Port forwarding is a crucial networking concept that enables advanced device connectivity — from hosting games to accessing your home network remotely. When using a VPN (Virtual Private Network), port forwarding becomes more complex but remains possible and sometimes necessary. Whether you’re a networking novice or just VPN-curious, we’ll explore how these technologies interact and when you might want to use them together.
What is port forwarding?
Port forwarding is a networking technique that creates a direct path for external devices to reach specific services within your private network. Like a digital traffic controller, it directs incoming data to the right device on your local network.
Port forwarding is essential for online gaming, remote desktop access, and hosting servers — allowing specific external traffic to reach your device by creating targeted openings in your network’s security barrier.
How port forwarding works
Port forwarding is achieved by creating a direct route for specific traffic to reach a designated device or service within a private network. To understand how exactly port forwarding works, it’s essential to break it down into its key components:
What are ports?
Ports are virtual gateways used to manage and differentiate traffic on your network. They act as endpoints for communication, ensuring the right data reaches the correct application. For example:
- Port 80: used for HTTP web traffic;
- Port 443: used for HTTPS (secure web traffic);
- Port 3389: used for Remote Desktop Protocol (RDP).
Each application or service running on a device is assigned a specific port to streamline the data flow. Without ports, the incoming and outgoing data streams would be chaotic and unmanageable.
What does NAT do?
Network Address Translation (NAT) is a router feature that allows multiple devices on your private network to share one public IP address (the router’s), acting like a traffic manager for your network connections.
While NAT typically blocks incoming traffic for security, port forwarding tells it exactly which external connections to allow and where to send them on your network.
What does this have to do with port forwarding?
Port forwarding modifies NAT’s default behavior by explicitly telling it to forward traffic from a specific port to a designated device or service within the private network.
For example:
- A user sets up port forwarding for Port 3389 to enable remote desktop access.
- The router is instructed to forward any traffic on Port 3389 to the user’s computer on the local network.
- External devices can now connect to the local computer using the public IP address and the forwarded port.
In essence, port forwarding creates a direct path through NAT, allowing external devices to access internal resources while maintaining a degree of control over the process.
Automatic port forwarding: UPnP vs. port triggering
Manually configuring port forwarding can be cumbersome, especially if multiple devices or applications require specific port access. To streamline the process, automatic port forwarding methods like Universal Plug and Play (UPnP) and port triggering were developed. Both methods aim to simplify port forwarding, but they function in distinct ways:
UPnP
UPnP is a protocol that allows devices to automatically open ports on the router when needed. This eliminates the need for manual setup and is often used by gaming consoles, streaming devices, and smart home systems.
How it works:
- A device sends a UPnP request to the router, asking it to open a specific port.
- The router dynamically creates the necessary port forwarding rules.
- Once the device no longer needs the port, the router can close it, although this is not always guaranteed.
UPnP simplifies network management, providing an ideal solution for everyday users who want their devices to communicate seamlessly without technical intervention, especially when these devices frequently update their network settings.
However, UPnP’s convenience comes with significant security risks. The protocol’s automatic nature can create temporary security gaps, making you vulnerable to external threats. Malware and malicious devices can potentially exploit these openings to gain unauthorized access to your network, compromising your online security.
Port triggering
Port triggering is a more secure alternative to UPnP, offering dynamic port forwarding with additional safeguards. Instead of devices opening ports directly, the router is programmed to automatically open a port when specific outgoing traffic is detected.
How it works:
- The router monitors outgoing traffic for a specific port or application.
- When the specified traffic is detected, the router temporarily opens the necessary port for incoming traffic.
- Once the outgoing traffic stops, the port is closed.
Port triggering enhances network security by creating only temporary openings in your network. Unlike traditional port forwarding, which maintains permanent open ports, this dynamic approach automatically closes ports when they’re not in use, significantly reducing the window of vulnerability for potential attacks.
While more secure than UPnP, port triggering has notable limitations. The setup process requires more technical knowledge compared to simpler solutions, and its single-device restriction means that only one device can use a triggered port at a time — which can be problematic in networks where multiple devices need simultaneous access to the same service.
Port forwarding vs. port triggering
While both methods serve to simplify network communication, the choice between port forwarding and port triggering depends on your priorities:
Feature | Port forwarding | Port triggering |
---|---|---|
Setup | Manual | Automatic, after configuration |
Security | Permanently open ports (less secure) | Temporary ports (more secure) |
Ease of use | Requires technical know-how | Simpler, once set up |
Use case | Hosting servers or remote access | Applications requiring intermittent connectivity |
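The difference between a static forward and a triggered port, as an added Python sketch that is not part of the original article or any router's firmware. Ports 6000 and 7000, the LAN addresses and the 60-second timeout are constructed, and "the outgoing traffic stops" is modelled as an idle timeout, which is an assumption.

```python
# Added illustration: a toy model of a home router's inbound handling.
# Ports 6000/7000, the LAN addresses and the 60-second timeout are constructed.

class NatRouter:
    def __init__(self):
        self.forwards = {}   # static rule: external port -> (lan_ip, lan_port)
        self.triggers = {}   # trigger rule: outgoing port -> (inbound port, ttl in seconds)
        self.opened = {}     # triggered opening: inbound port -> (lan_ip, expires_at)

    def outbound(self, lan_ip, dst_port, now):
        """A LAN device sends traffic out; a matching trigger opens the inbound port."""
        if dst_port not in self.triggers:
            return "sent"
        in_port, ttl = self.triggers[dst_port]
        holder = self.opened.get(in_port)
        if holder and holder[1] > now and holder[0] != lan_ip:
            return "sent, trigger held by another device"   # single-device restriction
        self.opened[in_port] = (lan_ip, now + ttl)           # (re)start the timer
        return "sent, inbound port opened"

    def inbound(self, ext_port, now):
        """An unsolicited packet hits the public IP; return its LAN target or None."""
        if ext_port in self.forwards:
            return self.forwards[ext_port]                   # permanent opening
        holder = self.opened.get(ext_port)
        if holder and holder[1] > now:
            return (holder[0], ext_port)                     # temporary opening
        return None                                          # NAT default: dropped

def demo():
    r = NatRouter()
    r.forwards[3389] = ("192.168.1.20", 3389)   # the page's remote desktop example
    r.triggers[6000] = (7000, 60)               # outgoing 6000 opens inbound 7000
    return {
        "no_rule": r.inbound(8080, now=0),
        "static_days_later": r.inbound(3389, now=86_400 * 30),
        "before_trigger": r.inbound(7000, now=0),
        "first_device": r.outbound("192.168.1.30", 6000, now=0),
        "second_device": r.outbound("192.168.1.31", 6000, now=5),
        "while_open": r.inbound(7000, now=30),
        "after_timeout": r.inbound(7000, now=61),
    }

if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step:18} -> {result}")
```

The static rule still answers a month later with no device asking for it, while the triggered port is reachable only inside the window opened by the first device.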
Disadvantages of port forwarding
While port forwarding can be a powerful tool for enabling remote access and managing network traffic, it also opens the door to several risks. Here’s a breakdown of the potential downsides to keep in mind when using port forwarding:
Makes your devices a hub for hackers
An open port doesn’t just pose risks to your own network — it can also turn your devices into conduits for malicious activities outside of it:
- Hackers could use your device as a launch point for attacks on other networks;
- Malware or ransomware can exploit forwarded ports, spreading across the network or siphoning sensitive data.
Bypasses VPN security
A VPN encrypts your internet traffic and routes it through a secure server, shielding your data from prying eyes. However, port forwarding can undermine this protection:
- When a port is forwarded, incoming traffic bypasses the VPN, exposing your network to direct interaction with external sources;
- This creates a vulnerability where unencrypted traffic can reach your devices, negating the privacy benefits of a VPN.
Exposes internal devices to direct external access
When you open a port, you essentially invite external traffic to bypass your router’s natural defenses. This exposure can be a major vulnerability if:
- An unprotected smart home device, such as a thermostat or camera, becomes reachable from outside the network;
- A poorly secured gaming console or media server is left open to potential exploits;
- This direct access gives malicious actors an opportunity to interact with devices that were meant to stay private.
Could lead to unexpected service disruptions
Port forwarding often operates on a “set it and forget it” principle, but misconfigurations or forgotten settings can lead to unintended problems:
- If multiple devices attempt to use the same port, it can cause conflicts and connectivity issues;
- An open port that no longer serves a purpose might still attract traffic, potentially overwhelming your network or creating unnecessary slowdowns;
- These disruptions can be particularly frustrating in environments that rely on smooth connectivity, like remote work or gaming setups.
Introduces risks from outdated firmware or software
Even if you’re diligent about configuring port forwarding correctly, outdated software can still be a weak link:
- Routers with old firmware may have security flaws that hackers can exploit via open ports;
- Applications and services relying on forwarded ports may lack proper encryption or patches, leaving them vulnerable to known exploits.
May unintentionally reveal your network’s structure
Port forwarding can inadvertently give hackers clues about your network’s setup:
- Specific ports are associated with certain applications or services. If these are left open, attackers can deduce what devices or services you’re running;
- This information can be used to craft targeted attacks, such as identifying and exploiting a vulnerable media server or remote desktop protocol;
- Such insights make your network an attractive target for attackers looking for easy entry points.
Could be exploited for data interception
Forwarded ports may allow malicious actors to insert themselves into the communication path:
- Traffic flowing through an open port is potentially visible to attackers, especially if encryption is not enforced;
- Sensitive information, like login credentials or personal data, could be intercepted during transit, leading to significant privacy breaches.
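Several of the risks above can be checked from a copy of the router's forwarding table. The following is an added audit sketch, not from the original article; the rule list, DHCP pool and list of listening services are constructed sample data, and the function name and input layout are assumptions.

```python
import ipaddress
from collections import defaultdict

# Ports named on this page and the service the page associates with each.
KNOWN = {80: "HTTP", 443: "HTTPS", 3389: "Remote Desktop Protocol"}

def audit_forwards(rules, dhcp_pool, listening):
    """rules: (ext_port, proto, lan_ip, lan_port) tuples copied from the router.
    dhcp_pool: (first_ip, last_ip) that the router's DHCP server hands out.
    listening: set of (lan_ip, proto, lan_port) confirmed to be in use.
    Returns a sorted list of (ext_port, finding)."""
    lo, hi = (ipaddress.ip_address(a) for a in dhcp_pool)
    findings, by_ext = [], defaultdict(set)
    for ext, proto, ip, port in rules:
        by_ext[(ext, proto)].add((ip, port))
        if ext in KNOWN:          # a well-known port tells outsiders what is running
            findings.append((ext, f"reveals service: {KNOWN[ext]}"))
        if lo <= ipaddress.ip_address(ip) <= hi:   # target has no static address
            findings.append((ext, f"target {ip} is in the DHCP pool"))
        if (ip, proto, port) not in listening:     # forgotten rule, still open
            findings.append((ext, f"stale: nothing listens on {ip}:{port}/{proto}"))
    for (ext, proto), targets in by_ext.items():
        if len(targets) > 1:      # several devices claim the same external port
            findings.append((ext, f"conflict: {len(targets)} devices share {ext}/{proto}"))
    return sorted(findings)

# Constructed sample data, not taken from a real network.
RULES = [
    (3389, "tcp", "192.168.1.20", 3389),     # remote desktop on a static host
    (25000, "tcp", "192.168.1.150", 25000),  # game server on a DHCP lease
    (8080, "tcp", "192.168.1.21", 80),       # media server that was removed
    (8080, "tcp", "192.168.1.22", 80),       # second device on the same port
]
DHCP_POOL = ("192.168.1.100", "192.168.1.200")
LISTENING = {("192.168.1.20", "tcp", 3389), ("192.168.1.150", "tcp", 25000),
             ("192.168.1.22", "tcp", 80)}

if __name__ == "__main__":
    for ext_port, finding in audit_forwards(RULES, DHCP_POOL, LISTENING):
        print(ext_port, finding)
```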
How to set up port forwarding on your router — Windows 10
If you prefer direct control, manual port forwarding is still an option. While it requires more effort than using UPnP, the process is manageable with some basic guidance:
- First, we need to make sure your device is using a static IP address. Start by entering PowerShell into the search bar.
- Right-click PowerShell and choose Run as Administrator. A window should open.
![Screenshot of a Windows search window with Windows PowerShell and Run as Administrator highlighted.](https://surfshark.com/wp-content/uploads/2025/01/vpn-port-forwarding-1.png)
- Type in Get-NetIPConfiguration and press Enter.
![Screenshot of a Windows PowerShell console running as administrator with the command GetNetIPConfiguration displayed.](https://surfshark.com/wp-content/uploads/2025/01/vpn-port-forwarding-2.png)
- Note down the values next to:
  - InterfaceIndex
  - IPv4Address
  - IPv4DefaultGateway
  - DNSServer
- Now enter the following, replacing the brackets with the corresponding values you noted down:
New-NetIPAddress -InterfaceIndex [the value of InterfaceIndex] -IPAddress [the value of IPv4Address] -PrefixLength 24 -DefaultGateway [the value of IPv4DefaultGateway]
![Screenshot of a Windows PowerShell console showing network parameters for setting a static IP address.](https://surfshark.com/wp-content/uploads/2025/01/vpn-port-forwarding-3.png)
- Press Enter. This will set your static IP address.
- Now enter the following, replacing the brackets with the corresponding values you noted down: Set-DnsClientServerAddress -InterfaceIndex [the value of InterfaceIndex] -ServerAddresses [the value of DNSServer]
![Screenshot of a Windows PowerShell console showing network parameters for setting up a DNS server.](https://surfshark.com/wp-content/uploads/2025/01/vpn-port-forwarding-4.png)
- Press Enter. This will set up the DNS server.
- The remaining steps vary by router model, but here’s the general process:
  - Access your router’s settings by entering its IP address in your web browser;
  - Note down your current IPv4 address before switching from DHCP to Manual;
  - Find the port forwarding section in your router settings (check your router’s manual if needed);
  - Configure your ports:
    - Choose entrance and exit port numbers (typically between 1,000 and 65,000);
    - Select the appropriate protocol;
    - Reference common port listings if unsure;
    - Enter either your static IP address or the local IP address of the target device;
  - Save your settings by clicking Enable or the equivalent option in your router’s interface.
- Congrats, you have now successfully enabled port forwarding on your router!
How to set up port forwarding on your router — macOS
Here’s how to set up port forwarding on macOS:
- First, get a static IP address by following the instructions on Apple’s website.
![Screenshot of a Mac network settings window showing the WiFi connection and IP address.](https://surfshark.com/wp-content/uploads/2025/01/vpn-port-forwarding-5.png)
- Before making any changes, write down your current IPv4 address.
![Screenshot of the TCP and IP tab of a Mac network settings window with an empty IPv4 address field.](https://surfshark.com/wp-content/uploads/2025/01/vpn-port-forwarding-6.png)
- In your network settings, change from DHCP to Manual configuration.
- Enter the IPv4 address you wrote down in the field that currently shows 0.0.0.0.
- Note down your router’s address for future reference.
![Screenshot of the TCP and IP tab of a Mac network settings window with zeros entered in the IPv4 address field.](https://surfshark.com/wp-content/uploads/2025/01/vpn-port-forwarding-7.png)
- The remaining steps vary by router model, but here’s the general process:
  - Access your router’s settings by entering its IP address in your web browser;
  - Note down your current IPv4 address before switching from DHCP to Manual;
  - Find the port forwarding section in your router settings (check your router’s manual if needed);
  - Configure your ports:
    - Choose entrance and exit port numbers (typically between 1,000 and 65,000);
    - Select the appropriate protocol;
    - Reference common port listings if unsure;
    - Enter either your static IP address or the local IP address of the target device;
  - Save your settings by clicking Enable or the equivalent option in your router’s interface.
- Congrats, you have now successfully enabled port forwarding on your router!
VPN with port forwarding: what you need to know
While VPNs shield your network and port forwarding opens it up to outside connections, these seemingly opposing technologies can work together effectively if configured properly.
Can you use port forwarding with a VPN?
Yes, it is possible to use port forwarding with a VPN, but it depends on the VPN service you are using. Not all VPN providers offer port forwarding as an option due to the security and privacy risks it may introduce.
Surfshark VPN does not support port forwarding. We made this decision with your security in mind — while port forwarding can be useful, it also opens a potential access point in your network that could expose your devices to unauthorized connections. Protecting your privacy and security remains our top priority.
When a VPN does allow port forwarding:
- The VPN assigns you a specific port number that is opened for external traffic;
- Any requests to this port are routed through the VPN’s secure server and forwarded to your device;
- This ensures that your public IP remains hidden even though the port is open.
Forwarding ports with a VPN allows for secure remote access to home networks, servers, and devices while maintaining privacy through encrypted connections — whether hosting game servers, managing smart home systems, improving P2P (peer-to-peer) performance, or accessing personal files from anywhere.
It’s important to check with your VPN provider to see if they support port forwarding and how to configure it if they do.
Conclusion: finding the right balance
Port forwarding and VPNs can work together effectively, opening up possibilities from game hosting to remote network access. However, these tools require careful security consideration, as they can create potential access points in your network that might expose your devices to unauthorized connections.
Frequently Asked Questions
Is VPN port forwarding safe?
VPN port forwarding can be safe if implemented correctly and used with a reliable VPN provider. However, it does create an additional entry point to your network, so ensure strong security practices, like using secure ports and complex passwords, to minimize risks.
Can you get hacked through port forwarding?
Yes, poorly configured port forwarding can expose your devices to external attacks, especially if the forwarded port is tied to an insecure service or application. To reduce this risk, use secure ports, enable firewalls, and keep all devices and applications updated.
Will port forwarding ruin my internet?
Port forwarding itself will not ruin your internet, but misconfigured settings can lead to connectivity issues or create bandwidth bottlenecks. Proper configuration and avoiding conflicts with existing network settings will ensure a smooth internet experience.
Does port forwarding improve speed?
Port forwarding does not directly increase your internet speed but can enhance the performance of specific applications, such as P2P clients or video games. Allowing direct communication reduces latency and optimizes data flow for those services.