The trick that I found was not to make OpenVPN run on multiple ports, but instead to get iptables to forward any and all connections coming into a range of ports to the OpenVPN port.

First off was getting iptables to forward a port range to the OpenVPN port. To do that, I used Destination NATing, or DNAT:

sudo iptables -t nat -A PREROUTING -p udp –match multiport –dport 10000:40000 -j REDIRECT –to-ports $openvpn_port
sudo iptables -t nat -A OUTPUT -p udp –match multiport –dport 10000:40000 -o lo -j REDIRECT –to-ports $openvpn_port

Then we need to open the ports on the AWS Security Group

I’ve also changed the link-mtu option simply to make it harder for pure protocol detection to detect the packets as OpenVPN packets.

Add this to Client Config:

link-mtu 1400

The final step was making the OpenVPN client connect to random ports. To do this, we’re going to make use of connection profiles – essentially, just declaring multiple combinations of IP addresses and ports that you want OpenVPN to connect to. When combined with the remote-random option in the client side config file, OpenVPN should randomly go through the list and connect to a random port. To simplify matters, I turned to PHP to generate the 64 random IP/port combinations to paste into the config file:



for($i = 0; $i &lt; 65; $i++) {

$IP = "";
$foo = "remote " . $IP . " " . rand(10000, 40000);
$result = chunk_split ($foo, 27, "\r\n");
echo $result;


Simply change the $IP to your ip
You can run this code on
Then paste this list of remote lines into the client config.
Also enable this line in your client config
This makes the connection random!

sudo sh -c "iptables-save &gt; /etc/iptables.rules"
How to: Getting OpenVPN to run on random ports

Leave a Reply

Your email address will not be published. Required fields are marked *