VPN and Tunnel Ports: OpenVPN (1194), WireGuard (51820), IPsec (500)

VPN and Tunneling Ports

VPN protocols create encrypted tunnels for secure communication across untrusted networks.

Modern VPN Protocols

Port	Protocol	Transport
51820	WireGuard	UDP
1194	OpenVPN	UDP (preferred) or TCP
443	OpenVPN over HTTPS	TCP

WireGuard (Port 51820)

WireGuard is the modern standard for VPN tunneling:

• Minimal code base (~4,000 lines vs ~100,000 for OpenVPN)
• Built into the Linux kernel since 5.6
• Uses state-of-the-art cryptography (ChaCha20, Curve25519)
• UDP only, which provides better performance than TCP-based VPNs

OpenVPN (Port 1194)

OpenVPN is the most widely deployed open-source VPN:

• UDP 1194: Default and preferred (lower latency)
• TCP 443: Fallback when UDP is blocked (masquerades as HTTPS)

IPsec / IKEv2

Port	Protocol	Purpose
500	IKE	Key exchange (UDP)
4500	NAT-T	IPsec NAT traversal (UDP)

IPsec with IKEv2 is built into most operating systems and is the standard for enterprise and mobile VPNs.

Legacy Protocols (Avoid)

Port	Protocol	Issue
1723	PPTP	Known cryptographic weaknesses
1701	L2TP	Must be combined with IPsec

PPTP should never be used — its authentication protocol (MS-CHAPv2) has been broken since 2012.

SSH Tunneling (Port 22)

SSH can create encrypted tunnels without dedicated VPN software:

# Local port forwarding (access remote DB locally)
ssh -L 3306:db-server:3306 user@jump-host

# Dynamic SOCKS proxy
ssh -D 1080 user@remote-server

# Reverse tunnel (expose local port remotely)
ssh -R 8080:localhost:3000 user@public-server