The Ultimate Guide to VPN Port Forwarding

Port forwarding is a very useful tool that enables you to unblock resources and functions that were previously restricted. In this guide, we define port forwarding, tell you the advantages of using it, and show you how to set it up securely.

 

What is port forwarding?

When you use the internet, your computer dedicates ports to specific functions. For example, if you are accessing an HTTPS website, your computer will direct this traffic to port 443.  

Port Forwarding, or port mapping, reroutes this data from one port to another. Many (but not all) VPN services use a NAT firewall to help protect customers from malicious incoming connections. This is great, but it can also block incoming connections that you want or need. If a VPN offers port forwarding, it can be used to reroute incoming connections so that they bypass its NAT firewall. Using port forwarding when torrenting, you are able to access resources that would otherwise be blocked by the VPN server.

What can VPN port forwarding be used for?

The three main uses for port forwarding are:

Port forwarding and torrenting

Incoming connections allow other torrent users to connect to your BitTorrent client and download files. In other words, they allow you to seed. And the more you seed, the faster your downloads tend to be.

Seeding is also considered good netiquette, because nobody would be able to download anything without it. Torrenting is, after all, also called file-sharing for a reason!

A NAT firewall prevents others from initiating unsolicited new connections, although once a connection is established, incoming connections are permitted.

When another BitTorrent user wishes to download a file (or part of a file) that you have, it will try to initiate a connection with your BitTorrent client. If this is not possible thanks to a NAT firewall, it will alert your software that it wants to connect. Your BitTorrent client then initiates the connection, thereby bypassing the NAT firewall.

If the other downloader is not also behind a NAT firewall, then no problem. You can seed to them. When both parties are behind a NAT firewall, however, this is not possible as neither party can initiate a connection!

This makes the P2P process much less efficient for all users, and if the only people holding the file/file pieces that you want are also behind a NAT firewall, then tough cheese. As more people use VPNs to protect themselves while downloading, this problem is only likely to get worse.

Not required

Port forwarding solves the problem, but it should be stressed that it is not required for downloading. As long as everyone else sharing the same torrent isn't also behind a NAT firewall, you may not even notice the difference to your download speeds. You can also seed to them.

Since the benefits of port forwarding are often largely theoretical (especially for more casual torrent users), many torrent-friendly VPN services do not feel it is a feature worth offering.


Here we are downloading a file in qBitTorrent when connected to a VPN, but without port forwarding enabled. As we can see, download speeds are actually quite good despite upload speeds being very limited (but seeding nonetheless).

Port forwarding and eMule

Even more prominent than with BitTorrent, eMule requires that you have open UDP and TCP ports that are available from the internet to work at its best. If open ports are not accessible from the internet, this results in what is termed low ID.


You can still share files with low ID, but downloads will be much slower than if you have high ID. Port forwarding is, therefore, particularly important for eMule users.

One major catch, however, is that eMule does not play ball very well with modern firewalls. Thanks to UPnP, it can usually configure itself to work with local firewalls such as Windows Defender and router-level NAT firewalls automatically, but this does not work when also port forwarding through a VPN’s NAT firewall remotely.


Unfortunately, the only recourse if you want to use port forwarding to achieve high ID in eMule is to disable your Windows firewall. Needless to say, this is not ideal.

How to use VPN Port Forward - For Torrenting

If your VPN does not use a NAT firewall, then there is no need for remote port forwarding, anyway. If it does use a NAT firewall, then you can only port forward through it if the VPN provider offers port forwarding as a feature.

Providers who support port forwarding will provide specific instructions on how to enable it for their service. Usually, it goes something like this:

  1. Enable VPN port forwarding. This is usually done in the user area of the VPN’s web interface but is sometimes done in the VPN client software. Some VPN services only allow port forwarding on specified servers.


    AirVPN (above) allows you to manually specify up to 20 static ports to open using its web portal.


    Mullvad lets you set up port forwarding using either its web interface or desktop client. Unlike AirVPN, open ports are randomly assigned, although it is not clear if they are dynamically allocated or static.
  2. Change the listening port used for incoming connections to a port number you chose or were assigned in step 1.
  3. Disable UPnP and/or NAT-PMP in the BitTorrent client. UPnP and/or NAT-PMP can be useful for bypassing local firewalls but are not useful for bypassing remote NAT firewalls. Worse yet, if enabled, they may try to route connections through your router rather than through the VPN interface. This may result in your real IP address being exposed even when using a VPN.


    And here they are in Vuze. Pretty much every BitTorrent client will have similar settings in their options menus.
  4. With the torrent client running, visit CanYouSeeMe.org and enter the port number you have (hopefully) opened. Remember that an open port will only be detected if you have a program that is actively listening on that port.


All being well, you will see a message saying “Success.”

Other issues

Note that even with port forwarding successfully enabled, you may still see a yellow icon (or similar) indicating that upload connections are not optimized. This is not a major problem, and you can simply ignore it.

You can also try port forwarding through your router’s NAT firewall manually, which requires setting up a static IP. See portforward.com for instructions on how to set up a static IP and port forward on almost every router on the market.

How to Port Forward Through a VPN NAT Firewall for eMule

  1. Enable VPN port forwarding, as seen in Step 1 for torrenting above.
  2. Open eMule and go to Options -> Connection -> Client Port. Make sure that “Use UPnP to Setup Ports” is not enabled.


  3. Disable your firewall. If using the default Windows Defender firewall, go to Settings -> Update & Security -> Windows Defender -> Open Windows Defender Security Centre -> Firewall & network protection -> and disable the firewall on all networks.
  4. Return to the eMule connection panel (step 1) and click "Test Ports." A web page will open, testing to see if ports used by eMule can be reached from the web.


Hopefully, you will see something like the above!

Is VPN port forwarding safe?

Open ports

In theory, any open port on your computer provides a way in for hackers. In practice, only programs that are actively listening in on open ports are vulnerable.

Even if a hacker can somehow compromise your BitTorrent client, there is very little malicious they can actually do with it! If you have opened a port to allow remote access of your PC, on the other hand, a hacker could do a lot more damage. Even then, though, the remote software would need to have a known security vulnerability that the hacker could exploit.

An open port is an open port, and port forwarding through a VPN NAT firewall still leaves a port open. So, avoiding port forwarding through the VPN is safer than port forwarding, but port forwarding is still pretty darn safe.
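Since the risk sits with whatever program is listening, it is worth checking what is actually bound to each forwarded port. The following is an added example, not part of the original guide: it parses a constructed sample in the Linux /proc/net/tcp layout and reports, per forwarded port, whether anything is listening and whether it is bound to the tunnel address only or to every interface. The tunnel address 10.8.0.2, the port numbers and the function names are assumptions for illustration.

```python
import socket
import struct

# Constructed sample in /proc/net/tcp layout (Linux, little-endian host assumed).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:C8D5 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20001
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20002
   2: 0200080A:0D3D 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20003
   3: 0200080A:C8D5 057100CB:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 20004
"""

TCP_LISTEN = "0A"  # state code for LISTEN in /proc/net/tcp

def listening_sockets(proc_text):
    """Return [(ip, port)] for every IPv4 TCP socket in LISTEN state."""
    result = []
    for line in proc_text.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue                             # established etc. are not listeners
        hex_ip, hex_port = fields[1].split(":")
        # The address is a 32-bit value printed in host byte order.
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        result.append((ip, int(hex_port, 16)))
    return result

def audit_forwarded_ports(proc_text, tunnel_ip, forwarded_ports):
    """Map each forwarded port to what is listening behind it."""
    listeners = listening_sockets(proc_text)
    report = {}
    for port in forwarded_ports:
        binds = [ip for ip, p in listeners
                 if p == port and ip in (tunnel_ip, "0.0.0.0")]
        if not binds:
            report[port] = "no listener"
        elif "0.0.0.0" in binds:
            report[port] = "listening on all interfaces"
        else:
            report[port] = "listening on tunnel only"
    return report

if __name__ == "__main__":
    print(audit_forwarded_ports(SAMPLE_PROC_NET_TCP, "10.8.0.2", [51413, 3389, 6881]))
```

On a real Linux machine, pass the contents of /proc/net/tcp instead of the sample; a forwarded port with no listener, or with a listener you did not expect, is a forward worth removing.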


Note

If you port forward through a VPN service, your connection remains securely encrypted by the VPN.

Port Fail

In 2015, Perfect Privacy published a security warning over VPN port forwarding, which it dubbed “Port Fail.” Despite the fact that network professionals have been aware of the issue since at least 2002, this “news” received a great deal of attention in the press.

Port Fail uses a fairly simple combination of time correlation and social engineering to expose the real IP address of other VPN users. The victim does not need to use port forwarding; it is the attacker who uses it.

This attack, however, is very easy to prevent. All a provider needs to do is set up different incoming and exiting IP addresses on its servers. What is a little surprising is that five of the nine port forwarding VPNs that Perfect Privacy tested had not implemented this basic security procedure!

Three of the providers fixed the flaw before Perfect Privacy published its warning, including Private Internet Access. The others appear never to have been named, and of course, many other providers were not tested.

Three years after the public furor over the issue, we certainly hope no VPN providers are continuing to make the same elementary mistake.

Static vs Dynamic VPN port forwarding

Some VPN services allow you to open a static port that does not change. Others will dynamically assign you a new port each time you make a new connection to one of their VPN servers. In practice, even dynamically assigned IPs often stay the same over long periods of time. But they can change, and when they do, users are often not aware of it.

Static port forwarding is usually more convenient for customers, as you do not need to change the port settings in your software regularly. Just to complicate the issue, though, some providers allow you to specify a static port but will then reset it at regular intervals!

Dynamic port forwarding, on the other hand, is automatically configured using UPnP, which makes it easier for providers to implement. Again, the issue is complicated by the fact that some VPN services will reserve dynamically assigned IPs for as long as you continue to use them regularly.

Conclusion

If you need to access a personal server or other LAN resources behind a VPN connection, then you need to set up port forwarding. If you are just file sharing, you don’t - but it can improve performance (especially for eMule).

For more casual torrenters, the debatable benefits of port forwarding may not be worth the hassle of setting it up. Serious torrent-heads, however, will appreciate the performance gains and the fact that it benefits everyone using the BitTorrent network.

See our best VPN for torrenting guide for a list of services and further information about using a VPN when torrenting.

Image credit: By nmedia/Shutterstock.

Written by: Douglas Crawford

Has worked for almost six years as senior staff writer and resident tech and VPN industry expert at ProPrivacy.com. Widely quoted on issues relating to cybersecurity and digital privacy in the UK national press (The Independent & Daily Mail Online) and international technology publications such as Ars Technica.

3 Comments

  1. drummerdave4689

    on January 12, 2019

    All sounds good except for that online port checker didn't work for me (failed no matter what)... I had to download a port checking program from here: http://www.pcwintech.com/simple-port-tester

  2. 0x274832 VPN Junky

    on July 25, 2018

    Additional extending 3rd Step with specific port to prevent all other ports to be accessed: 3rd Add allow single IP Address to your VPN Provider over “eth0” on a specific port UDP 1194 for example!

  3. 0x274832 VPN Junky

    on July 25, 2018

    Corresponding to "VPN Port Fail Attack" only the attacker needs Portforwarding! This is not client related! You can forward as many ports as you wish without leaking your real IP-Address. Port Fail catches you even if you do not port forward a single port nor allow no incoming traffic! Solution for Client side: Example your default Gateway is 192.168.0.1 and it's on Device eth0. 1st Block ALL (INCOMING AND OUTGOING) Traffic on "eth0"! 2nd Add allow outgoing traffic for DNS to 9.9.9.9 and UDP Port 53 over "eth0" 3rd Add allow single IP Address to your VPN Provider over "eth0" so this rule Set blocks any other outgoing traffic over your default Gateway! Even if someone requests you to connect over your default route, this will block ALL traffic except the direct connection to the VPN Gateway. The Attacker can not listen on IP Address of VPN Server and UDP 1194 at the same time!!! This is how I block anyone from rerouting my traffic over eth0!!!
