It’s the one thing when I’m configuring things that makes me wince because I know it will give me the business, and I know it shouldn’t, but it does, every time. I have no real idea what I’m doing, what it is, how it works, so of course I’m blindly following instructions like a monkey at a typewriter.

Please guide me into enlightenment.

  • WolfLink
    link
    fedilink
    arrow-up
    7
    ·
    8 months ago

    The port is used by the destination computer to decide what program should process the request.

    Any program on your computer that needs to be open to being contacted by another computer over the network needs to be assigned to a port. When the remote computer wants to contact that program, the IP address is used by intermediate networking computers to forward the message, and the port is used by your computer to pass the message to the right program. Blocking a port will prevent the program assigned to it from being contacted by other computers.

    Some ports are traditionally assigned to some common programs. When you go to a website via http in a browser, it uses port 80 if you don’t specify. If you use https, it uses port 443. SSH uses port 22 by default. You can host an ssh server or http website on a different port, those are just the common conventions. If an http website is hosted on a port other than 80, the user will need to specify the port number in the browser as part of the url.

    VPNs are usually not so much about ports, more about IP addresses. When your computer wants to contact another computer, it normally sends the request to the router, and that router forwards that request either to another computer on LAN or to the ISP, and that ISP forwards the request and so on… based on the IP address. If you are using a VPN, that VPN will override certain IP addresses. When a message would be sent to one of those IP addresses, instead it gets packaged and sent to the IP address specified in the VPN config, and the computer on the other side of the VPN decides where to send the message from there. The router sends the packages message to the VPN computer, but doesn’t get to know what the IP of the packaged message is (by packaged I mean encrypted, and with some metadata).

    Where VPNs and Ports end up being relevant is probably in relation to port forwarding. Normally your computer can make requests to the internet, but can’t be contacted by the internet. This is because your entire LAN shares a public (WAN) IP address, and the router is the device that receives all messages to that IP address. Normally the router discards such incoming messages, but if you set up port forwarding, the router will forward messages for a certain port to a certain computer on the LAN.

    A VPN can allow your computer to receive incoming requests without opening a port on the router. When a request meeting requirements specified in the VPN config is received by the computer on one side of the VPN, it will be forwarded to the computer on the other side of the VPN. For a public VPN (the kind you would pay for that are typically advertised as a privacy tool or a way to get around Netflix geofencing), you can sometimes configure port forwarding, meaning any request sent to that port on the VPN’s server will get forwarded to your computer connecting to the VPN (typically to the same port, so what happens to that request is up to you to configure a program to be assigned to that port).

    The other way a VPN can be used for that kind of contact is when it maps all requests to any port on a set of IP addresses. This is typically how office VPNs are configured, as it lets a remote user access things on the office network as if that user was in the office.

    Note that a VPN is itself a pair of programs communicating with each other like any other program, so typically setting up a VPN requires one of the computers to be exposed to the internet (or at least have ports set up for that). For a public paid VPN the VPN’s servers will be exposed to the internet, and for a corporate VPN the corporate servers will be closed, such that the client doesn’t have to.

    Some common VPN software (e.g. WireGuard) is free and open source and can be configured in a lot of different ways! These two common use cases are just the most common ways to configure VPNs, but if you have some creative use case, there’s a lot you could do with it.