Port forwarding is a very useful tool that enables you to unblock resources and functions that were previously restricted. In this guide, we define port forwarding, tell you the advantages of using it, and show you how to set it up securely.
What is port forwarding?
When you use the internet, your computer dedicates ports to specific functions. For example, if you are accessing an HTTPS website, your computer will direct this traffic to port 443.
Port Forwarding, or port mapping, reroutes this data from one port to another. Many (but not all) VPN services use a NAT firewall to help protect customers from malicious incoming connections. This is great, but it can also block incoming connections that you want or need. If a VPN offers port forwarding, it can be used to reroute incoming connections so that they bypass its NAT firewall. Using port forwarding when torrenting, you are able to access resources that would otherwise be blocked by the VPN server.
What can VPN port forwarding be used for?
The three main uses for port forwarding are:
- Improving torrent speeds
- Allowing remote access to your PC while away from home
- Letting you access personal games or media servers set up on your LAN
Port forwarding and torrenting
Incoming connections allow other torrent users to connect to your BitTorrent client and download files. In other words, they allow you to seed. And the more you seed, the faster your downloads tend to be.
Seeding is also considered good netiquette, because nobody would be able to download anything without it. Torrenting is, after all, also called file-sharing for a reason!
A NAT firewall prevents others from initiating unsolicited new connections, although once a connection is established, incoming connections are permitted.
When another BitTorrent user wishes to download a file (or part of a file) that you have, it will try to initiate a connection with your BitTorrent client. If this is not possible thanks to a NAT firewall, it will alert your software that it wants to connect. Your BitTorrent client then initiates the connection, thereby bypassing the NAT firewall.
If the other downloader is not also behind a NAT firewall, then no problem. You can seed to them. When both parties are behind a NAT firewall, however, this is not possible as neither party can initiate a connection!
This makes the P2P process much less efficient for all users, and if the only people holding the file/file pieces that you want are also behind a NAT firewall, then tough cheese. As more people use VPNs to protect themselves while downloading, this problem is only likely to get worse.
Not required
Port forwarding solves the problem, but it should be stressed that it is not required for downloading. As long as everyone else sharing the same torrent isn't also behind a NAT firewall, you may not even notice the difference to your download speeds. You can also seed to them.
Since the benefits of port forwarding are often largely theoretical (especially for more casual torrent users), many torrent-friendly VPN services do not feel it is a feature worth offering.
Here we are downloading a file in qBitTorrent when connected to a VPN, but without port forwarding enabled. As we can see, download speeds are actually quite good despite upload speeds being very limited (but seeding nonetheless).
Port forwarding and eMule
Even more so than BitTorrent, eMule needs open UDP and TCP ports that are reachable from the internet to work at its best. If its open ports are not accessible from the internet, this results in what is termed low ID.
You can still share files with low ID, but downloads will be much slower than if you have high ID. Port forwarding is, therefore, particularly important for eMule users.
One major catch, however, is that eMule does not play ball very well with modern firewalls. Thanks to UPnP, it can usually configure itself to work with local firewalls such as Windows Defender and router-level NAT firewalls automatically, but this does not work when also port forwarding through a VPN’s NAT firewall remotely.
Unfortunately, the only recourse if you want to use port forwarding to achieve high ID in eMule is to disable your Windows firewall. Needless to say, this is not ideal.
Check out our eMule VPN page for information about how to stay secure and private when using the BitTorrent client.
How to set up Port Forward?
In this section, we look at how to port forward with a VPN, specifically for torrenting. If your VPN does not use a NAT firewall, then there is no need for remote port forwarding anyway. If it does use a NAT firewall, then you can only port forward through it if the VPN provider offers port forwarding as a feature.
Providers who support port forwarding will provide specific instructions on how to enable it for their service. Usually, it goes something like this:
- Enable VPN port forwarding. This is usually done in the user area of the VPN’s web interface but is sometimes done in the VPN client software. Some VPN services only allow port forwarding on specified servers.
AirVPN (above) allows you to specify up to 20 static ports to open using its web portal manually.
Mullvad lets you set up port forwarding using either its web interface or desktop client. Unlike AirVPN, open ports are randomly assigned, although it is not clear if they are dynamically allocated or static.
- Change the listening port used for incoming connections to a port number you chose or were assigned in step 1.
- Disable UPnP and/or NAT-PMP in the BitTorrent client. UPnP and/or NAT-PMP can be useful for bypassing local firewalls but are not useful for bypassing remote NAT firewalls. Worse yet, if enabled, they may try to route connections through your router rather than through the VPN interface. This may result in your real IP address being exposed even when using a VPN.
And here they are in Vuze. Pretty much every BitTorrent client will have similar settings in their options menus.
- With the torrent client running, visit CanYouSeeMe.org and enter the port number you have (hopefully) opened. Remember that an open port will only be detected if you have a program that is actively listening on that port.
All being well, you will see a message saying "Success."
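A local check to run before the external port test, as an added example that is not part of the original guide: it parses `ss -H -tuln` output and reports, per protocol, whether the forwarded port has a listener and whether that listener is bound only to the VPN tunnel address or to every interface. The sample output, the tunnel address 10.8.0.2 and the port 51413 are constructed values.

```python
import ipaddress

# Constructed sample of `ss -H -tuln` output, not captured from a real host.
SAMPLE_SS = """\
udp   UNCONN 0      0            0.0.0.0:5353        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:51413       0.0.0.0:*
tcp   LISTEN 0      128         10.8.0.2:51413       0.0.0.0:*
tcp   LISTEN 0      4096   127.0.0.53%lo:53          0.0.0.0:*
tcp   LISTEN 0      128             [::]:22             [::]:*
"""

WILDCARDS = {"0.0.0.0", "::", "*"}
# Higher rank = wider exposure; the widest binding per protocol is reported.
RANK = {"vpn-only": 0, "other-interface": 1, "wildcard": 2}

def parse_listeners(ss_output):
    """Yield (proto, local_address, local_port) for each socket line."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        addr, _, port = fields[4].rpartition(":")
        addr = addr.split("%")[0].strip("[]")  # drop %iface scope and IPv6 brackets
        if port.isdigit():
            yield fields[0], addr, int(port)

def classify(addr, vpn_ip):
    if addr in WILDCARDS:
        return "wildcard"          # accepts on LAN and VPN interfaces alike
    try:
        same = ipaddress.ip_address(addr) == vpn_ip
    except ValueError:
        return "other-interface"
    return "vpn-only" if same else "other-interface"

def audit_forwarded_port(ss_output, port, vpn_addr):
    """Return {proto: verdict}; an empty dict means nothing is listening."""
    vpn_ip = ipaddress.ip_address(vpn_addr)
    result = {}
    for proto, addr, p in parse_listeners(ss_output):
        if p == port:
            verdict = classify(addr, vpn_ip)
            if RANK[verdict] >= RANK.get(result.get(proto), -1):
                result[proto] = verdict
    return result

if __name__ == "__main__":
    print(audit_forwarded_port(SAMPLE_SS, 51413, "10.8.0.2"))
```

An empty result means the external checker will report the port as closed no matter how the VPN is configured; a "wildcard" verdict means the client also accepts connections arriving through the router, the path that UPnP or NAT-PMP mappings would open.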
Other issues
Note that even with port forwarding successfully enabled, you may still see a yellow icon (or similar) indicating that upload connections are not optimized. This is not a major problem, and you can simply ignore it.
You can also try port forwarding through your router’s NAT firewall manually, which requires setting up a static IP. See portforward.com for instructions on how to set up a static IP and port forward on almost every router on the market.
How to Port Forward Through a VPN NAT Firewall for eMule
- Enable VPN port forwarding, as seen in Step 1 for torrenting above.
- Open eMule and go to Options -> Connection -> Client Port. Make sure that "Use UPnP to Setup Ports" is not enabled.
- Disable your firewall. If using the default Windows Defender firewall, go to Settings -> Update & Security -> Windows Defender -> Open Windows Defender Security Centre -> Firewall & network protection -> and disable the firewall on all networks.
- Return to the eMule connection panel (step 1) and click "Test Ports." A web page will open, testing to see if ports used by eMule can be reached from the web.
Hopefully, you will see something like the above!
Check out our what is NAT guide for a definition and explanation of what it does.
Is VPN port forwarding safe?
Open ports
In theory, any open port on your computer provides a way in for hackers. In practice, only programs that are actively listening in on open ports are vulnerable.
Even if a hacker can somehow compromise your BitTorrent client, there is very little malicious they can actually do with it! If you have opened a port to allow remote access of your PC, on the other hand, a hacker could do a lot more damage. Even then, though, the remote software would need to have a known security vulnerability that the hacker could exploit.
An open port is an open port, and port forwarding through a VPN NAT firewall still leaves a port open. So, avoiding port forwarding through the VPN is safer than port forwarding, but port forwarding is still pretty darn safe.
Note
If you port forward through a VPN service, your connection remains securely encrypted by the VPN.
Port Fail
In 2015, Perfect Privacy published a security warning over VPN port forwarding, which it dubbed "Port Fail." Despite the fact that network professionals have been aware of the issue since at least 2002, this "news" received a great deal of attention in the press.
Port Fail uses a fairly simple combination of time correlation and social engineering to expose the real IP address of other VPN users. The victim does not need to use port forwarding; it is the attacker who uses it.
This attack, however, is very easy to prevent. All a provider needs to do is set up different incoming and exiting IP addresses on its servers. What is a little surprising is that five of the nine port forwarding VPNs that Perfect Privacy tested had not implemented this basic security procedure!
Three of the providers fixed the flaw before Perfect Privacy published its warning, including Private Internet Access. The others appear never to have been named, and of course, many other providers were not tested.
Three years after the public furor over the issue, we certainly hope no VPN providers are continuing to make the same elementary mistake.
Static vs Dynamic VPN port forwarding
Some VPN services allow you to open a static port that does not change. Others will dynamically assign you a new port each time you make a new connection to one of their VPN servers. In practice, even dynamically assigned IPs often stay the same over long periods of time. But they can change, and when they do, users are often not aware of it.
Static port forwarding is usually more convenient for customers, as you do not need to change the port settings in your software regularly. Just to complicate the issue, though, some providers allow you to specify a static port but will then reset it at regular intervals!
Dynamic port forwarding, on the other hand, is automatically configured using UPnP, which makes it easier for providers to implement. Again, the issue is complicated by the fact that some VPN services will reserve dynamically assigned IPs for as long as you continue to use them regularly.
Conclusion
If you need to access a personal server or other LAN resources behind a VPN connection, then you need to set up port forwarding. If you are just file sharing, you don’t - but it can improve performance (especially for eMule).
For more casual torrenters, the debatable benefits of port forwarding may not be worth the hassle of setting it up. Serious torrent-heads, however, will appreciate the performance gains and the fact that it benefits everyone using the BitTorrent network.
See our best VPN for torrenting guide for a list of services and further information about using a VPN when torrenting.
Image credit: By nmedia/Shutterstock.