Skip to main content
This guide explains how to tunnel an OpenVPN server through CGNAT using an ngrok TCP endpoint on port 443. It covers starting the endpoint, downloading your .ovpn profile, and updating it to use the ngrok TCP address and port. For a detailed community walkthrough, see Tunneling an OpenVPN server out from behind CGNAT.

What you’ll need

  • An OpenVPN server running behind CGNAT.
  • OpenVPN Connect installed.
  • ngrok installed.
  • Your ngrok authtoken.

1. Start a TCP endpoint on port 443

Open a TCP endpoint to port 443: 
ngrok tcp 443
TCP endpoints are only available on a free plan after adding a valid payment method to your account.

2. Download your OpenVPN profile

Open the TCP address shown in the ngrok agent output in your browser. Download the .ovpn profile you use with OpenVPN Connect.

3. Update the profile to use the ngrok port

Open the downloaded .ovpn file in a text editor. Update the profile to use the TCP address and port shown by ngrok instead of 443. Import the updated profile into OpenVPN Connect. You should be able to connect to your VPN as normal.