ExpressVPN, by default, often utilizes UDP port 51820 for its OpenVPN configurations. However, situations arise where UDP is unreliable or blocked, necessitating a fallback. Secure Socket Tunneling Protocol (SSTP) offers a robust alternative, encapsulating VPN traffic within an HTTPS connection (typically TCP port 443). This document explores how to configure ExpressVPN to preferentially use UDP 51820, but seamlessly transition to SSTP when UDP is unavailable, enhancing reliability without sacrificing performance where UDP is viable. The key is in the OpenVPN client configuration.
The ExpressVPN OpenVPN configuration files (usually .ovpn files) need modification. You'll likely have separate .ovpn files for UDP and SSTP. The goal is to create a single configuration that attempts UDP 51820 first, then falls back to SSTP. This involves merging relevant parts of both configurations.
Primary UDP Configuration: Retain the original UDP .ovpn file as the primary. Ensure it contains a line like:
remote example.expressvpn.com 51820 udp
where example.expressvpn.com is the specific ExpressVPN server and 51820 is the UDP port.
SSTP Fallback: Add the SSTP configuration directives to the same .ovpn file after the UDP directives. Critically, use the remote directive again, but this time for the SSTP server and port (typically 443). Also, include directives specific to SSTP, such as proto tcp and tls-client. A minimal SSTP section might look like this:
remote example.expressvpn.com 443 tcp
proto tcp
tls-client
port 443
# http-proxy-option takes a type and a value; copy the values from your SSTP profile
http-proxy-option EXT1 <value-from-your-SSTP-profile>
http-proxy-option EXT2 <value-from-your-SSTP-profile>
Note: The http-proxy-option lines are often necessary for SSTP to function correctly, mimicking HTTPS traffic. Consult your ExpressVPN SSTP .ovpn file for the correct values. The server address (example.expressvpn.com) should ideally be the same as the UDP server for seamless transition.
client Directive: Ensure the .ovpn file contains the client directive near the top. This tells OpenVPN it's a client configuration (client is shorthand for tls-client plus pull, so the tls-client line in the SSTP section is redundant but harmless).
nobind Directive: Include nobind to allow the OpenVPN client to dynamically select a source port, which can improve connectivity.
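The merge described in the steps above can be done mechanically. The following is an added example, not code from the original page and not ExpressVPN's or OpenVPN's own tooling: it reads the two profiles, keeps the shared global directives once, and emits the UDP 51820 remote and the TCP 443 (SSTP) remote as ordered OpenVPN <connection> blocks, the profile syntax that lets each remote carry its own proto, port and http-proxy-option lines. The sample profiles, the X-Constructed-Header value and the certificate body are constructed placeholders, not real ExpressVPN files.

```python
"""Merge a UDP-51820 .ovpn and a TCP-443 (SSTP-style) .ovpn into one profile.
OpenVPN tries <connection> blocks in file order, so the UDP block comes first."""
import re
from typing import List, Tuple

# Directives OpenVPN accepts inside <connection> blocks (from the manual's
# connection-profile list); anything else stays global.
CONNECTION_DIRECTIVES = {
    "bind", "connect-retry", "connect-timeout", "explicit-exit-notify", "float",
    "fragment", "http-proxy", "http-proxy-option", "link-mtu", "local", "lport",
    "mssfix", "mtu-disc", "nobind", "port", "proto", "remote", "rport",
    "socks-proxy", "tun-mtu", "tun-mtu-extra",
}

Entry = Tuple[str, str]  # (directive name or inline tag name, text)


def parse_ovpn(text: str) -> List[Entry]:
    """Split a profile into entries; inline <ca>/<cert>/<key> blocks stay whole."""
    entries: List[Entry] = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line[0] in "#;":  # blank line or comment
            continue
        tag = re.fullmatch(r"<([\w-]+)>", line)
        if tag:  # inline block: copy verbatim up to its closing tag
            name, block = tag.group(1), [line]
            while i < len(lines) and lines[i].strip() != f"</{name}>":
                block.append(lines[i].rstrip())
                i += 1
            block.append(f"</{name}>")
            i += 1
            entries.append((name, "\n".join(block)))
        else:
            entries.append((line.split()[0], line))
    return entries


def split_profile(entries: List[Entry]) -> Tuple[List[Entry], List[str]]:
    """Separate global entries from the per-connection directive lines."""
    glob = [e for e in entries if e[0] not in CONNECTION_DIRECTIVES]
    conn = [text for name, text in entries if name in CONNECTION_DIRECTIVES]
    return glob, conn


def merge_profiles(udp_text: str, tcp_text: str) -> str:
    """Return one profile: shared globals, then the UDP block, then the TCP block."""
    udp_glob, udp_conn = split_profile(parse_ovpn(udp_text))
    tcp_glob, tcp_conn = split_profile(parse_ovpn(tcp_text))

    out: List[str] = []
    seen_lines, seen_tags = set(), set()
    for name, text in udp_glob + tcp_glob:  # UDP file wins on duplicates
        if "\n" in text:  # inline block: keep only the first per tag
            if name in seen_tags:
                continue
            seen_tags.add(name)
        elif text in seen_lines:
            continue
        seen_lines.add(text)
        out.append(text)
    if not any(name == "client" for name, _ in udp_glob + tcp_glob):
        out.insert(0, "client")  # the required client directive

    blocks = []
    for conn in (udp_conn, tcp_conn):
        if "nobind" not in conn:
            conn = conn + ["nobind"]  # dynamic source port in every block
        blocks.append("<connection>\n" + "\n".join(conn) + "\n</connection>")
    return "\n".join(out + blocks) + "\n"


def connection_order(profile: str) -> List[Tuple[str, str, str]]:
    """(host, port, proto) of each remote, in the order OpenVPN will try them."""
    order = []
    for block in re.findall(r"<connection>\n(.*?)\n</connection>", profile, re.S):
        lines = block.splitlines()
        block_proto = next((l.split()[1] for l in lines if l.startswith("proto ")), "udp")
        for line in lines:
            parts = line.split()
            if parts and parts[0] == "remote":
                port = parts[2] if len(parts) > 2 else "1194"  # OpenVPN default
                proto = parts[3] if len(parts) > 3 else block_proto
                order.append((parts[1], port, proto))
    return order


# Constructed sample profiles modelled on the page's directives (placeholder cert).
UDP_OVPN = """\
client
dev tun
proto udp
remote example.expressvpn.com 51820 udp
nobind
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
"""
TCP_OVPN = """\
client
dev tun
remote example.expressvpn.com 443 tcp
proto tcp
tls-client
port 443
http-proxy-option EXT1 "X-Constructed-Header: example"
http-proxy-option EXT2 "X-Constructed-Header: example"
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
"""

if __name__ == "__main__":
    print(merge_profiles(UDP_OVPN, TCP_OVPN), end="")
```

Redirect the output to a new .ovpn file; because OpenVPN walks the blocks in file order, the UDP 51820 block must stay first for the fallback order the page describes.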
When switching between UDP and SSTP, routing and DNS resolution should remain consistent. ExpressVPN usually pushes DNS settings via the VPN tunnel. Verify that the dhcp-option DNS directives are present in your .ovpn file, or that you have block-outside-dns (a Windows-only option) enabled in your OpenVPN client settings, to prevent DNS leaks. No specific routing changes are typically needed, as the VPN server handles routing. However, if you have custom routing rules, ensure they apply to the VPN interface regardless of whether UDP or SSTP is in use.
Your firewall must allow both outbound UDP traffic on port 51820 and outbound TCP traffic on port 443. If UDP 51820 is blocked, the OpenVPN client will attempt the SSTP connection once the UDP attempt times out, so expect a short delay rather than an instant switch; OpenVPN's connect-timeout directive bounds how long it waits on one remote before moving to the next. A restrictive firewall that only allows TCP 443 will force the SSTP connection. No special firewall rules are needed to facilitate the fallback; it's handled by the OpenVPN client based on connectivity.
After configuring the combined UDP/SSTP .ovpn file, test the connection. Use a network monitoring tool (e.g., tcpdump, Wireshark) to observe the traffic. Initially, you should see UDP packets on port 51820. If these fail (due to blocking or network issues), the client should automatically switch to TCP port 443 (SSTP). The OpenVPN client logs are crucial for troubleshooting. Look for messages indicating connection attempts to both UDP 51820 and TCP 443. Common issues include incorrect server addresses, firewall restrictions, or misconfigured SSTP options. Verify the ExpressVPN credentials are correct in both UDP and SSTP configurations.
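To make the log check above repeatable, here is an added example (not from the original page, and not an ExpressVPN or OpenVPN tool) that reduces an OpenVPN client log to transport events and reports which remote the tunnel actually came up on, whether a UDP-to-TCP fallback happened, and whether any attempt went to a port other than 51820 or 443 (the usual sign of a stray remote or port line). The two sample logs are constructed, modelled on OpenVPN's client message formats, with documentation addresses.

```python
"""Classify OpenVPN client log lines to confirm which transport the tunnel used."""
import re
from typing import List, Optional, Tuple

# Constructed sample log: the UDP attempt times out, the TCP 443 fallback completes.
SAMPLE_LOG_FALLBACK = """\
2024-05-01 10:00:00 TCP/UDP: Preserving recently used remote address: [AF_INET]198.51.100.7:51820
2024-05-01 10:00:00 UDP link remote: [AF_INET]198.51.100.7:51820
2024-05-01 10:01:00 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2024-05-01 10:01:00 TLS Error: TLS handshake failed
2024-05-01 10:01:00 SIGUSR1[soft,tls-error] received, process restarting
2024-05-01 10:01:05 Attempting to establish TCP connection with [AF_INET]198.51.100.7:443
2024-05-01 10:01:05 TCP connection established with [AF_INET]198.51.100.7:443
2024-05-01 10:01:06 TCP_CLIENT link remote: [AF_INET]198.51.100.7:443
2024-05-01 10:01:08 Initialization Sequence Completed
"""

# Constructed sample log: UDP 51820 works on the first try.
SAMPLE_LOG_UDP_OK = """\
2024-05-01 11:00:00 UDP link remote: [AF_INET]198.51.100.7:51820
2024-05-01 11:00:03 Initialization Sequence Completed
"""

# "UDP link remote:" / "TCP_CLIENT link remote:" (older builds: UDPv4/TCPv4_CLIENT)
LINK = re.compile(r"(UDP|UDPv4|TCP_CLIENT|TCPv4_CLIENT) link remote: \[AF_INET\]([\d.]+):(\d+)")

Event = Tuple[str, str, str]  # (kind, proto, detail)


def transport_events(log: str) -> List[Event]:
    """Reduce a client log to ('attempt', proto, host:port), ('failed', '', msg)
    and ('up', '', '') events, in log order."""
    events: List[Event] = []
    for line in log.splitlines():
        m = LINK.search(line)
        if m:
            proto = "udp" if m.group(1).startswith("UDP") else "tcp"
            events.append(("attempt", proto, f"{m.group(2)}:{m.group(3)}"))
        elif "TLS Error" in line or "process restarting" in line:
            events.append(("failed", "", line.split(" ", 2)[-1]))  # drop timestamp
        elif "Initialization Sequence Completed" in line:
            events.append(("up", "", ""))
    return events


def final_transport(log: str) -> Optional[Tuple[str, str]]:
    """(proto, host:port) of the attempt that reached 'Initialization Sequence
    Completed', or None if the tunnel never came up."""
    current = None
    for kind, proto, detail in transport_events(log):
        if kind == "attempt":
            current = (proto, detail)
        elif kind == "up":
            return current
    return None


def fell_back_to_tcp(log: str) -> bool:
    """True when a UDP attempt was logged and the tunnel finally came up over TCP."""
    attempted = [proto for kind, proto, _ in transport_events(log) if kind == "attempt"]
    final = final_transport(log)
    return final is not None and final[0] == "tcp" and "udp" in attempted


def unexpected_attempts(log: str, allowed=frozenset({("udp", "51820"), ("tcp", "443")})) -> List[Tuple[str, str]]:
    """Attempts whose (proto, port) is not in the expected set for this profile."""
    bad = []
    for kind, proto, detail in transport_events(log):
        if kind == "attempt" and (proto, detail.rsplit(":", 1)[1]) not in allowed:
            bad.append((proto, detail))
    return bad


if __name__ == "__main__":
    for name, log in (("fallback", SAMPLE_LOG_FALLBACK), ("udp-ok", SAMPLE_LOG_UDP_OK)):
        print(name, final_transport(log), "fallback:", fell_back_to_tcp(log),
              "unexpected:", unexpected_attempts(log))
```

Feed it the client's log file (the path is set by the log or log-append directive, or by how the service was started); a tcpdump capture filter of 'udp port 51820 or tcp port 443' on the same host shows the corresponding packets.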