this post was submitted on 09 Apr 2024
228 points (95.2% liked)

Asklemmy

It's the one thing when I'm configuring things that makes me wince because I know it will give me the business, and I know it shouldn't, but it does, every time. I have no real idea what I'm doing, what it is, how it works, so of course I'm blindly following instructions like a monkey at a typewriter.

Please guide me into enlightenment.

(page 2) 16 comments
[–] Brkdncr@lemmy.world 1 points 1 year ago

If an IP address is like a building address for a mall, ports are like suite numbers of the different businesses inside the mall.

There are a few types of ports, but mostly you deal with tcp and udp. Tcp ports create a connection, udp is connectionless.

[–] WolfLink@lemmy.ml 7 points 1 year ago

The port is used by the destination computer to decide what program should process the request.

Any program on your computer that needs to be open to being contacted by another computer over the network needs to be assigned to a port. When the remote computer wants to contact that program, the IP address is used by intermediate networking computers to forward the message, and the port is used by your computer to pass the message to the right program. Blocking a port will prevent the program assigned to it from being contacted by other computers.

Some ports are traditionally assigned to some common programs. When you go to a website via http in a browser, it uses port 80 if you don’t specify. If you use https, it uses port 443. SSH uses port 22 by default. You can host an ssh server or http website on a different port, those are just the common conventions. If an http website is hosted on a port other than 80, the user will need to specify the port number in the browser as part of the url.

VPNs are usually not so much about ports, more about IP addresses. When your computer wants to contact another computer, it normally sends the request to the router, and that router forwards that request either to another computer on LAN or to the ISP, and that ISP forwards the request and so on… based on the IP address. If you are using a VPN, that VPN will override certain IP addresses. When a message would be sent to one of those IP addresses, instead it gets packaged and sent to the IP address specified in the VPN config, and the computer on the other side of the VPN decides where to send the message from there. The router sends the packaged message to the VPN computer, but doesn't get to know what the IP of the packaged message is (by packaged I mean encrypted, and with some metadata).

Where VPNs and Ports end up being relevant is probably in relation to port forwarding. Normally your computer can make requests to the internet, but can’t be contacted by the internet. This is because your entire LAN shares a public (WAN) IP address, and the router is the device that receives all messages to that IP address. Normally the router discards such incoming messages, but if you set up port forwarding, the router will forward messages for a certain port to a certain computer on the LAN.

A VPN can allow your computer to receive incoming requests without opening a port on the router. When a request meeting requirements specified in the VPN config is received by the computer on one side of the VPN, it will be forwarded to the computer on the other side of the VPN. For a public VPN (the kind you would pay for that are typically advertised as a privacy tool or a way to get around Netflix geofencing), you can sometimes configure port forwarding, meaning any request sent to that port on the VPN’s server will get forwarded to your computer connecting to the VPN (typically to the same port, so what happens to that request is up to you to configure a program to be assigned to that port).

The other way a VPN can be used for that kind of contact is when it maps all requests to any port on a set of IP addresses. This is typically how office VPNs are configured, as it lets a remote user access things on the office network as if that user was in the office.

Note that a VPN is itself a pair of programs communicating with each other like any other program, so typically setting up a VPN requires one of the computers to be exposed to the internet (or at least have ports set up for that). For a public paid VPN the VPN’s servers will be exposed to the internet, and for a corporate VPN the corporate servers will be closed, such that the client doesn’t have to.

Some common VPN software (e.g. WireGuard) is free and open source and can be configured in a lot of different ways! These two common use cases are just the most common ways to configure VPNs, but if you have some creative use case, there’s a lot you could do with it.
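The "office VPN" shape described in that comment (remote user reaches a set of office addresses, everything else stays on the normal route), written out as a WireGuard configuration pair. This is an added example, not configuration from the post or from the WireGuard project; the key strings, the `10.8.0.0/24` tunnel addresses, the `10.0.0.0/24` office subnet and `vpn.example.com` are placeholders you would replace with your own.

```ini
# ---- server (the one machine that has to be reachable from the Internet) ----
# Only UDP 51820 needs to be open or forwarded to this host; nothing else
# on the office network is exposed.
[Interface]
# placeholder: output of `wg genkey` on the server
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
Address = 10.8.0.1/24
ListenPort = 51820

[Peer]
# placeholder: the client's public key (`wg pubkey` from its private key)
PublicKey = CLIENT_PUBLIC_KEY_PLACEHOLDER
# the server will only accept packets from this peer that carry this
# source address, and will only send it packets for this address
AllowedIPs = 10.8.0.2/32

# ---- client (laptop at home) ----
[Interface]
# placeholder: output of `wg genkey` on the laptop
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 10.8.0.2/32

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
# placeholder hostname; this is the one public IP:port the whole setup depends on
Endpoint = vpn.example.com:51820
# Split tunnel: only traffic for the office subnet (and the tunnel itself)
# goes through the VPN. Replace with 0.0.0.0/0 to send *all* traffic
# through it, which is the "paid privacy VPN" style of use.
AllowedIPs = 10.8.0.0/24, 10.0.0.0/24
# keeps the NAT mapping on the home router alive so the server can
# still reach the laptop between bursts of traffic
PersistentKeepalive = 25
```

Two practical notes. `AllowedIPs` on the client is what decides which destination addresses get "overridden" into the tunnel, which is the behaviour WolfLink describes; on the server side it doubles as an access-control list for which source addresses a peer may use. For the laptop to actually reach `10.0.0.0/24` the server also has to forward packets between the tunnel interface and the office LAN (IP forwarding plus a firewall/NAT rule), which is outside this fragment.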

[–] theparadox@lemmy.world 2 points 1 year ago* (last edited 1 year ago) (1 children)

It would really help to know what concepts you are already familiar with and feel like you understand. Edit: it would also be helpful to know what you are trying to do that has you working with ports or using a VPN. There are countless situations where ports and VPNs are involved. /Edit Lacking that, I'm going to cover a lot of basic concepts. I'm assuming typical/common situations; as always, it can be different and more complicated. Wall of text incoming.

Typical basic networks are a collection of devices that are able to communicate with each other through some medium like a wired network or WiFi. Each device in a network will have an IP address (a set of four numbers between 1 and 254 divided by periods, for example: 192.168.1.100). For one device to send a message to another device, it addresses the message to the device using its IP address. This is like sending a letter in the mail - you need to mark the letter with the street address or it won't be delivered.

Now sticking with this analogy, if I wanted to send you a letter and you lived in a hotel or apartment complex without a dedicated address just for you, I need to make sure to address the letter not just to your building but also to you specifically. This is where ports come in. If I want to join your Minecraft server, I need to be able to reach your computer specifically and I also need to make sure my Minecraft game is talking to your Minecraft server and not your web browser or something. Software listens for specific ports. So to join a Minecraft server hosted on your computer with the address 192.168.1.100 I'd need to also specify the port so that the Minecraft server software knows my messages are for it specifically.

That's the ELI5 version.

Stepping up the complexity now. In most cases, joining someone's Minecraft server is more complicated because I'm on my home network, and my router is connected to the internet, and through the internet I connect to your router and then from your router I need to connect to your computer. The way this works is that each of our routers is on two different networks - our home network and the Internet.

Most home networks will look very similar. There are ranges of addresses that are reserved for local (non-internet) network devices, such as my example IP address - 192.168.1.100. It is possible that each of our networks (and countless other home networks) has a device with this IP address, so I can't just send a message to 192.168.1.100 and have it get to your network's 192.168.1.100 address. Fortunately, routers act as middlemen and coordinate communication between devices inside our network and devices on the internet. Think of the router as a fancy doorman outside the hotel or apartment who knows what room everyone living there is staying in.

Unfortunately, it is often the case that my computer will not know the IP address of your computer within your network. You can work around this by using port forwarding. I write "Minecraft" on the letter and you instruct your doorman that any letter with "Minecraft" written on it should be delivered to your Minecraft server. In reality, you'd forward any traffic from the internet with a specific port number directly to your Minecraft server computer. The computer running the server is already "listening" for traffic on that port and will take it from there.

Now for more complicated stuff. Technically, ports are rather arbitrary. Some ports are standardized. As someone else had mentioned, port 80 is the standard for HTTP and 443 is standard for HTTPS (encrypted). However, nothing is stopping you from hosting a webserver on a server using a different port, like port 12345. Your web browser will assume port 80 and the webserver will ignore your web browser until you tell your browser to use port 12345. It is also possible for multiple services or pieces of software to have the same port, which causes problems. I have a server on my home network and multiple services that display a web page (port 80 or 443). They can't all use the same port, so I have to work around this by either using different ports or assigning each a different IP address.

So what does "opening" a port mean? Well, as you might imagine there are many pieces of software and many services running on devices in your home network. As a security precaution, many routers will block or ignore any traffic on the internet that tries to talk to it in a way it is not expecting. You don't want randos trying to connect to your computer through the internet and your router.

Unblocking or opening a port could be something like forwarding a port to a device on your network. Technically, this would involve finding a "Port Forwarding" setting on your router. Here, you would indicate any traffic with port 25565 (the default Minecraft server port) should be directed to your server at address 192.168.1.100. Now your doorman will always deliver every letter with "Minecraft" written on it to your Minecraft server. Be aware that even if you aren't running the server software, every letter like that will continue to be directed to your server. If there is a security flaw in Minecraft, this could technically be something someone could exploit.

Similar to your router, Windows (the operating system) will also block/ignore traffic that it isn't expecting as a security precaution. Opening a port might mean creating a rule in your firewall settings to let traffic from certain ports into your computer. If Windows is ignoring any letters it doesn't recognize, my Minecraft letters still won't reach your Minecraft server even if it is clearly addressed to it. Windows may also be blocking traffic from leaving your computer if it does not have a firewall rule telling it otherwise, so it's possible the server got my letter, but Windows blocked the reply so I'm left hanging.

A VPN is a Virtual Private Network. This term can mean a few different scenarios but what they all have in common is that it creates a hole into your network, bypassing the router (maybe both routers). It is sometimes called a tunnel, which is a pretty good metaphor. Basically, you are running a virtual network cable through the internet from one computer or network to another. Through this virtual network, devices will be able to see and interact with each other as if they were on the same network.

Real life example. I manage a few servers where I work. If I need to log into those servers from home I cannot do this. It would be extremely dangerous to just let anyone on the internet have access to the server's login screen. So instead, I use a VPN. Now my home computer is virtually connected to my work's internal network - as if I'd brought my personal laptop into work and plugged it into the network jack next to my workstation in my office. I can use the same software I'd use at work to log into my servers without having those servers directly exposed to the internet. I am limited by my home internet speeds but it is otherwise almost identical.

Similarly, we could install VPN software on our two computers and I could then join your Minecraft server directly, bypassing your router, as if we were both on your home network.

Like I said, there are quite a few ways to do this and I've heard many of the ways referred to as either a VPN or a tunnel. More context could get you a better answer.

Generally, opening ports is a security risk. This is especially true when opening more common ports or ports that get a lot of use. More common, standard ports will be more likely to get attacked and ports that get a lot of use will be more likely to be targets of exploits. It really depends on your scenario. Imagine that, if someone wanted, they could likely figure out what port you've opened and what is listening for that port on your home network. They might try to brute force a password or take advantage of the software's security flaws.

Forwarding a randomly chosen port so a friend can join your Minecraft server? Not so risky. Opening port 22 so you can log into your home computer while you are away from home? Much riskier. Using an atypical port for remote access is still risky as, like I said, you have to assume that if someone really wanted to, they could figure out that remote access is running on port 17426 or whatever random number you may have chosen.
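The last point of that comment, that a service moved to "port 17426 or whatever random number" is still trivially found, can be shown with a few lines of Python. This is an added example, not code from the post: it starts a few throwaway listeners on randomly chosen ports on 127.0.0.1 (the constructed "hidden" services), then does the simplest possible TCP connect scan across that port range and lists every port that accepted a connection. The range 40000-40999 is an arbitrary choice to keep the demo quick; a real scan walks 1-65535 and the only difference is time.

```python
"""Added example: a minimal TCP connect scan, to show that an unusual port
number does not hide a listening service. Everything here is constructed
for the demonstration; no real host is contacted."""
import random
import socket
from concurrent.futures import ThreadPoolExecutor

HOST = "127.0.0.1"


def start_listener(host: str, low: int, high: int, attempts: int = 50) -> socket.socket:
    """Bind a listening TCP socket on a random port in [low, high].
    This stands in for 'remote access on some random port' from the comment."""
    for _ in range(attempts):
        port = random.randint(low, high)
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            s.bind((host, port))
        except OSError:          # that port is already taken; try another one
            s.close()
            continue
        s.listen(16)
        return s
    raise RuntimeError("could not find a free port in range")


def probe(host: str, port: int, timeout: float = 0.2) -> bool:
    """True if something on host:port accepts a TCP connection.
    A closed port answers with a reset, so the probe fails immediately;
    a filtered (firewalled) port usually just times out."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        return s.connect_ex((host, port)) == 0
    finally:
        s.close()


def connect_scan(host: str, ports, timeout: float = 0.2, workers: int = 64) -> list:
    """Probe every port in `ports` concurrently; return the sorted list that accepted."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda p: (p, probe(host, p, timeout)), ports)
        return sorted(p for p, is_open in results if is_open)


def demo(low: int = 40000, high: int = 40999, n_hidden: int = 3):
    """Hide n_hidden listeners somewhere in [low, high], then scan the whole
    range. Returns (ports we hid, ports the scan found)."""
    listeners = [start_listener(HOST, low, high) for _ in range(n_hidden)]
    hidden = sorted(s.getsockname()[1] for s in listeners)
    try:
        found = connect_scan(HOST, range(low, high + 1))
    finally:
        for s in listeners:
            s.close()
    return hidden, found


if __name__ == "__main__":
    hidden, found = demo()
    print("hidden on ports:", hidden)
    print("scan found:     ", found)
```

Every port we "hid" shows up in the scan output (other services already listening on the machine may show up too, which is exactly what an attacker sees). The takeaway matches the comment: an unusual port buys you less log noise from mass scanners, not protection; the service behind it still needs strong authentication and patching.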

[–] Vent@lemm.ee 3 points 1 year ago

All these answers read like they're written for comp sci students rather than a general audience. Let me give an ELI5 (more like ELI12) a shot.

Ports are just numbers. They aren't physical pathways or doors or windows or anything like that. A better analogy is a street address, like an apartment number. Your IP address identifies your computer (apartment building), and the port identifies the program on the computer (the apartment). When a program needs to talk to the internet, which is very similar to sending a letter, it hands a packet/letter to your computer and your computer assigns the program a port number. It then puts that number on the return address of the letter so that the recipient knows where to send the response. The computer remembers that port number is associated with that program, so when it gets an incoming letter with that number, it gives it to the program. After the program is done talking to the internet, the computer frees the port up to be used by another program.

Ports are "closed" when there is no program associated with them. Any incoming letters are ignored because they have nowhere to go.

Ports are "open" when they're associated with a program. This happens automatically when programs send outgoing letters, or you can manually open (or "forward") ports by telling your computer/router what the port should be associated with and that it shouldn't use the port for something else.

ELI5 over.

The internet is networks on top of networks on top of networks, so your computer will have an IP and assign a port number, then your router will remember that and change the address on the letter to its own IP with a different port number, then that process repeats a few more times until eventually it reaches its destination. You don't have to deal much with your computer's internal network, but occasionally you have to deal with your router's by opening/forwarding a port because it has a NAT that has to deal with all of the devices on your network. Forwarding the port just tells your router to always send incoming letters with that port number to a specific device.
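The ideas in the two comments above (a program "listens" on a port, the computer hands the client a source port of its own, a port with no program behind it is "closed", and two programs cannot share the same port on the same address) all map directly onto socket calls. The following Python is an added example, not code from either commenter: it opens a listener on an OS-chosen port on 127.0.0.1, connects to it, records what both sides see, then shows the two failure modes. All addresses and the `b"ping"`/`b"pong"` payload are constructed for the demo.

```python
"""Added example: what 'listening', 'open' and 'closed' mean at the socket level."""
import errno
import socket
import threading

HOST = "127.0.0.1"
EADDRINUSE = errno.EADDRINUSE   # the error you get for 'port already taken'


def open_port(host: str = HOST, port: int = 0) -> socket.socket:
    """bind + listen: this is a program 'opening' a port.
    port=0 lets the OS pick any free port, the way it does for clients."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, port))
    s.listen(5)
    return s


def serve_once(server: socket.socket, reply: bytes):
    """Accept a single connection, answer it, and return the client's (ip, port).
    The port in that tuple is the client's ephemeral source port."""
    conn, peer = server.accept()
    with conn:
        conn.recv(1024)
        conn.sendall(reply)
    return peer


def talk_to(host: str, port: int, payload: bytes = b"ping"):
    """Connect as a client. Returns the server's reply and the source port the
    OS assigned to us; the server uses that number to route its reply back."""
    with socket.create_connection((host, port), timeout=2) as c:
        src_port = c.getsockname()[1]
        c.sendall(payload)
        return c.recv(1024), src_port


def try_bind(host: str, port: int):
    """Try to claim a port a second time. Returns None on success, else the errno."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((host, port))
        return None
    except OSError as e:
        return e.errno
    finally:
        s.close()


def demo() -> dict:
    server = open_port()
    port = server.getsockname()[1]
    seen = {}
    # run the server's accept() in a thread so the client can connect from here
    t = threading.Thread(target=lambda: seen.update(peer=serve_once(server, b"pong")))
    t.start()
    reply, src_port = talk_to(HOST, port)
    t.join()
    seen.update(port=port, reply=reply, client_src_port=src_port)

    # 1) the same address:port cannot have two listeners ('they can't all use the same port')
    seen["second_bind_errno"] = try_bind(HOST, port)

    # 2) close the listener: nothing is associated with the port any more, so it is 'closed'
    server.close()
    try:
        talk_to(HOST, port)
        seen["after_close"] = "connected"
    except ConnectionRefusedError:
        seen["after_close"] = "refused"
    return seen


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>18}: {v}")
```

Note what the server sees in `peer`: the client's IP plus a high-numbered port it never asked for. That is the per-connection source port Vent and Tylerdurdon describe, and it is also the number a home router rewrites when it does NAT, which is why outgoing connections work without any port forwarding while incoming ones need it.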

[–] Tylerdurdon@lemmy.world 1 points 1 year ago

You have servers that provide some kind of resource or service, and clients that use those resources or services (will just say resource from now on).

Servers provide that resource using a port so clients will come ask for it using that port.

Sometimes servers can do multiple things, so they will provide multiple resources...maybe a web server hosting a web page is also an email server that can receive and send email too. They do those things using different ports to distinguish the kind of request it's getting.

On the client side, clients use source ports to distinguish which app asked for a resource. Think of your browser having 20 tabs open, each has its own source port so your computer never gets confused which page goes to which tab.

I'm skipping a lot of things (ports flipping for replies, well known, etc), but that's the basics.

[–] 520@kbin.social 97 points 1 year ago* (last edited 1 year ago) (17 children)

Imagine your computer is a big block of flats and your applications are all people who live in the building.

Mail sent to the building address alone isn't going to reach the intended recipient, because the postman doesn't know what flat to post it to. So they need additional information such as 'Flat 2C'.

That's the basic concept of ports. It's basically additional addressing information to allow your computer to direct internet traffic to the correct applications.

When an application is actively listening on a port, it means that they are keeping an eye out for messages addressed to them, as designated by the port number. While an application is sending or receiving messages using a given port number, that port number is considered 'open'.

Now, all sorts of applications do all sorts of things. Some are for the public to use and there are some that are useful within trusted circles, but can be abused by malicious people if anyone in the world can send messages to it. Thus, we have a firewall, which acts as a gatekeeper. A firewall can 'block' a port, denying access to a given group of people, or 'unblock' it, allowing access.

VPNs are a totally different thing. They are literally middlemen for your internet traffic. Instead of directly posting a message to somewhere and receiving a direct reply back, imagine you flew out to Italy to use a post box there and receive replies from there.

[–] promitheas@iusearchlinux.fyi 35 points 1 year ago (1 children)

To add to your analogy if I may, the firewall is kind of like a security guard or doorman at the building entrance. All mail has to go through him first and if something is addressed to a closed flat (port) he simply doesn't let it get delivered.

[–] Dagamant@lemmy.world 21 points 1 year ago

That's a lot of information to ask for so I'll try to be very basic. A port is like a window with a guy on the other side. If you speak the same language as the guy you can have a conversation.

There are 65535 windows available. The open ones have guys available for conversations, the closed ones don't.

When you open a port on your computer you should have a program that "listens" at that port so that others can use it to have a conversation.

A VPN takes all of the conversations your computer wants to have and sends them to a port on a server, and the program listening to that conversation sends your requests to their intended destination and then sends you the result. It's like using a middleman to have a conversation.

[–] Unmapped@lemmy.ml 3 points 1 year ago* (last edited 1 year ago) (1 children)
[–] Daxter101@lemmy.blahaj.zone 2 points 1 year ago

I mean, you're not wrong. Just a bit of an asshole.

[–] FederatedSaint@lemmy.world 30 points 1 year ago (2 children)

Just think of your computer or server as a huge building with thousands of doors. Most are closed, but you purposely open a few to allow traffic in and/or out of. Those that are open are only open for a specific purpose and will only lead in or out of a specific place in the building.
