What is port forwarding and how safe is it?

Port forwarding lets someone on the internet connect to a specific device or app on your home network. Think of it as opening a clearly marked door to something running on your computer, like a Minecraft server, security camera, remote desktop tool, or small website. It can be very useful, but it also needs care. If the wrong port is open or the service is not secure, others could try to access your device.

In this guide, I’ll explain what port forwarding is, how it works, when you might need it, what risks to watch for, and how to fix common setup issues.

How to use port forwarding safely

1. Use strong passwords and latest security updates
2. Take necessary computer security precautions
3. Make sure your security firewall is on
4. Use a secure VPN connection – I recommend ExpressVPN

How does port forwarding work?

Ports are how computers distinguish between multiple services listening on one computer. Using ports lets a device run a myriad of different processes and services. Each service has its own port – for example, email servers usually use port 587 while websites use port 80.

In total, there are more than 65,000 different ports, but only about 1,000 are used regularly. The others can be used by the apps of your choice, which often requires port forwarding – the process of routing incoming traffic from a specific port to a specific device on your network.

To fully understand it, you should also know that, thanks to NAT (network address translation), all the internal devices share the same external IP address.

So, let’s use a little allegory to explain how port forwarding works. You can think of ports as doors to a house: your computer is at 1234 Daisy Lane, and it has about 65,000 doors. If port 22, used for the SSH remote access protocol, is listening, imagine that door 22 on 1234 Daisy Lane is unlocked.

The trouble with NAT is that it provides different addresses internally and externally. To continue the house analogy, imagine that the outside world could only send visitors to Daisy Lane, not specific houses within the neighborhood. If a visitor asks for door 22 on Daisy Lane, the gatekeeper (representing NAT on the router) won’t know which house to send them to.

This is where port forwarding comes in. When you set a few router (or other default gateway) settings, it will be able to send inbound connections to the right computer within the network.

Types of port forwarding

There are several types of port forwarding, with each of them serving different purposes. Local and remote port forwarding uses the TCP port 22 or SSH tunneling:

• Local port forwarding. This type of port forwarding is used when you want to use your LAN device to get data from a destination that you don’t have access to, but a device in the middle, or an intermediate, has. This allows for data to be pulled from the remote destination to your local device.
• Remote port forwarding. This type of port forwarding allows your device to be visible to other remote devices or on the internet. In this case, data is being pushed from your device to the remote destination server and then back to the source port and to your device. With remote forwarding, anyone on the internet or a remote device can get access to your device.
• Dynamic port forwarding. Dynamic port forwarding is virtually an extension of local port forwarding. The difference is that any program from your LAN device can use the SSH tunnel and access any remote destination port by using only one port on your side. Dynamic port forwarding works by creating a proxy of sorts.

What is port forwarding used for?

From the sound of it, port forwarding might seem like it’s in the purview of IT professionals and programmers. While those kinds of people are certainly heavy users of port forwarding, it’s useful for a far wider range of the computer-using population.

Here are some of the most common uses for port forwarding:

• Hosting game servers for multiplayer gaming accessible from outside your home network.
• Running remote desktop protocols for accessing your computer remotely.
• Permitting file transfers from your computer to the outside world or external networks.
• Running a publicly accessible website from your home computer.
• Using torrent applications to quickly download files.
• Hosting your own VPN server that allows you to access your home network from afar.

While many of these tasks can be accomplished without the help of port forwarding, it’s often the easiest solution.

Is port forwarding safe?

Port forwarding inherently gives people outside of your network more access to your computer. Giving access or accessing unsafe ports can be risky, as threat actors and other people with malicious intent can then easily get full control of your device.

Can you get hacked through port forwarding? Yes. If you take security precautions, such as using a firewall or a VPN for the port forwarding process, is it likely? Not really.

More than anything, responsibly using port forwarding requires care and diligence. The following general tips will make sure that you stay safe:

• Use strong passwords. If you’re running a remote access connection, your computer is only as secure as the password you set. Malicious hackers try multiple passwords every second on every machine connected directly to the internet. If possible, eliminate this weakness altogether by using key-based authentication (supported by some protocols like SSH tunnels).
• Update your devices quickly. Vulnerabilities are constantly discovered and fixed in operating systems and other software. If you put off updating your computer, there might be a bug that a malicious hacker can use to defeat your security and gain access to your computer.
• Don’t expose more than you need. Once you learn how to use port forwarding, you might want to use it with all sorts of devices and services. This is a bad idea. As you expose more surface, the odds of a successful cyberattack against your computer increase.
• Disable port forwards you no longer use. Every open port acts as an exposed entry point for bots and malicious hackers on the internet to exploit. When you disable unused port forwards, you instantly shrink your attack surface, which keeps your network safer.

