in your browser.
    2. Check the router's DHCP settings: the static address you chose should lie outside the pool the router hands out automatically, or be reserved for your device's MAC address, otherwise another device may be given the same address.
    3. Locate the tab with port forwarding – the location and the name depend on the router, so it may take you some time to find.
    4. Input the external port (the one people will connect to on your public IP), the internal port (the one the service listens on inside your network) and the protocol (TCP, UDP or both). For the external port, pick a number that doesn't clash with services the router itself uses, for example something above 1,024 and below 65,000; the IANA port registry lists the ports used by common services. Keep in mind that an unusual port number only avoids collisions, it does not hide the service from scanners.
    5. Enter the static IP address (or the reserved local IP address) of the device you want to open port forwarding for.
    6. Click Enable or whatever similar button exists in your router's user interface.

    You have now enabled port forwarding on your router.

    How to set up port forwarding on your router – Mac OS

    Want to set up port forwarding on Mac OS? Here’s how you can do it. 

    1. Obtain a static IP address by following the instructions on the Apple website.
    2. Before switching from DHCP to Manual, write down the IPv4 address.
    3. Switch to Manual.
    4. Write in the IPv4 address in the line which now reads 0.0.0.0.
    5. Write down the router address.

    The rest is a general outline to follow. The specifics of the act depend on the router in question:

    1. Log in to your router. You usually do it by entering the router's address in your browser.
    2. Check the router's DHCP settings: the static address you chose should lie outside the pool the router hands out automatically, or be reserved for your device's MAC address, otherwise another device may be given the same address.
    3. Locate the tab with port forwarding – the location and the name depend on the router, so it may take you some time to find.
    4. Input the external port (the one people will connect to on your public IP), the internal port (the one the service listens on inside your network) and the protocol (TCP, UDP or both). For the external port, pick a number that doesn't clash with services the router itself uses, for example something above 1,024 and below 65,000; the IANA port registry lists the ports used by common services. Keep in mind that an unusual port number only avoids collisions, it does not hide the service from scanners.
    5. Enter the static IP address (or the reserved local IP address) of the device you want to open port forwarding for.
    6. Click "Enable" or whatever similar button exists in your router's user interface.

    You have now enabled port forwarding on your router.

    Setting up port forwarding for your VPN server

    If you have a VPN server at home and want to set up port forwarding to access it remotely via the internet, you can follow these instructions. Remember: specific details depend heavily on your router: 

    1. Open your router's user interface. You usually do it by entering its IP address into your browser;
    2. Find the Port Forwarding screen/tab. You may need to click around;
    3. Depending on the VPN protocol you're using, enter this:
      1. PPTP: set the Local Port to 1723 and Protocol to TCP for the PPTP control channel. The GRE tunnel is IP protocol 47, not a TCP/UDP port, so look for a "PPTP passthrough" or GRE option rather than a port entry. PPTP's authentication (MS-CHAPv2) has been broken for years, so use it only if nothing else is possible;
      2. IPsec: forward UDP 500 for IKE and UDP 4500 for NAT traversal. If the router has an "IPsec passthrough" option, enable it too: without NAT-T the encrypted payload travels as ESP (IP protocol 50), which has no port;
      3. OpenVPN: Local Port set to 1194 and Protocol to UDP (or whatever port you configured the server to listen on);
      4. IKEv2: the same UDP 500 and UDP 4500 as IPsec, since IKEv2 is the key exchange used by IPsec;
      5. WireGuard: set the Port to 51820 and Protocol to UDP (matching the ListenPort in the server's configuration).
    4. You can now set up a VPN connection on another computer by using your home network's public IP (your router's WAN address) as the server address.

    Disclaimer: Surfshark is not responsible for security risks arising out of using port forwarding.

    VPN clients and VPN port forwarding

    It is possible for VPNs to support the port forwarding functionality. Some VPNs out there allow full-on port forwarding. Others allow only some of the most popular ports through. In either case, it’s hard to know upfront, so if port forwarding is important to you, check the VPN’s website, contact its customer support, or read the FAQs to see if it does.

    Surfshark VPN does not support port forwarding. This decision was made with your security in mind. Opening a port means creating a hole in your cybersecurity that would allow access to your devices.

    Outside of that, there's a possibility of other vulnerabilities being discovered. For example, "Port Fail" was unveiled in 2015. It was a side effect of VPN port forwarding that could leak a user's real IP address: an attacker who is a customer of the same VPN provider activates port forwarding on a server, then lures another user of that server into connecting to the server's IP on the forwarded port (an image in a web page is enough). Because VPN clients have to route traffic to the VPN server's own IP outside the tunnel, that connection leaves over the user's real interface, and the attacker's forwarded port receives the user's real IP. As a VPN is meant to protect your privacy, IP address included, this wasn't a great outcome. Not supporting port forwarding keeps Surfshark clear of this class of problem.

    Yes, disabling port forwarding will inconvenience a few users. However, increased security is worth the tradeoff.
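    The Port Fail mechanism comes down to one routing decision, which the following added example models (it is not code from the original article or from the 2015 advisory). A VPN client installs a default route through the tunnel interface plus a host route to the VPN server's public IP via the real interface; longest-prefix match means a connection to that server IP, on the port the attacker forwarded, leaves the tunnel. The block also shows the two known fixes: a client-side firewall rule that lets only the VPN handshake itself use the real interface, and the provider-side fix of forwarding ports on an address other than the tunnel endpoint. All addresses, ports and interface names are made-up illustration values.

```python
"""Port Fail as a longest-prefix-match routing decision (added example)."""
import ipaddress

VPN_SERVER = "203.0.113.50"   # server the victim tunnels to; also the attacker's forwarding IP (assumed)
VPN_PORT = 1194               # OpenVPN over UDP, as in the article's port table
REAL_IP = "198.51.100.23"     # victim's ISP-assigned address (assumed)
TUNNEL_IP = "10.8.0.6"        # victim's address inside the tunnel (assumed)
ATTACKER_FWD_PORT = 45123     # port the attacker had the provider forward (assumed)

# (prefix, interface, source address that packets leaving that interface carry)
ROUTES = [
    ("0.0.0.0/0", "tun0", TUNNEL_IP),        # everything goes through the VPN ...
    (VPN_SERVER + "/32", "eth0", REAL_IP),   # ... except the VPN server itself
]


def route(dst: str) -> tuple:
    """Longest-prefix match over ROUTES; returns (interface, source_ip)."""
    best = None
    for prefix, iface, src in ROUTES:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface, src)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1], best[2]


def egress_allowed(iface: str, dst: str, dport: int, proto: str) -> bool:
    """Client-side mitigation: on the real interface only the VPN handshake may leave."""
    if iface != "eth0":
        return True
    return dst == VPN_SERVER and dport == VPN_PORT and proto == "udp"


def connect(dst: str, dport: int, proto: str = "tcp", firewall: bool = False):
    """Simulate an outbound connection: (interface, source_ip), or None if the firewall blocks it."""
    iface, src = route(dst)
    if firewall and not egress_allowed(iface, dst, dport, proto):
        return None
    return iface, src


if __name__ == "__main__":
    # Normal browsing: through the tunnel, carrying the tunnel address.
    print("web site        :", connect("192.0.2.10", 443))
    # The lure: same server IP, attacker's forwarded port -> leaves over eth0 with the real IP.
    print("port fail       :", connect(VPN_SERVER, ATTACKER_FWD_PORT))
    # Client-side fix: firewall rule allowing only the VPN handshake on eth0.
    print("with firewall   :", connect(VPN_SERVER, ATTACKER_FWD_PORT, firewall=True))
    print("handshake still :", connect(VPN_SERVER, VPN_PORT, "udp", firewall=True))
    # Provider-side fix: forwarded ports live on a different address than the
    # tunnel endpoint, so the /32 host route never covers them.
    print("other exit IP   :", connect("203.0.113.51", ATTACKER_FWD_PORT))
```

    The firewall rule is the same "kill switch" idea many VPN clients ship today: nothing but the tunnel's own packets may leave the real interface while the VPN is up.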

    In conclusion: don’t forward that port

    Port forwarding exists to make internet communication smoother and to let devices reach each other without firewall interruptions. However, opening the gates for unchecked connections from external devices poses some risks, especially if the process is automated with UPnP. It is for this reason that leading VPN providers, including Surfshark, have restricted port forwarding on their services. After all, the security of our user data is the most important goal.


    FAQ

    Is the VPN port forwarding safe?

    Port forwarding is only ever as safe as the service listening behind the open port, because it lets anyone on the internet connect to that service freely. Unless that service is kept patched, properly authenticated and designed for exposure, it should be treated as unsafe.

    Can you get hacked through port forwarding?

    Yes, as port forwarding leaves a gaping hole in your cyber defenses. 

    Will port forwarding ruin my internet?

    Port forwarding will not ruin your internet connection unless you mess something up when enabling it. It can, however, make you vulnerable to hacking attempts.