OpenVPN: Running OpenVPN and a Web Server on the Same TCP Port


OpenVPN can act as a simple HTTP reverse proxy. This feature is called port sharing: if OpenVPN detects non-VPN traffic on its listening port, it proxies that connection to a specified host and port instead of handling it itself.

First of all, set up OpenVPN as described in my previous post.

Let us assume both OpenVPN and a web server should be reachable on TCP port 443, and both run on the same machine.

Configure the web server to bind only to the loopback address (localhost) on port 9443, so it is reached from outside only through OpenVPN. For example, with lighttpd:

# listen on loopback only; the address matches the port-share target below
$SERVER["socket"] == "127.0.0.1:9443" {
}

Then configure OpenVPN (/etc/openvpn/vpnsrv.conf) to run as a TCP server on TCP port 443. Replace the following directives:

# vpn server dns name
remote 1194
# Fallback in case of name cannot resolve
remote 1194
proto udp

with:

# vpn server dns name
# Fallback in case of name cannot resolve
proto tcp-server
port 443
# Dynamic Source Port

and add the port-share option. To monitor proxy activity, a directory can be given as a third argument: OpenVPN then creates a file in /var/run/openvpn/proxy for each proxied session.

port-share localhost 9443 /var/run/openvpn/proxy

This directory must be created on every boot because /run (and /var/run, which points to it) is volatile (mounted as tmpfs). To create it at startup, create a new file /etc/tmpfiles.d/openvpn-proxy.conf with the following content:

D /var/run/openvpn/proxy 0755 root root

Change your client config so that it also connects to TCP port 443.
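To double-check the server side of this set-up before exposing port 443, here is a small POSIX shell check (an added example, not code from the original post). It assumes only the directive names shown above (proto, port, port-share, remote) and a lighttpd socket string of the form address:port; the sample config it runs against is constructed inline.

```shell
#!/bin/sh
# Added example, not code from the original post: sanity-check the server side
# of the port-sharing set-up above. Only directive names shown on this page
# (proto, port, port-share, remote) are assumed.

# directive FILE NAME: print the first uncommented line whose first word is NAME.
directive() {
    sed -e 's/#.*//' "$1" | awk -v d="$2" '$1 == d { print; exit }'
}

# check_portshare CONFIG: print one line per problem found; return 0 if none.
check_portshare() {
    conf=$1
    rc=0
    proto=$(directive "$conf" proto | awk '{ print $2 }')
    port=$(directive "$conf" port | awk '{ print $2 }')
    set -- $(directive "$conf" port-share)
    ps_host=$2; ps_port=$3; ps_dir=$4
    # port-share only works when OpenVPN itself is the listening TCP server.
    [ "$proto" = tcp-server ] || { echo "proto must be tcp-server (got '${proto:-unset}')"; rc=1; }
    # 'remote' lines left over from the UDP config do not belong on a listening server.
    [ -z "$(directive "$conf" remote)" ] || { echo "remove leftover 'remote' directives"; rc=1; }
    # port-share needs a target host and port ...
    [ -n "$ps_host" ] && [ -n "$ps_port" ] || { echo "port-share needs host and port"; rc=1; }
    # ... and proxying to OpenVPN's own listen port would loop straight back into it.
    [ "$ps_port" != "${port:-1194}" ] || { echo "port-share port must differ from listen port"; rc=1; }
    # The optional proxy directory must be absolute (tmpfiles.d creates it at boot).
    case "${ps_dir:-/}" in /*) ;; *) echo "port-share dir must be an absolute path"; rc=1 ;; esac
    return $rc
}

# webserver_socket_ok SOCKET PS_PORT: a lighttpd $SERVER["socket"] value such as
# "127.0.0.1:9443" passes only if it binds loopback on the port-share port.
webserver_socket_ok() {
    host=${1%:*}; port=${1##*:}
    [ "$port" = "$2" ] || return 1
    case "$host" in 127.0.0.1|localhost|"[::1]") return 0 ;; *) return 1 ;; esac
}

# Constructed sample server config matching the set-up on this page.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
proto tcp-server
port 443
port-share localhost 9443 /var/run/openvpn/proxy
EOF
check_portshare "$SAMPLE" && webserver_socket_ok "127.0.0.1:9443" 9443 \
    && echo "port-share set-up is consistent"
rm -f "$SAMPLE"
```

A web server socket such as 0.0.0.0:9443 fails the check because it would be reachable directly, bypassing OpenVPN.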

That's it.
