OPC UA uses TCP port 4840 by default. This single port carries everything OPC UA does — discovery, session establishment, reading tags, writing values, subscriptions, method calls, and historical data access.
Unlike OPC Classic (which used DCOM with dynamic port allocation and was a firewall nightmare), OPC UA uses one well-known port that works cleanly through NAT, proxies, and firewalls. One port rule and your OPC UA communication works.
This guide covers everything about the OPC UA port number — from the IANA registration to practical firewall rules you can copy and paste.
1. TCP Port 4840 — The Standard OPC UA Port
TCP port 4840 is the default and official port for OPC UA communication using the native opc.tcp binary protocol. It is defined in IEC 62541-6 (OPC UA Part 6: Mappings) and registered with IANA.
Every OPC UA server — whether it runs on a PLC, an edge gateway, an industrial PC, or a cloud instance — listens on TCP port 4840 by default. The OPC UA client initiates the TCP connection to this port.
On port 4840, OPC UA traffic can be:
- Unencrypted (security policy None) — rarely recommended
- Signed (security policy Basic256Sha256 with Sign) — integrity only
- Signed and encrypted (security policy Basic256Sha256 with Sign & Encrypt) — full security
The important thing: encryption happens at the application layer on the same port 4840. There is no separate “secure port” like IEC 104 has with port 19998.
2. IANA Registration Details
| Field | Value |
|---|---|
| Service Name | opcua-tcp |
| Port Number | 4840 |
| Transport Protocol | TCP (also UDP for discovery) |
| Description | OPC UA TCP Protocol |
| Reference | IEC 62541-6 (OPC UA Mappings) |
| Assignment | IANA registered |
IANA also assigns port 4843 for OPC UA TLS over HTTPS, but most deployments use opc.tcp on port 4840 with application-layer security.
3. Why OPC UA Uses a Single Port
OPC Classic (DCOM-based) used dynamic port allocation — ports 135, 137–139, 445, and a random range from 1024–5000. Configuring a firewall for OPC Classic required opening dozens of ports and caused endless “Access Denied” errors.
OPC UA fixed this by design:
| Feature | OPC Classic | OPC UA |
|---|---|---|
| Ports used | 135 + dynamic range (1024–5000) | 4840 only |
| Firewall rules | Complex, multiple ports | One rule |
| NAT/proxy support | Problematic | Works cleanly |
| Platform support | Windows only | Windows, Linux, embedded, cloud |
| Internet-friendly | No (DCOM fails through firewalls) | Yes |
This single-port design is one of the main reasons OPC UA replaced OPC Classic in modern industrial systems.
4. How OPC UA Uses Port 4840
OPC UA is a client-server protocol:
| Role | Port Behavior |
|---|---|
| OPC UA Server (PLC, gateway, HMI) | Listens on TCP port 4840, waits for client connections |
| OPC UA Client (SCADA, MES, historian) | Connects from a random ephemeral port to the server’s port 4840 |
The server always listens. The client always initiates the connection.
5. OPC UA Connection Sequence
| Step | Direction | What Happens |
|---|---|---|
| 1 | Client → Server | TCP SYN to port 4840 |
| 2 | Server → Client | TCP SYN-ACK |
| 3 | Client → Server | TCP ACK — TCP connection established |
| 4 | Client → Server | Hello message — propose buffer sizes and protocol version |
| 5 | Server → Client | Acknowledge message — confirm parameters |
| 6 | Client → Server | OpenSecureChannel — exchange certificates (if security enabled) |
| 7 | Server → Client | OpenSecureChannel Response — secure channel established |
| 8 | Client → Server | CreateSession — start an OPC UA session |
| 9 | Server → Client | CreateSession Response — session ID assigned |
| 10 | Client → Server | ActivateSession — provide user credentials |
| 11 | Server → Client | ActivateSession Response — session active |
| 12 | Both | Read, Write, Browse, Subscribe — normal OPC UA services |
After step 11, the client can read tags, write values, browse the address space, and create subscriptions. All services travel over the same TCP connection on port 4840.
6. The OPC UA Endpoint URL Format
An OPC UA endpoint URL has this format:
```
opc.tcp://hostname:port/path
```
Examples:
| Endpoint URL | Meaning |
|---|---|
| opc.tcp://192.168.1.10:4840 | Default port, no path |
| opc.tcp://plc01.local:4840 | Using hostname instead of IP |
| opc.tcp://192.168.1.10:48010 | Custom port (e.g., KEPServerEX uses 49320) |
| opc.tcp://gateway:4840/UA/MyServer | Server path for multi-server gateways |
| opc.tcp://192.168.1.10:4840/freeopcua/server | Common for open62541 and python-opcua servers |
When connecting from a client (UaExpert, SCADA, custom application), always use the full endpoint URL — not just IP and port.
7. OPC UA Discovery Server Port
The Local Discovery Server (LDS) is a special OPC UA server that maintains a registry of all OPC UA servers on a machine. It helps clients discover available servers without knowing each server’s IP and port in advance.
| Component | Port | Purpose |
|---|---|---|
| OPC UA Server | 4840 (default) | Hosts the actual data |
| Local Discovery Server (LDS) | 4840 | Lists all registered servers on the host |
| Global Discovery Server (GDS) | Configurable (often 4840 or 4843) | Lists servers across a network, manages certificates |
The LDS reserves port 4840 on Windows hosts. If you install multiple OPC UA servers on the same machine, they must use different ports (e.g., 48401, 48402) and register with the LDS on port 4840.
Clients connect to the LDS on port 4840 and call the FindServers service to get a list of all servers. They then connect to each server on its individual port.
8. Port 4840 vs DCOM (OPC Classic) Ports
| Feature | OPC UA (Port 4840) | OPC Classic (DCOM) |
|---|---|---|
| Default port | 4840 | 135 (endpoint mapper) |
| Dynamic ports | None | 1024–5000 (random) |
| Firewall complexity | Single rule | Multiple rules, complex NAT issues |
| Works through NAT | Yes | No (usually requires tunneling) |
| Works on Linux | Yes | No (Windows only) |
| Encryption | Built-in (application layer) | None (optional DCOM auth) |
| Authentication | X.509 certificates, username/password | Windows user accounts only |
| Internet use | Possible (with proper security) | Never recommended |
9. OPC UA Security on Port 4840
OPC UA security works on the same port 4840. Unlike other protocols that use separate ports for secured communication (IEC 104 → 19998, MMS → 3782), OPC UA negotiates security during the connection handshake.
Security Policies
When a client connects to port 4840, it selects one of these security policies:
| Security Policy | Signed | Encrypted | Use Case |
|---|---|---|---|
| None | No | No | Testing only (not recommended) |
| Basic256Sha256 + Sign | Yes | No | Integrity protection, not confidential |
| Basic256Sha256 + Sign & Encrypt | Yes | Yes | Full security (recommended) |
| Aes128_Sha256_RsaOaep | Yes | Yes | Modern, stronger key exchange |
| Aes256_Sha256_RsaPss | Yes | Yes | Strongest (OPC UA 1.04+) |
The server can be configured to reject unencrypted connections — forcing all clients to use security even on port 4840.
Certificate Exchange
During the OpenSecureChannel handshake (step 6 in the connection sequence), client and server exchange X.509 certificates. Both must trust each other’s certificate before the session is established.
10. Firewall Rules for OPC UA
Linux iptables
```bash
# Allow OPC UA from SCADA client (192.168.1.10) to PLC (192.168.1.100)
iptables -A INPUT -p tcp -s 192.168.1.10 --dport 4840 -j ACCEPT
# Block all other OPC UA traffic (order matters: the ACCEPT rule must come first)
iptables -A INPUT -p tcp --dport 4840 -j DROP
```
Ubuntu UFW
```bash
# Allow OPC UA
sudo ufw allow 4840/tcp
# Allow OPC UA only from a specific subnet
sudo ufw allow from 192.168.1.0/24 to any port 4840 proto tcp
```
Windows Firewall (PowerShell)
```powershell
# Allow inbound OPC UA from SCADA client
New-NetFirewallRule -DisplayName "OPC UA" -Direction Inbound -Protocol TCP -LocalPort 4840 -RemoteAddress 192.168.1.10 -Action Allow
# Block all other OPC UA traffic
New-NetFirewallRule -DisplayName "OPC UA Block" -Direction Inbound -Protocol TCP -LocalPort 4840 -Action Block
```
Cisco IOS ACL
```
access-list 101 permit tcp host 192.168.1.10 host 192.168.1.100 eq 4840
access-list 101 deny tcp any host 192.168.1.100 eq 4840
```
Key Rules
- Never expose port 4840 to the internet without VPN or strict IP restrictions
- Restrict access to known client IP addresses only
- Log all connection attempts for security monitoring
- Disable the “None” security policy on production servers
11. Wireshark Capture and Display Filters
Capture Filter (before starting capture)
```
tcp port 4840
```
Display Filters
| Filter | What It Shows |
|---|---|
| opcua | All OPC UA traffic |
| tcp.port == 4840 | All traffic on port 4840 (including TCP handshake) |
| tcp.dstport == 4840 | Traffic going to the server |
| tcp.srcport == 4840 | Traffic coming from the server |
| opcua.transport.type == 0x48454c46 | Hello messages (HELF) |
| opcua.transport.type == 0x41434b46 | Acknowledge messages (ACKF) |
| opcua.transport.type == 0x4f504e46 | OpenSecureChannel (OPNF) |
| opcua.transport.type == 0x4d534746 | Normal Message (MSGF) |
Decoding OPC UA on a Non-Standard Port
Many OPC UA servers use custom ports (e.g., Kepware uses 49320, Siemens OPC UA sometimes uses 4841). Wireshark must be told to decode traffic on those ports as OPC UA:
- Right-click a packet → Decode As → OPC UA
- Or Edit → Preferences → Protocols → OpcUa → add the custom port
12. Testing OPC UA Port Connectivity
Before configuring an OPC UA client, verify that port 4840 is reachable.
From the Client Machine
```bash
# Test if server port 4840 is open
nc -zv 192.168.1.100 4840
# Or using telnet
telnet 192.168.1.100 4840
# Or using PowerShell (Windows)
Test-NetConnection -ComputerName 192.168.1.100 -Port 4840
```
On the Server
```bash
# Linux — verify OPC UA is listening
ss -tlnp | grep 4840
# Expected output:
# LISTEN 0 128 0.0.0.0:4840 0.0.0.0:* users:(("opcua-server",pid=1234,fd=3))
# Windows
netstat -an | findstr :4840
```
Using UaExpert (Free OPC UA Client)
The easiest way to test OPC UA connectivity:
- Download UaExpert from Unified Automation
- Click Add Server → enter opc.tcp://192.168.1.100:4840
- UaExpert queries the server for endpoints
- If the connection works, you see a list of security policies and user authentication methods
- Accept the server certificate and connect
Common Results
| Result | Meaning | Fix |
|---|---|---|
| Connection succeeded, endpoints listed | Port is open and OPC UA server is running | OK |
| Connection refused | Port is not open — OPC UA service not running | Start the OPC UA server |
| Connection timed out | Firewall is blocking the port | Check firewall rules |
| Endpoint URL mismatch | Server returns different endpoint URL | Use the endpoint URL returned by the server, not the one you typed |
| BadSecurityChecksFailed | Certificate not trusted | Trust the server certificate on the client |
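As an added example (not code from this guide), the following Python 3 script ties together steps 4 and 5 of the connection sequence (Hello/Acknowledge), the four-byte message types behind the Wireshark filters in section 11, and the port check from this section: it opens the TCP connection, sends a Hello, parses the Acknowledge, and maps the outcome to the rows of the Common Results table. It uses only the standard library; the message layout follows IEC 62541-6, and the host address in the main block is the guide's placeholder PLC.

```python
import socket
import struct
OPCUA_DEFAULT_PORT = 4840
ACK_SIZE = 28  # 8-byte transport header + five uint32 fields

def message_type_value(tag: bytes) -> int:
    """Big-endian integer form of a 4-byte header, e.g. b"HELF" -> 0x48454c46 (the Wireshark filter value)."""
    return int.from_bytes(tag, "big")

def encode_hello(endpoint_url, recv_buf=65535, send_buf=65535, max_msg=0, max_chunks=0) -> bytes:
    """Client -> server Hello: 'HEL' + chunk type 'F', MessageSize, ProtocolVersion 0, buffer limits, URL."""
    url = endpoint_url.encode("utf-8")
    body = struct.pack("<IIIII", 0, recv_buf, send_buf, max_msg, max_chunks)
    body += struct.pack("<i", len(url)) + url  # OPC UA String: int32 length + UTF-8 bytes
    return b"HELF" + struct.pack("<I", 8 + len(body)) + body  # MessageSize counts the header

def encode_acknowledge(recv_buf=65535, send_buf=65535, max_msg=0, max_chunks=0) -> bytes:
    """Server -> client Acknowledge carrying the parameters the server settled on."""
    return b"ACKF" + struct.pack("<IIIIII", ACK_SIZE, 0, recv_buf, send_buf, max_msg, max_chunks)

def parse_acknowledge(data: bytes) -> dict:
    """Decode an Acknowledge; raise ValueError for an ERR reply or for non-OPC UA bytes."""
    if len(data) < 8:
        raise ValueError("reply shorter than an OPC UA transport header")
    msg_type, size = data[:4], struct.unpack_from("<I", data, 4)[0]
    if msg_type == b"ERRF" and len(data) >= 12:
        raise ValueError("server sent ERR 0x%08x" % struct.unpack_from("<I", data, 8)[0])
    if msg_type != b"ACKF" or size != ACK_SIZE or len(data) < ACK_SIZE:
        raise ValueError(f"unexpected transport message {msg_type!r}, size {size}")
    names = ("protocol_version", "receive_buffer_size", "send_buffer_size",
             "max_message_size", "max_chunk_count")
    return dict(zip(names, struct.unpack_from("<IIIII", data, 8)))

def probe(host: str, port: int = OPCUA_DEFAULT_PORT, timeout: float = 3.0) -> str:
    """Open a TCP connection, send Hello, and map the outcome to the Common Results rows."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(encode_hello(f"opc.tcp://{host}:{port}"))
            parse_acknowledge(sock.recv(64))
        return "opcua-acknowledged"  # port open and an OPC UA server answered
    except ConnectionRefusedError:
        return "connection-refused"  # port closed: OPC UA service not running
    except (socket.timeout, TimeoutError):
        return "timed-out"  # SYN or reply dropped, typically by a firewall
    except ValueError as exc:
        return f"open-but-not-opcua ({exc})"  # something else owns the port

if __name__ == "__main__":
    print(probe("192.168.1.100"))  # the guide's placeholder PLC address
```

Unlike `nc -zv`, a successful result here means an OPC UA server actually answered the Hello, not merely that the TCP port accepted the connection.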
13. OPC UA over HTTPS and WebSockets
OPC UA also supports alternative transports for specific use cases:
| Transport | Port | URL Prefix | Use Case |
|---|---|---|---|
| OPC UA TCP | 4840 | opc.tcp:// | Default, best performance |
| OPC UA HTTPS | 443 (or custom) | https:// or opc.https:// | Cloud, web integration |
| OPC UA WebSockets | 443 (or custom) | opc.wss:// | Browser-based clients, firewall-restricted networks |
opc.tcp on port 4840 is by far the most common — used for PLC-to-SCADA, SCADA-to-historian, and most industrial communication. HTTPS and WebSockets are used mainly for cloud integration and web-based OPC UA clients.
14. Common Port-Related Problems and Fixes
| Problem | Symptom | Fix |
|---|---|---|
| Wrong port configured | Connection refused | Verify both client and server use port 4840 |
| Firewall blocking port 4840 | Connection timeout | Add firewall rule to allow TCP 4840 from the client IP |
| OPC UA server not enabled on PLC | Connection refused | Enable OPC UA in the PLC configuration (TIA Portal, Studio 5000, etc.) |
| Endpoint URL mismatch | “BadEndpointUrlInvalid” error | Use the exact endpoint URL returned by the server. Some PLCs return a hostname that does not resolve — reconfigure the PLC’s endpoint URL. |
| Certificate not trusted | “BadSecurityChecksFailed” error | Move the server’s certificate to the client’s trusted folder (and vice versa) |
| Wrong security policy | “BadSecurityPolicyRejected” | Client and server must support the same security policy. Try Basic256Sha256 + Sign & Encrypt. |
| Multiple servers on same host | Port 4840 already in use | Configure each server to use a different port (48401, 48402). Register them with the Local Discovery Server on port 4840. |
| NAT breaking OPC UA | Intermittent disconnects | Avoid NAT. Use direct routing or VPN. OPC UA handles NAT better than DCOM, but large messages can still fail. |
| Hostname not resolving | Connection fails intermittently | Use IP address in the endpoint URL, or fix DNS resolution |
| Port 4840 exposed to internet | Brute force attempts, unauthorized access | Block external access. Use VPN for remote OPC UA access. |
15. Security Best Practices for OPC UA Port 4840
Do
- Use Basic256Sha256 with Sign & Encrypt as the minimum security policy
- Disable the “None” security policy on production servers
- Restrict port 4840 access to specific client IP addresses
- Use X.509 certificates with proper CA-based certificate management
- Use strong user authentication — username/password or certificate-based
- Place OPC UA servers behind a firewall on a dedicated OT VLAN
- Log all OPC UA connections and failed authentication attempts
- Keep OPC UA software updated — vulnerabilities are patched regularly
Do Not
- Expose port 4840 to the internet without a VPN
- Use the “None” security policy in production
- Use self-signed certificates without a proper trust management process
- Allow anonymous user authentication on writable servers
- Trust unknown certificates automatically
- Run OPC UA servers with default credentials (some vendors ship with default user accounts)
For Industrial/OT Environments
- Place OPC UA servers in a dedicated OT network zone (per IEC 62443)
- Use OPC UA Global Discovery Server (GDS) for centralized certificate management at scale
- Monitor OPC UA traffic with OT-aware IDS/IPS (Claroty, Nozomi, Dragos)
- Use reverse proxy or OPC UA gateway in a DMZ for IT/OT integration — never direct access
- Follow IEC 62541-2 (OPC UA Security) guidelines
Summary
OPC UA uses TCP port 4840 for all communication — discovery, session setup, data access, subscriptions, and method calls.
The key things to remember:
- Port 4840 is IANA registered for OPC UA TCP (opc.tcp)
- One port handles everything — unlike OPC Classic, which used dynamic DCOM ports
- The server listens on port 4840. The client connects to port 4840.
- Security is negotiated on the same port — no separate secure port needed
- Use opc.tcp://hostname:4840 as the endpoint URL format
- The Local Discovery Server reserves port 4840 — multiple servers on one host must use different ports (48401, 48402) and register with the LDS
- Never expose port 4840 to the internet without VPN or strict IP restrictions
- Use UaExpert (free) to test OPC UA port connectivity and endpoint configuration
For OPC UA security details, see: OPC UA Security: How It Works and Best Practices
For connecting PLCs to OPC UA, see: How to Connect a PLC to OPC UA
For Wireshark analysis, see: Wireshark for OPC UA: How to Capture and Decode Client/Server Traffic
