port forwarding
Port forwarding is a computer networking solution that allows data coming from outside your home network to reach the right device. But how does it work with virtual private networks (VPNs)? Does it work with VPNs at all? Is port forwarding secure, and why is it often mentioned in the context of torrenting? All that is going to be covered in this article.

What are ports?

The operating system that runs your computer or a smart device depends on a lot of smaller processes working together. Some of those processes rely on information received from outside – via the internet. To make sorting of this incoming data easier, the processes and network services receive an identification number – a port. 

Because a port number is a 16-bit value, port numbers range from 0 to 65,535. The first 1024 (0 through 1,023) are historically assigned to the most common services. For example, POP3, the protocol an email client uses to retrieve mail from the server, uses port 110. When information is sent and received, the port number is combined with the device’s IP address, which lets every process involved know which data package goes where.

How port forwarding works


Those port numbers are important because of the Network Address Translation (NAT) process in your router. Public IP addresses are scarce, so typically only the router gets a unique public address. To deal with the issue of computers and phones having private IPs that are duplicated in homes around the world, NAT collects data packages from connected devices, writes down their addresses, slaps its own unique address on top, and forwards them online. 

Usually, NAT makes the devices connected to the router invisible from the outside. Anyone interacting with the router only sees its IP address, while the IPs of the devices behind it remain hidden. This becomes an issue when you want to connect to one of those devices from outside your home network.

Want to connect to your Internet of Things cooker while away on holiday? Need to access your home computer while at work? Have a baby cam and want to use it while away? All of that is made possible by port forwarding. 

By setting up port forwarding on a router, you can enable easy connections to devices behind that router. A forwarding rule tells the NAT to expect outside connections on a specific port and to hand them to a specific internal IP and port combination. Thus, your home network is expanded to encompass all of the amazing gadgets you own.

Do you need VPN port forwarding?

Although port forwarding might not be necessary for most VPN users, there are reasons why it might come in useful:

Accessing your home network: if you set up a virtual private network at home, you may want to access it from a remote location. That’s when VPN port forwarding becomes handy. 

Creating secure servers and home networks: this only applies to the most advanced users, but VPN port forwarding is key to creating secure servers and home networks.  

Seeding torrents: if you want to be a good torrent seeder (uploader), you may, in some cases, require VPN port forwarding. Most VPNs rely on a NAT firewall to protect the system from malicious attacks. Since a NAT firewall only lets in data that a device has requested, it may block remote connections from people who want to download the torrent you’re seeding, as your PC isn’t asking them to connect. 

With the above in mind, it’s clear why most users have no need for VPN port forwarding. If you have not run into port forwarding in your daily life, installing a VPN is unlikely to change much.

If the need arises – for example, you decide to host your website on a server at home – you can set up port forwarding manually, and the process is discussed later in this article. However, it can also be done automatically to make the life of the everyday user easier. It’s done via Universal Plug and Play.

Automatic port forwarding, a.k.a. Universal Plug and Play


UPnP – Universal Plug and Play – is a set of protocols (read: communication rules) that make automated port forwarding happen. It allows devices on the same network to discover each other, open ports, and work together seamlessly. The magic of “zero-configuration networking” – creating networks that don’t require a human to set them up – allows any UPnP-compatible device from any manufacturer to join a network, get an IP address, make its presence known, and learn about other devices.

This is a very convenient capability for home and small office networks. However, UPnP isn’t welcome in a business environment since a large number of devices, all shouting about their presence and capabilities on the local network, would take up a lot of traffic. 

How widespread is UPnP? Well, one bit of research into the subject found that 76% of routers are operating with UPnP enabled. Media devices were second with 27%. Chances are that you have a device working with it as well. 

However, UPnP isn’t the only way to handle automatic port forwarding. A more secure – if limited – solution is port triggering. 

Port forwarding vs. port triggering 

Port forwarding and port triggering are similar concepts, though different in function. With port forwarding, the port is always open. This means that devices outside the network are free to connect whenever. 

With port triggering, a port is opened when a device within the network requests something from outside the network. The port stays open long enough for the answer to come in and closes after some time. This means that it is nearly impossible for devices outside of the network to open the ports.

Nevertheless, port triggering falls short of port forwarding if what you’re looking for is the ability to remotely access a webcam or desktop computer at home, since nothing inside the network will have triggered the port when you try to connect.
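
To make the difference between the three cases concrete (a reply to an outbound request, a static forward, and a triggered port), here is a small Python model of a NAT router. It is an added example, not code from the original article or from any router firmware; the `Nat` class, its method names, and the addresses and ports used with it are all constructed for illustration.

```python
# Toy model of a home router's NAT with static port forwarding and port
# triggering. Constructed for illustration only; it is not real router code.

class Nat:
    def __init__(self, trigger_ttl=30):
        self.trigger_ttl = trigger_ttl  # seconds a triggered port stays open
        self.next_port = 40000          # next public port the NAT hands out
        self.mappings = {}      # (remote_ip, remote_port, public_port) -> (lan_ip, lan_port)
        self.forwards = {}      # public_port -> (lan_ip, lan_port), always open
        self.trigger_rules = {} # outbound destination port -> inbound port to open
        self.triggered = {}     # inbound port -> (lan_ip, expires_at)

    def add_forward(self, public_port, lan_ip, lan_port):
        """Static port forwarding rule, as configured in the router's UI."""
        self.forwards[public_port] = (lan_ip, lan_port)

    def add_trigger(self, trigger_port, open_port):
        """Port triggering rule: traffic out to trigger_port opens open_port."""
        self.trigger_rules[trigger_port] = open_port

    def send_out(self, lan_ip, lan_port, remote_ip, remote_port, now):
        """A LAN host sends a packet out. The NAT rewrites the source to its own
        public IP and a fresh port, notes who asked, and returns that port."""
        public_port, self.next_port = self.next_port, self.next_port + 1
        self.mappings[(remote_ip, remote_port, public_port)] = (lan_ip, lan_port)
        if remote_port in self.trigger_rules:  # port triggering: open on demand
            open_port = self.trigger_rules[remote_port]
            self.triggered[open_port] = (lan_ip, now + self.trigger_ttl)
        return public_port

    def receive(self, remote_ip, remote_port, public_port, now):
        """A packet from the internet hits public_port. Returns the
        (lan_ip, lan_port) it is delivered to, or None if the NAT drops it."""
        # 1. A reply to something a LAN host asked for: the normal NAT case.
        reply = self.mappings.get((remote_ip, remote_port, public_port))
        if reply:
            return reply
        # 2. A static port forward: reachable by anyone, no prior request needed.
        if public_port in self.forwards:
            return self.forwards[public_port]
        # 3. A triggered port: open only for a while after a LAN host triggered it.
        if public_port in self.triggered:
            lan_ip, expires_at = self.triggered[public_port]
            if now < expires_at:
                return (lan_ip, public_port)
            del self.triggered[public_port]  # timed out, so it is closed again
        # 4. Nobody asked for this: the NAT "firewall" discards it.
        return None
```

Running a few packets through it shows why a forwarded port is the risky one: an unsolicited packet to an unmapped port is dropped, a forwarded port answers anyone at any time, and a triggered port answers only the host that triggered it and only until the timer runs out.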

Is VPN port forwarding secure?

Not all VPN providers offer port forwarding functionality, and there are a few good cybersecurity reasons for that:

Allowing hackers in: port forwarding can let hackers compromise your security. All they have to do is learn your ports and IP, and they can just breeze past your firewall. 

Bypassing VPN security: now imagine you got a VPN to secure your connection. Your data is encrypted, your ISP is blinded, nobody knows where you’re connecting from. However, if you decide to forward a port, which is possible with some VPNs, you open a path into your systems that bypasses even the additional security layer granted by the VPN software. 

Creating breaches in privacy: UPnP poses even more security risks. The fact that the process is automated makes it a lot easier for hackers and other malicious actors to exploit. In January 2019, a hacker group used vulnerabilities in UPnP routers to make Chromecasts, smart TVs, and Google Homes play videos urging viewers to subscribe to PewDiePie on YouTube. 

Making your devices a hub for hackers: the case above is more annoying than really harmful, but other UPnP exploits have allowed hackers to use exposed devices in botnets, spam campaigns and distributed denial-of-service (DDoS) attacks. And that is aside from their ability to install malware, steal your data (like logins and photos) and access your devices (like webcams).

How to set up port forwarding on your router – Windows 10

If you are still determined to have port forwarding, you can do it manually. It’s less straightforward than doing it with Universal Plug and Play (that’s why it exists), but in the end, the process isn’t too hard. 

  1. First, we need to make sure your device has a static IP address. Start by entering “PowerShell” in the search bar. 
  2. Right-click PowerShell and choose “Run as Administrator.” A window should open.
  3. Type in “Get-NetIPConfiguration” and press “Enter.”
  4. Note down the values next to:
    1. InterfaceIndex
    2. IPv4Address
    3. IPv4DefaultGateway
    4. DNSServer
  5. Now type in “New-NetIPAddress -InterfaceIndex [the value of InterfaceIndex in Step #4] -IPAddress [the value of IPv4Address in Step #4] -PrefixLength 24 -DefaultGateway [the value of IPv4DefaultGateway in Step #4].” Note that you don’t need to enter the brackets, quotation marks, or the period – just the numbers.

  6. Press “Enter.” This will set the static IP address. 
  7. Now type in “Set-DnsClientServerAddress -InterfaceIndex [the value of InterfaceIndex in Step #4] -ServerAddresses [the value of DNSServer in Step #4].” Note that you don’t need to enter the brackets, quotation marks, or the period – just the numbers.

  8. Press “Enter.” This will set the DNS server. 

Now, the rest is a general outline to follow as the specifics depend on the router in question:

  1. Log in to your router. You usually do it by entering the IPv4DefaultGateway address we learned in step #4 into your browser.
  2. Locate the tab with port forwarding. The location and the title of the tab depend heavily on the maker and model of the router, so you may need to click around. 
  3. Input the entrance and exit ports you want to use as well as the protocol of choice. Going above 1,000 and under 65,000 is a safe bet. Here’s a list of the most commonly used ports.
  4. Enter either your static IP address or the local IP address of the device you need the port for (that address will naturally be different from your router address).
  5. If applicable, click “Enable” (or whatever button that works to that tune). 

That’s it: you are now forwarding ports.

How to set up port forwarding on your router – Mac OS

Want to set up port forwarding on Mac OS? Here’s how you can do it. 

  1. Obtain a static IP address by following the instructions on the Apple website.
  2. Before switching from “DHCP” to “Manual,” write down the IPv4 address.
  3. Switch to Manual. 
  4. Write in the IPv4 address in the line which now reads, 
  5. Write down the router address.

The rest is a general outline to follow. The specifics of the act depend on the router in question:

  1. Log in to your router. You usually do it by entering the Router address in your browser.
  2. Locate the tab with port forwarding – the location and the name will depend on the router, so it may take you some time to find. 
  3. Input your chosen entrance and exit ports, and the chosen protocol. A safe bet is going over 1,000 and under 65,000 – here’s a list of ports used by some of the most common processes.
  4. Enter either your static IP address or the local IP address of the device you want to open port forwarding for.
  5. Click “Enable” or whatever similar button exists in your router’s user interface. 

You have now enabled port forwarding on your router. 

Setting up port forwarding for your VPN server

If you have a VPN server in your home and want to set up port forwarding to access it from the internet, you can roughly follow these instructions. Remember: specific details depend heavily on your router. 

  1. Open your router’s user interface. You usually do it by entering its IP address into your browser. 
  2. Find the Port Forwarding screen/tab. You may need to click around. 
  3. Depending on the type of VPN protocol you’re using, enter this:
    1. PPTP: set the local port to 1723 and protocol to TCP for PPTP itself, and 47 with protocol “Other” for the GRE tunnel. 
    2. IPSec: for the IPSec VPN tunnel, set the local port to 500 and protocol to UDP, and port 4500 with UDP protocol for the IPSec tunnel. 
    3. OpenVPN: local port set to 1194 and protocol to UDP.
    4. IKEv2: this needs the port to be set to 500 and protocol to UDP.
  4. You can now set up a VPN connection on another computer by using the public IP of your VPN server. 

Disclaimer: Surfshark is not responsible for security risks arising out of using port forwarding.

VPN clients and VPN port forwarding

It is entirely possible for VPNs to support port forwarding functionality. Some VPNs out there allow full-on port forwarding. Others allow only some of the most popular ports through. In either case, it’s hard to know up front, so if port forwarding is important to you, check the VPN’s website or FAQ, or contact its customer support, to see if it does. 

Surfshark VPN does not support port forwarding. This decision was made with your security in mind. Opening a port means potentially creating a hole in your cybersecurity that would allow access to the user’s devices. 

Outside of that, there’s the possibility of other vulnerabilities being discovered. For example, “Port Fail” was unveiled in 2015. It was a side effect of VPN port forwarding that could leak the user’s real IP address online. As a VPN is meant to protect your privacy, IP address included, this wasn’t a great outcome. Not supporting port forwarding prevents Surfshark from succumbing to such exploits in the future. 

Yes, disabling port forwarding will inconvenience a few users. However, increased security is worth the tradeoff. 

In Conclusion

Port forwarding exists to make internet communication smoother and to let devices reach each other without interruptions from firewalls. However, opening the gates to unchecked connections from external devices poses real risks, especially when the process is automated with UPnP. This is why leading VPN providers, including Surfshark, have restricted port forwarding on their services. After all, the security of our users’ data is the most important goal. 
