ECC port 5060?

Looking for assistance with a cryptostorm connection issue? Post here & we'll help out. Also: if you're not sure where to post, do so here & we'll move things around as needed. Also: for quickest support, email our oddly calm & easygoing support reps at :)
Posts: 8
Joined: Mon Jul 24, 2017 2:47 am

ECC port 5060?

Post by maltfield » Thu Jul 05, 2018 11:38 pm


Why do your ecc servers listen on port 5060 instead of 443?

I was just on a network the other day that had a very strict outgoing port whitelist. They only allowed traffic out on ports 21, 53, 80, 143, 443, 465, 587, 993, 1935, and 4070. Everything else was just dropped before it reached the Internet.

* ... tquiz-net/

In the network described above, I would have been effectively banned from cs's ecc servers. Indeed, many networks permit 5060 out, but I think we can all agree that far, far more would allow 443 out.

I imagine that's why the other cs configs use 443, which I've always appreciated.

* ... vpn#L7-L10

So why did you change to 5060 for the ecc configs? Is there any reason they can't change to use 443?

User avatar
Site Admin
Posts: 1262
Joined: Wed Feb 05, 2014 3:47 am

Re: ECC port 5060?

Post by parityboy » Fri Jul 06, 2018 10:22 pm


The non-ECC instances are already running on UDP/443 which helps to support clients which do not or cannot have the latest version of OpenVPN installed. Additionally, I do not know if OpenVPN can auto-negotiate between ECC and non-ECC ciphers.

Perhaps it can't?

User avatar
Site Admin
Posts: 472
Joined: Thu Jan 01, 1970 5:00 am

Re: ECC port 5060?

Post by df » Tue Oct 09, 2018 1:44 am

The ECC instances and the new Ed25519 and Ed448 instances use ports 5060, 5061, and 5062.
The reason for this was as parityboy said, the non-ECC instances are already using other ports.
Only way for us to offer ECC on other ports would be to buy twice (or rather, 3 times) as many IP addresses as we already have.

Scratch that.
OpenVPN can't, but other things might be able to.
Recently I've been playing with the iptables u32 extension and haproxy, and I think I figured out a way to do RSA & ECC on the same IP and the same port (u32 for UDP, haproxy for TCP).
After I do more tests to make sure this will actually work in all scenarios, when/if this gets implemented that'll mean people can use the RSA OR ECC configs to connect to any port between 1 and 29999 (30000-65535 will still be reserved for port forwarding).
Ed25519 & Ed448 will most likely still be limited to ports 5061 and 5062 though. But that's not that big of a deal since those two require OpenSSL 1.1.1, which most people don't have yet.

User avatar
Site Admin
Posts: 472
Joined: Thu Jan 01, 1970 5:00 am

Re: ECC port 5060?

Post by df » Sat Nov 10, 2018 9:30 pm

Yay! I was able to implement network-wide the thing I mentioned in the previous post.
So now ECC is no longer restricted to port 5060.
The range of ports that'll work now are:

RSA UDP = 1-29999
RSA TCP = 1-5060,5063-29999
ECC UDP = 1-5060,5063-29999
ECC TCP = 1-5060,5063-29999
Ed25519 is still 5061 only, and Ed448 is still 5062 only.

The current widget still has 5060 hard coded for ECC, so I'll release an updated version soon, and update the openvpn configs so ECC defaults to 443 instead of 5060, then I'll announce the whole thing on twitter and