GL-SFT1200 how to close port 443 (ShieldsUp!)

Shodan · May 14, 2022, 10:24am

I have noticed that after setting up OpenVPN client and connecting to a VPN service, I do a portscan with ShieldsUp over the VPN and get a warning that port 443 is open.

There is nothing I can see in any VPN settings, in the .ovpn config file, or firewall rules (not even in Luci).
How can I block this?

vvv · May 14, 2022, 10:58am

ShieldsUp! is scanning the IP address you’re visiting it from, that is: the outgoing IP from your VPN.

This is usually a shared IP, and if 443 is open it’s probably something at your VPN provider… though you can quickly figure it out by going to https://IPADDRESS in a browser.

wcs2228 · May 14, 2022, 5:07pm

If you have confirmed that TCP 443 should not be open, then you can add a WAN-to-LAN firewall rule to block (drop or reject) it via LuCI → Network → Firewall → Traffic Rules.

I do not work for and I do not have formal association with GL.iNet

vvv · May 15, 2022, 7:32am

Per default though all incoming ports are blocked, so if this was the case it was because OP has installed something or manually opened port 443.

The weird thing is that when I go to ShieldsUP! to test, it detects the VPN and refuses to run the test.

Shodan · May 15, 2022, 12:58pm

I think you are onto something here. I have tested Surfshark with other devices and they all respond to port 443 when running shieldsup from them. I have asked the, to explain why their vpn clients behave in this odd way.

wcs2228 · May 15, 2022, 3:58pm

On my GL.iNet routers, Port TCP 443 is not explicitly blocked in Traffic Rules. My network is not set up for me to test adding the WAN-to-LAN firewall rule and ShieldsUp does not detect any problem.

If Shodan can add the firewall rule as an override and something breaks, then that may show what is listening on that port.

I do not work for and I do not have formal association with GL.iNet

vvv · May 15, 2022, 4:17pm

No absolutely not explicitly, all ports are.

alzhao · May 16, 2022, 3:56am

How do you scan?

When vpn is connected you should see UI like this. If you do not enable “Access Local Network”, the firewall is closed on the VPN interface.

Pls note you cannot scan the VPN IP from your local machine, in my case is 10.8.3.5. When you scan locally you scan from the lan side which all ports are open.

Shodan · May 16, 2022, 10:09am

On a device connected via a VPN service to the Internet, you visit grc.com and their ShieldsUp Service. When you initiate a scan it is grc’s server that scans towards the IP where your browser is connecting from (they will indicate to you what IP you are connecting from).

alzhao · May 16, 2022, 10:27am

Then this is a scan of the vpn server’s config, right?