It’s the one thing when I’m configuring things that makes me wince because I know it will give me the business, and I know it shouldn’t, but it does, every time. I have no real idea what I’m doing, what it is, how it works, so of course I’m blindly following instructions like a monkey at a typewriter.

Please guide me into enlightenment.

  • shadowintheday2@lemmy.world
    11 months ago

    IP is like an address to a big skyscraper where a company operates. You are the delivery man and must go to 201.154.76.19 and deliver something. When you get to the reception, you tell them you have a package to deliver to Mrs HTTPS, at room (port) 443. Since Mrs HTTPS is well known and has cleared your entry before, you’re allowed to enter this room and only this room.

    If you were to get to the same address and try to access other rooms you would either get refused because they are closed, or if open, someone would specifically need to be in the room so you can deliver something.

    Malicious actors that wanted access to the building could try to disguise their deliveries and enter the building, that’s why the default policy of most firewalls is “reject” and you specifically need to open a port and have a program listening to it if you want incoming connections.

  • intensely_human@lemm.ee
    11 months ago

    A “port” is just a number that gets assigned to network messages to differentiate targets within the same IP address.

    One program is “listening on port 1”, which means it has told the operating system “anything labeled port 1, send it to me”.

    It’s sort of like saying “attention: Joe” versus “attention: Sue” on an address. Same address, same building, but that “attention” line means to put it on Joe’s desk inside the building.

    Except instead of “attention: Joe”, it’s just “attention: 22”. A numerical code that represents a “mailbox” inside the computer.

    • DontTakeMySky@lemmy.world
      11 months ago

      To take this further, if the office mailroom is the router, opening a port is like telling them “we just hired Jeff, so accept mail with ATTN Jeff” and closing a port is like “we just fired Sam, burn all mail addressed to Sam”.

  • cygon@lemmy.world
    11 months ago

    When you have a bunch of computers networked, each of them is assigned a unique number, so when other computers send data on the wire, they can say who it is meant for (imagine each blurb of data starting out like: “yo, I’m sending these next 500 bytes for computer 0A123FBC32, here they come”).

    Now the right computer will listen, but it doesn’t know what program the data is for - is it a chunk of a file your browser is downloading? Or the email your email app wants to display? Or perhaps a join request from your buddy’s computer for the Minecraft game you’re hosting?

    So in addition to the unique number of the target computer, the data also specifies a “port number”, which tells the computer which of its running programs the data is meant for (programs ask the computer’s operating system: “if any network data arrives on port XY, give it to me”). Some ports have become standards - for example, a program that serves web pages to other computers would typically ask the operating system that any data arriving on the computer that indicates port numbers 80 and 443 should be given to it, and when a web browser wants to fetch a web page, it will send a request to the computer serving the page, defaulting to port 80 or 443.

    If you dig deeper, you’ll find that there are even more unique numbers involved and routers/firewalls let data through not only by port number but also by distinguishing between data that is the initial request to another computer’s port number and data that is an answer to an earlier seen request – and more.

  • FederatedSaint@lemmy.world
    11 months ago

    Just think of your computer or server as a huge building with thousands of doors. Most are closed, but you purposely open a few to allow traffic in and/or out of. Those that are open are only open for a specific purpose and will only lead in or out of a specific place in the building.

    • Hadriscus@lemm.ee
      11 months ago

      Not OP but wondered the same thing for ages. Thanks for your concise reply. Am I right in thinking ports aren’t actually physical things but entirely logical instead? I always assumed they were physical “pipes” because of the name but in the light of replies here it feels like I assumed wrong.

  • Dagamant@lemmy.world
    11 months ago

    That’s a lot of information to ask for so I’ll try to be very basic. A port is like a window with a guy on the other side. If you speak the same language as the guy you can have a conversation.

    There are 65535 windows available. The open ones have guys available for conversations, the closed ones don’t.

    When you open a port on your computer you should have a program that “listens” at that port so that others can use it to have a conversation.

    A VPN takes all of the conversations your computer wants to have and sends them to a port on a server and the program listening to that conversation sends your requests to their intended destination and then sends you the result. It’s like using a middleman to have a conversation.

  • Kindness@lemmy.ml
    11 months ago

    Let’s say you want to talk to your friend. You have several protocols, Phone, Mail, Email, SMS, or maybe something stranger, like smoke signals or memes. Each protocol needs a different port.

    Your friend doesn’t answer phone calls or check VMs. The ‘port’ for phone calls is blocked. Nothing gets in through here.

    Your friend only accepts email from certain addresses, like protonmail. This port is filtered. Only known things get in through here.

    Your friend accepts any texts if they begin with the secret pass phrase. This port is open and filtered. Few unknown things get in through here.

    Your friend accepts all postage. This port is open. Anything can get in through here. HTTP or HTTPS, your browser.

    The VPN is sort of like an opaque tunnel you run from your house alongside public roads to some place you feel safe exiting, and then the usual steps in communicating. All of the communication has to go through the exit point back to the house.

    If this kind of thing interests you, have a basic book for free. https://open.umn.edu/opentextbooks/textbooks/353

    • DABDA@lemm.ee
      11 months ago

      Just to clarify, nothing about ports requires wifi to be involved at all. It doesn’t need to be a wifi router, a network doesn’t have to be connected via wifi.

        • DABDA@lemm.ee
          11 months ago

          Just seemed like a needlessly confusing specific detail to include as it is not a necessity to have any wifi connectivity at all and might mislead OP/readers into assuming it has some relevance to ports. It should be sufficient to just say router unless the question involves SSIDs or related components specific to that connection method.

  • flashgnash@lemm.ee
    11 months ago

    A port is basically what it sounds like, a hole in your network to allow traffic to get to your PC.

    When you forward a port you send all traffic trying to get into that port to the computer you configure it to forward to. I believe forwarding and opening are synonymous, I’m sure someone will correct me if I’m wrong.

    There are two protocols for transmitting data you can open/close individually, TCP and UDP. Depends on the application, some want one, some want the other, some can use either or some want both.

    Opening ports allows anyone with your IP address to get at your computer, which means they have a chance to exploit any vulnerabilities there might be in your OS, networking stack, software etc, so generally it’s a good idea not to leave them open unless absolutely necessary.

    Personally I use Tailscale to get around having to open ports, makes it as if they’re all on the same network.

    • prashanthvsdvn@lemmy.world
      11 months ago

      Port forwarding is related to the router forwarding all the traffic it gets on a specific port to your computer. Port opening is just enabling communication via a new port on your computer.

      Both can be done irrespective of each other and sometimes they do happen simultaneously. The router could forward the traffic to a new port that you opened on your computer. But they are not synonymous with each other.

  • HottieAutie@lemmy.dbzer0.com
    11 months ago

    Think of the Internet as being able to send opened letters with a destination address and return address. Anyone that handles the letter to help deliver it can see what it says, who’s sending it, and where it’s going.

    A VPN is like asking a company to help you transmit the letter with more privacy. The VPN creates a secret code between you and the VPN, so that only you two understand what is in the letter. Then, the VPN communicates with whomever while not sharing your identity so that no one knows who you are unless you specifically tell them in the letter.

    Say you want to know what the symptoms you’re experiencing after a sexual encounter are, but you’re embarrassed and don’t want anyone to suspect anything in case it’s nothing. You tell your VPN you want to send a letter to the medical info center. The VPN tells you to use a code that was created automatically so that no one knows what it means besides you and their code machine, and was sent to you earlier when you signed up for their service or at a regular update. “Use code 5 we sent you last week.” You write the letter and address in code 5, then address it in normal language to the VPN, sending it via the mail system. The VPN machine translates the code to normal language but changes the return address to its own address. The medical info center receives a letter saying that the VPN wants to know the info you requested, so they respond. The VPN receives the info, translates it back to code 5, and sends the info to you.

    As far as everyone in the mail system is concerned, you sent and received info from the VPN, but only you know what it was because the mail system couldn’t understand it, and the VPN handled it through an automated machine. The medical mail system and medical info center then knows what the letter said, but thinks the VPN requested that info, so they don’t know it was you. Since the VPN handles tons of mail, no one knows who is requesting what specific info through the VPN.

    Note: This assumes the VPN doesn’t keep logs. Some VPNs might actually track what you send, so they could keep track of your messages. That’s why people that value privacy recommend to use VPNs that don’t keep logs.

  • WolfLink@lemmy.ml
    11 months ago

    The short answer is, when your computer sends a message over the network, the IP address specifies which computer should receive the message, and the port specifies which program should receive the message.

  • dnick@sh.itjust.works
    11 months ago

    Maybe think of it like one of those big walls of post office mailboxes…behind the wall is your computer and an app might be waiting for a message at box 22 or box 45678. You could close all the boxes and nothing could get in, or you could open one or all of them and allow people to deliver messages to them.

    If you connect your computer directly to the internet, anyone who knows your IP address could say ‘deliver message X to port 22 at IP address <your ip address>’ and the program watching that box would get the message.

    If you put a router in the mix, and multiple computers, the router has the same block of boxes, but if someone sends a message to one of the boxes it just sits there. If you set up ‘forwarding’, sending a message to your IP address gets the message to the router, but if you forward box 22 from your router to a specific computer on your network, then the router takes a message at box 22 on itself and ‘forwards’ it to box 22 on whatever computer you specify (using internal IP addresses).

    You could map box 22 on your router to any other box on your computer…like port 22 coming into your router might get sent to port 155 on your computer…this is useful if you don’t want external people just exploring and lazily breaking into your computer using known vulnerabilities. Lots of ports are ‘common’, so an ftp hack on port 22 is easy, and might be ‘slightly’ harder if you tell your computer to actually look for ftp traffic on port 3333 or something.
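The router behaviour described in this comment, as an added example that is not part of the thread: a simplified model of a home router's forwarding table and reply tracking, using the comment's mapping of router port 22 to port 155 on a LAN machine. All IP addresses, the `Router` class and the starting translated port 40000 are constructed for illustration; real routers differ in detail.

```python
from dataclasses import dataclass, field


@dataclass
class Router:
    """Toy home router: one public IP, a forwarding table, and reply tracking."""
    public_ip: str
    forwards: dict = field(default_factory=dict)  # public port -> (LAN ip, LAN port)
    tracked: dict = field(default_factory=dict)   # public port -> (LAN ip, LAN port, remote)
    next_port: int = 40000                        # arbitrary start for translated ports

    def forward(self, public_port, lan_ip, lan_port):
        """Port forwarding: always hand this public port to one LAN machine."""
        self.forwards[public_port] = (lan_ip, lan_port)

    def outbound(self, lan_ip, lan_port, remote):
        """A LAN machine talks to the internet: rewrite its return address."""
        public_port = self.next_port
        self.next_port += 1
        self.tracked[public_port] = (lan_ip, lan_port, remote)
        return (self.public_ip, public_port)

    def inbound(self, remote, public_port):
        """Decide what happens to a packet arriving from the internet."""
        entry = self.tracked.get(public_port)
        if entry and entry[2] == remote:
            # Answer to a request the router saw going out earlier.
            return ("reply", entry[0], entry[1])
        if public_port in self.forwards:
            # Explicitly forwarded port: anyone on the internet can reach it.
            return ("forwarded", *self.forwards[public_port])
        # Default policy: nothing asked for this, so discard it.
        return ("dropped", None, None)


def demo():
    router = Router(public_ip="198.51.100.10")       # constructed public address
    router.forward(22, "192.168.1.50", 155)          # box 22 on router -> box 155 on a PC
    web = ("203.0.113.7", 443)                       # constructed web server
    stranger = ("203.0.113.99", 51000)               # constructed unrelated host
    src = router.outbound("192.168.1.20", 51514, web)
    return {
        "rewritten_source": src,
        "reply": router.inbound(web, src[1]),
        "wrong_sender": router.inbound(stranger, src[1]),
        "forwarded": router.inbound(stranger, 22),
        "unsolicited": router.inbound(stranger, 8080),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Only the forwarded port is reachable by a host the LAN never contacted, which is why each forwarding rule is worth reviewing as exposed surface.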

    • Melatonin@lemmy.dbzer0.com (OP)
      11 months ago

      The one statement “using internal IP addresses” has clarified something to where I’m actually excited to try working on a long-standing problem.

      But how come I’ll get instructions from a program that I have to allow ip “bla.bl.b.blah:80” when that number isn’t my IP? Then I go on my router and do it and the program doesn’t work/port isn’t open? Those kind of problems kill me.

      • dnick@sh.itjust.works
        6 months ago

        This is a really old message, but if you’re still having the same question I could try to answer, but that kind of message is pretty context dependent. For that specific one, it sounds like your program is trying to access something outside your network, like they have a website they need to access to check for updates or something.

        • Melatonin@lemmy.dbzer0.com (OP)
          6 months ago

          I’m trying to remember the context. I think it was when I was putting in the -arrs, but that doesn’t seem right. If I remember the exact circumstance I’ll pm you, thanks for responding.

  • WolfLink@lemmy.ml
    11 months ago

    The port is used by the destination computer to decide what program should process the request.

    Any program on your computer that needs to be open to being contacted by another computer over the network needs to be assigned to a port. When the remote computer wants to contact that program, the IP address is used by intermediate networking computers to forward the message, and the port is used by your computer to pass the message to the right program. Blocking a port will prevent the program assigned to it from being contacted by other computers.

    Some ports are traditionally assigned to some common programs. When you go to a website via http in a browser, it uses port 80 if you don’t specify. If you use https, it uses port 443. SSH uses port 22 by default. You can host an ssh server or http website on a different port, those are just the common conventions. If an http website is hosted on a port other than 80, the user will need to specify the port number in the browser as part of the url.

    VPNs are usually not so much about ports, more about IP addresses. When your computer wants to contact another computer, it normally sends the request to the router, and that router forwards that request either to another computer on LAN or to the ISP, and that ISP forwards the request and so on… based on the IP address. If you are using a VPN, that VPN will override certain IP addresses. When a message would be sent to one of those IP addresses, instead it gets packaged and sent to the IP address specified in the VPN config, and the computer on the other side of the VPN decides where to send the message from there. The router sends the packaged message to the VPN computer, but doesn’t get to know what the IP of the packaged message is (by packaged I mean encrypted, and with some metadata).

    Where VPNs and Ports end up being relevant is probably in relation to port forwarding. Normally your computer can make requests to the internet, but can’t be contacted by the internet. This is because your entire LAN shares a public (WAN) IP address, and the router is the device that receives all messages to that IP address. Normally the router discards such incoming messages, but if you set up port forwarding, the router will forward messages for a certain port to a certain computer on the LAN.

    A VPN can allow your computer to receive incoming requests without opening a port on the router. When a request meeting requirements specified in the VPN config is received by the computer on one side of the VPN, it will be forwarded to the computer on the other side of the VPN. For a public VPN (the kind you would pay for that are typically advertised as a privacy tool or a way to get around Netflix geofencing), you can sometimes configure port forwarding, meaning any request sent to that port on the VPN’s server will get forwarded to your computer connecting to the VPN (typically to the same port, so what happens to that request is up to you to configure a program to be assigned to that port).

    The other way a VPN can be used for that kind of contact is when it maps all requests to any port on a set of IP addresses. This is typically how office VPNs are configured, as it lets a remote user access things on the office network as if that user was in the office.

    Note that a VPN is itself a pair of programs communicating with each other like any other program, so typically setting up a VPN requires one of the computers to be exposed to the internet (or at least have ports set up for that). For a public paid VPN the VPN’s servers will be exposed to the internet, and for a corporate VPN the corporate servers will be closed, such that the client doesn’t have to.

    Some common VPN software (e.g. WireGuard) is free and open source and can be configured in a lot of different ways! These two common use cases are just the most common ways to configure VPNs, but if you have some creative use case, there’s a lot you could do with it.

  • Joe Bidet@lemmy.ml
    11 months ago

    “porte” in French means a door.

    Imagine each port is a door, all neatly aligned… some of them can be opened and lead to something… (a service)

    • Deez@lemm.ee
      11 months ago

      And when you go through the door, you must know the language to speak (the protocol) or you may be told to leave or ignored.

      • Joe Bidet@lemmy.ml
        11 months ago

        yeah you need to know the password or secret handshake (like a protocol handshake) to be let in! :)

  • Vent@lemm.ee
    11 months ago

    All these answers read like they’re written for comp sci students rather than a general audience. Let me give an ELI5 (more like ELI12) a shot.

    Ports are just numbers. They aren’t physical pathways or doors or windows or anything like that. A better analogy is a street address, like an apartment number. Your IP address identifies your computer (apartment building), and the port identifies the program on the computer (the apartment). When a program needs to talk to the internet, which is very similar to sending a letter, it hands a packet/letter to your computer and your computer assigns the program a port number. It then puts that number on the return address of the letter so that the recipient knows where to send the response. The computer remembers that port number is associated with that program, so when it gets an incoming letter with that number, it gives it to the program. After the program is done talking to the internet, the computer frees the port up to be used by another program.

    Ports are “closed” when there is no program associated with them. Any incoming letters are ignored because they have nowhere to go.

    Ports are “open” when they’re associated with a program. This happens automatically when programs send outgoing letters, or you can manually open (or “forward”) ports by telling your computer/router what the port should be associated with and that it shouldn’t use the port for something else.

    ELI5 over.

    The internet is networks on top of networks on top of networks, so your computer will have an IP and assign a port number, then your router will remember that and change the address on the letter to its own IP with a different port number, then that process repeats a few more times until eventually it reaches its destination. You don’t have to deal much with your computer’s internal network, but occasionally you have to deal with your router’s by opening/forwarding a port because it has a NAT that has to deal with all of the devices on your network. Forwarding the port just tells your router to always send incoming letters with that port number to a specific device.
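The "open", "closed" and automatically assigned ports described in this comment, as an added example that is not part of the thread: a small program that opens a port on the loopback address, connects to it, and then shows the same port refusing connections once nothing is listening. The function name and the `hello` payload are constructed for illustration.

```python
import socket

HOST = "127.0.0.1"  # loopback only, so nothing here is reachable from other machines


def port_lifecycle():
    """Open a port, talk to it, close it, and report what each step looked like."""
    # "Opening" a port: a program asks the OS for it and starts listening.
    # Port 0 means "give me any free port"; the OS picks the number.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((HOST, 0))
    listener.listen(1)
    server_port = listener.getsockname()[1]

    # The client does not choose its own port: the OS assigns a temporary one
    # and uses it as the return address on everything the client sends.
    client = socket.create_connection((HOST, server_port), timeout=2)
    conn, (peer_ip, peer_port) = listener.accept()
    client_port = client.getsockname()[1]

    # Deliver a message to the program behind the port.
    client.sendall(b"hello")
    conn.settimeout(2)
    received = b""
    while len(received) < 5:
        chunk = conn.recv(5 - len(received))
        if not chunk:
            break
        received += chunk

    for sock in (conn, client, listener):
        sock.close()

    # "Closed" port: same number, but no program is associated with it any
    # more, so the OS refuses the connection.
    try:
        socket.create_connection((HOST, server_port), timeout=2).close()
        refused = False
    except ConnectionRefusedError:
        refused = True

    return {
        "server_port": server_port,
        "client_port": client_port,
        "client_port_seen_by_server": peer_port,
        "received": received,
        "refused_after_close": refused,
    }


if __name__ == "__main__":
    for key, value in port_lifecycle().items():
        print(f"{key}: {value}")
```

Binding to `127.0.0.1` instead of `0.0.0.0` is itself a useful habit: a service that only needs local clients then has no port open to the rest of the network.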