Dangers of port forwarding

Even though using port forwarding with a VPN greatly reduces the risk of getting hacked, you should still be aware of the possible dangers. Let’s look at some more specific hypothetical scenarios where port forwarding can be risky:

1. You port forward access to a video game. For convenience, you don’t set a password, thinking that malicious hackers will never guess your IP address. Your friends can join your game with ease, but so can bad actors.

• Just like how malicious hackers test passwords to internet-accessible services multiple times per second, they also automatically attack open protocols like games on every internet-connected device.
• Set a strong password and keep your device updated to prevent this issue.

2. You secure your game with a password but don’t update the game or device. A security issue is discovered in the game, allowing anyone who exploits the bug to hack your computer.

• Apply security updates in a timely manner to avoid this problem.

3. You forward a port to use a torrenting application. Even though you think you’re using an anonymizing solution like a VPN, data is accidentally uploaded through your real IP address. If you’re downloading copyrighted material, you could be in trouble.

• Always verify that your software is configured correctly. Don’t assume that your traffic is anonymous just because you use a VPN or Tor.

How to open ports on a router

Because port forwarding involves changing settings on your router, the exact process will depend on your router model. However, the process usually takes the same form regardless of who made your router.

In this guide, I’ll use screenshots from a common TP-Link router.

Step 1. Find your router’s configuration page

Every router makes its settings accessible through some kind of a configuration interface. For most routers, you can change settings with a website accessed through a special IP address.

Internal networks use IP addresses that follow the form of 10.X.X.X or 192.168.X.X. The 172.16.X.X subnet is less common but also possible.

Your router’s configuration page will likely be at the first IP address in its range. To figure out what this address is, first look in your computer’s networking settings to figure out what IP prefix you use. Depending on your computer’s operating system, this setting will be in a different place.

Next, go to your router’s IP address in a web browser. On the TP-Link router used in these examples, you’ll be greeted by a login page.

If you see something similar, congratulations! You successfully found your configuration page.

Step 2. Log in

Now that you’re at the login page, you might not remember your username and password. If you don’t remember setting one in the first place, it’s probably still set to the default. You can find it printed on a sticker on your router device.

Step 3. Find the port forwarding option

On my router, Port Forwarding is hidden in the Advanced menu. If you can’t find it, continue looking through the menus.

In the case of some routers, you might not be able to change port forwarding settings directly from the router’s configuration page. Follow its instructions and visit the settings website it directs you to.

Step 4. Add the port forward

Now that you’ve found the option, it’s time to add the port forward.

This screen appears similar on nearly every router. First, select a device or IP address to use as the destination. This is the device that runs the software you want to forward.

Next, choose a common service to forward or manually input a port. Most ports for common services are easy to find today, so all you have to do is look up the port number for your specific application.

If you want to forward an entire range of ports or add multiple ports to the forwarding list, you can do this here.

Step 5. Test out your program

To adequately test whether your port forwarding was successful, you’ll need to use a device outside your local network. Follow the instructions listed later in this article to test out your port forward.

We’ll look at common problems and solutions in more detail later on.

How to open ports on a VPN

Many VPN services allow you to open ports on the VPN's endpoint IP address rather than your computer's actual IP address. While this method protects your privacy by hiding your home IP address, it doesn’t eliminate the security risks that come with port forwarding.

Because the VPN simply passes incoming traffic through the encrypted tunnel directly to your device, any malicious traffic or malware sent to that open VPN port will still reach your computer. So VPN port forwarding is a tool for privacy and bypassing network restrictions, not a security shield against cyberattacks.

Compared to forwarding ports on a hardware router, doing the same on a VPN is relatively simple. However, not every VPN provider supports port forwarding, so do your research before purchasing a VPN. Also, since the process of forwarding ports differs for every VPN provider, look for specific instructions on its website.

Common problems with port forwarding

While port forwarding works most of the time, it can fail on occasion. Whether the root issue is user error or something with the software, port forwarding issues can be difficult to diagnose.

Here are a few of the most common issues that can occur with port forwarding:

• “Connection refused” errors as if you are not using port forwarding at all.
• Constant invalid password warnings from remote desktop software.

How to test port forwarding

Before you can figure out the cause of any issues, it’s important to have a reliable testing process. To effectively test a port forwarding setup from the comfort of your home, you’ll need the following hardware and software:

• A desktop or laptop computer used to host the application being port-forwarded.
• An additional computer to use as a client. This computer must have the client software installed for the application you’re testing.
• A smartphone with tethering or a secondary internet connection.

Using Minecraft as an example, here’s how to test that your port forwarding worked:

1. From the server machine, start the Minecraft server and verify that it is running on the port you selected.
2. Connect the client machine to your smartphone or secondary internet connection. This connection must have a different external IP address.
3. Open the Minecraft game on your client machine and connect to the first computer’s external IP and port.
4. Verify that the connection works and the game loads. Don’t worry about speed; if you’re using cellular internet on the client, it won’t be fast even if you did everything correctly.

You can also check your port by using this online open port testing tool.

Troubleshooting connection refused errors

If you continue to see connection refusals, here are some troubleshooting ideas:

• Make sure that you’re connecting to the right IP address. Find your external IP address from the device you want to connect to and use that.
• Try forwarding a different port. Some services, like VNC, use entire ranges of ports, so you might need to forward multiple.
• Change your firewall settings. If the computer you’re using as a server has a firewall, you might need to allow external connections to the port in question.
• Check that you don’t have a double NAT issue. If you have both an ISP router and your own personal router, you’ll have two firewalls blocking traffic. To fix it, either forward the port on both devices or log in to the ISP router and put it into "bridge mode."

Does port forwarding slow down the internet?

Connection slowness can be more challenging to fix. That said, it’s important to note that port forwarding itself has nothing to do with your internet speed.

If you’re running a high-bandwidth game using port forwarding, it might slow down your connection. However, this isn’t the fault of the port forwarding setup.

Fixing invalid password warnings

Many kinds of remote desktop software will warn you if someone attempts to log in with an invalid password. Since anything connected to the public internet will receive dozens of hack attempts per minute, you might see a lot of these.

One easy, effective way to decrease the number of invalid login attempts on your computer is to move to a non-standard port. While this approach doesn’t actually increase your security, it does provide some basic obscurity.

From your router’s control panel, change the external port to a high number (below 65,535). If the port is not commonly used for other applications, you should see fewer connection attempts.

Don’t rely on this approach to make up for a bad password, but certainly use it if you suffer from excessive invalid connection attempts.

Port triggering vs port forwarding: what’s the difference?

Port triggering serves many of the same functions as port forwarding, but it works in a different way. Instead of always forwarding a particular port to a certain machine, port triggering works dynamically.

Here’s effectively how port triggering works:

• A computer on the internal network connects to an external server on a certain port.
• The router sees this connection and triggers a port forwarding rule to the internal computer.
• Afterward, traffic that matches the forwarding rule is forwarded to the internal computer for a period of time.

Example of port forwarding

It is one thing to know how things work in theory and another thing to have a real-life example. So, let’s say you want to set up a public Minecraft server for you and your friends.

Setting up a Minecraft server doesn't require any coding – you just need to download a .jar or .exe file, run it, and edit a simple text file. The most important thing to know is that this Minecraft server is local. This means that it can only be accessed from devices that are connected to your LAN or share the same external IP address. If you want to play on your server with your friends, they won’t be able to access it unless they come to your home and connect to your internet.

You need to open your server to incoming connections from remote devices, and this is where port forwarding comes into play. In your router configuration, you need to enter the standard Minecraft server port number, which is 25565. That way, your router will know to forward incoming connections from your friends’ devices to your Minecraft server.

If you want to try setting up a Minecraft server yourself, check out the official guide.

Bottom line

Port forwarding allows you to open up a specific service on your computer to receive inbound traffic from the internet. From video games to remote desktop, it’s a very useful tool. Port forwarding comes with some security considerations, but they can generally be overcome.

---

Thinking of trying out a VPN service? Read one of our VPN guides or reviews

---

FAQ