VPN and getting router/firewall configuration correct


For the life of me I can not get my VPN working using PPTP or L2TP or anything.

My subnet is set to 192.168.13.1 to avoid conflicts.

I have tried to reach my desktop/server from my laptop/client both from mobile phone WiFi and from a friend's cabled internet. Both unsuccessful.

I am trying to use the built-in VPN functionality in Win7 (my desktop/server) and Win8.1 (my laptop/client) - both use Windows Firewall.

I have a TP-Link TL-R860 router. The DSL modem is an Efficient Networks Speedstream 5100.

I have set my desktop/server to always have the same IP address (useful for port forwarding).

Since I have been told I can not trust WiFi over mobile, I need to go to my friend's each time I test a setup. This means I need to avoid any chance of misconfiguring any ports... At this point I just want some kind of VPN working, which is why I try to open up for it all. In the end, I would probably like to use L2TP/IPSec.

Here is my current understanding of what I need to setup:

--router forward settings to my desktop/server computer--

Ports I am quite sure of:

  • 1723 TCP (PPTP)
  • 1701 UDP (L2TP)
  • 500 UDP (IPSec using IKE/IKEv2, e.g. used by L2TP)
  • 4500 UDP (IKE/IKEv2 and NAT-T)

My router does not support selecting "IP Protocol" - what to do?:

  • 47 IP Protocol (GRE for PPTP)
  • 50 IP Protocol (ESP for IPSec)

Ports to forward if using OpenVPN which I am not:

  • 443 TCP (OpenVPN-TCP)
  • 54 UDP (OpenVPN-UDP)

--router firewall settings--

  • off (I essentially only have on/off here. I think on should work, but...)

--desktop/server computer inbound firewall rules--

  • 1701 UDP
  • 1723 TCP
  • 4500 UDP
  • 500 UDP

(are all these necessary?)

--desktop/server computer outbound firewall rules--

  • 1701 UDP
  • 1723 TCP
  • 4500 UDP
  • 500 UDP

(are all these necessary?)

--laptop/client computer inbound firewall rules--

  • 1701 UDP
  • 1723 TCP
  • 4500 UDP
  • 500 UDP

(are all these necessary?)

--laptop/client computer outbound firewall rules--

  • 1701 UDP
  • 1723 TCP
  • 4500 UDP
  • 500 UDP

(are all these necessary?)

In preparing for a new test, I need to understand what configurations (e.g. ports) I should open in firewalls, forward in the router etc. to maximize the chance of something working. In particular I have doubts about how to handle e.g. GRE.

--Results from running PFPortChecker--

  • 1701/UDP: port is open
  • 1723/TCP: port is open (required shutting down VMware services)

I found that the IKEExt / "IKE and AuthIP IPsec Keying Modules" service (svchost.exe) blocks the following ports. (I guess that is okay if Windows VPN uses this service.)

If I leave the IKEExt service running I get:

  • 4500/udp: some other application locked port
  • 500/udp: some other application locked port

If I shut down the IKEExt service I get:

  • 4500/udp: port not open or reachable
  • 500/udp: port not open or reachable

For reference: I used the netstat -anobv command to find out which processes/services blocked the ports.

Tom

Posted 2014-05-28T10:34:45.460

Reputation: 347
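The inbound rules listed in the question, written out as netsh commands for the Windows 7 machine that acts as the VPN server. This is an added example, not code from the original post or from TP-Link or Microsoft documentation; the rule names are my own choice, and the ports and protocols are the ones the question lists. netsh advfirewall is used because the NetSecurity PowerShell cmdlets (New-NetFirewallRule) only exist from Windows 8 onward. GRE (47) and ESP (50) are IP protocols rather than ports, which is why they are protocol rules here and why a router that only forwards TCP/UDP ports cannot express them.

```powershell
# Added example (not from the original post): inbound Windows Firewall rules on the Windows 7
# machine that acts as the VPN server, using netsh advfirewall (available on Windows 7 and later).
# Run from an elevated PowerShell prompt. Rule names are my own; ports and protocols are the ones
# listed in the question. GRE (47) and ESP (50) are IP protocols, not ports, hence protocol= only.
$rules = @(
    @{ Name = 'VPN PPTP control (TCP 1723 in)';           Spec = @('protocol=TCP', 'localport=1723') },
    @{ Name = 'VPN PPTP tunnel (GRE, IP protocol 47 in)'; Spec = @('protocol=47') },
    @{ Name = 'VPN L2TP (UDP 1701 in)';                   Spec = @('protocol=UDP', 'localport=1701') },
    @{ Name = 'VPN IKE (UDP 500 in)';                     Spec = @('protocol=UDP', 'localport=500') },
    @{ Name = 'VPN IKE NAT-T (UDP 4500 in)';              Spec = @('protocol=UDP', 'localport=4500') },
    @{ Name = 'VPN IPsec ESP (IP protocol 50 in)';        Spec = @('protocol=50') }
)

foreach ($r in $rules) {
    # Delete any rule of the same name first so re-running the script does not create duplicates
    # (netsh prints "No rules match the specified criteria." when there is nothing to delete).
    & netsh advfirewall firewall delete rule "name=$($r.Name)" | Out-Null

    # Arguments are passed as an array so each token reaches netsh unchanged (no string building).
    $netshArgs = @('advfirewall', 'firewall', 'add', 'rule', "name=$($r.Name)",
                   'dir=in', 'action=allow', 'profile=any') + $r.Spec
    & netsh @netshArgs | Out-Null
}

# Show the rules that were created, to confirm they exist and are enabled.
netsh advfirewall firewall show rule name=all | Select-String -Pattern '^Rule Name:\s+VPN '
```

Of the four rule groups the question lists, only the server's inbound group is needed for the built-in VPN: Windows Firewall allows outbound traffic by default, and the client initiates the connection, so its replies are matched by the stateful firewall without any inbound rule on the laptop. On the router, only TCP 1723 and UDP 500, 1701 and 4500 can be port-forwarded; GRE and ESP need a "VPN passthrough" or protocol-forwarding feature, and whether the TL-R860's "All" option covers them is something to confirm with TP-Link rather than assume.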

Answers

  1. You need to make sure you set your Windows 7 machine to have a reserved address on your router (so that it is always given the same LAN IP address).
  2. Set the port forwarding rule for the PPTP port (1723) to point to your Windows machine IP (the reserved one).
  3. If your router blocks VPN passthrough then you will need to check this (in the UK, VirginMedia's SuperHub blocks VPN passthrough and this catches people out) and enable it.
  4. Windows 7 has built-in "VPN server" capability
  5. HowToGeek have written a detailed "how-to" to configure Windows to be a VPN server - this works for both Windows 7 and Windows 8. Their link is here

Kinnectus

Posted 2014-05-28T10:34:45.460

Reputation: 9 411

1+2) already done, 3) as far as I know, it does not block, 4+5) exactly what I already tried :( – Tom – 2014-05-28T11:52:53.813

What errors do you get when trying to connect? – Kinnectus – 2014-05-28T11:55:56.643

connecting from my friends Win8.1: Default=800, PPTP=807, L2TP=809 – Tom – 2014-05-28T11:58:39.530

Have you manually edited the client VPN connection settings so that "automatic" VPN type is set to "PPTP"? – Kinnectus – 2014-05-28T12:01:06.810

Yes, I explicitly tried that as well :( – Tom – 2014-05-28T12:07:08.563

Although not always required, can you check that your router is allowing and forwarding GRE protocol port 47 I think – Kinnectus – 2014-05-28T13:33:51.800

I am not sure how to check that. However, I can not explicitly allow the GRE protocol in the router setup (I can only forward All/TCP/UDP) - not sure how to best test if GRE is allowed/forwarded? – Tom – 2014-05-28T23:41:13.787

Out of curiosity, have you configured your MODEM to forward all traffic to your TP-Link router? I've just read the manual and it has an RJ45 WAN connection which implies your Internet is either directly provided by Ethernet or you've got a cable/DSL modem plugged into the wall (this may also have an in-built router function that needs disabling) – Kinnectus – 2014-05-29T07:04:52.183

That is correct. Internet comes from a DSL modem from my ISP (the router is my own). I will try to contact them. (I still have not found anything about GRE and my router, so I am not sure if I need to allow anything there and how.) – Tom – 2014-05-29T08:14:16.103

Right, so it's DSL (telephone line Internet). You shouldn't need to contact your ISP. Does your modem have any "router" capability? If so, this may be the root cause of your problems. If you set the modem's "router" portion to disabled it should then turn it into just a modem with one of the ethernet sockets being the "LAN" connection (i.e. what you plug into your TP-Link WAN connection). You need to direct all traffic from your modem to your router. I have a feeling it is not at the moment allowing incoming connections or forwarding incoming traffic to your router – Kinnectus – 2014-05-29T09:07:38.530

It should be a pure modem, but I am going to run an in-depth port scan tester to see what gets through and what does not - to eliminate the modem (supplied by the ISP) and ISP as being the cause. I am planning on using this program for it unless someone can recommend better: http://portforward.com/help/portcheck.htm – Tom – 2014-05-30T15:25:48.797

Do you have a make and model of the modem? – Kinnectus – 2014-05-30T15:42:50.340

Efficient Networks Speedstream 5100 (no indication of whether it is model a or b) - it only has power, ethernet (goes to the router), DSL-in – Tom – 2014-05-31T10:37:18.520

I have now added results from my port scans to the question under the section "Results from running PFPortChecker". Do the results look alright to you? I may soon be ready to run another test. (I assume I should let the IKE service run.) I am a bit curious if anyone has experience with the firewall configuration, although for now I will probably just allow all inbound/outbound on both server/client. – Tom – 2014-05-31T11:48:21.783

On your modem is there a "bridge" mode? – Kinnectus – 2014-05-31T12:43:10.863

Not that I can see. But I believe all configuration is done remotely by the ISP when it comes to the modem, so if there are some internal settings that can be configured, I do not know, since I do not have access to the configuration. – Tom – 2014-06-02T11:36:40.530

Update: ISP will be sending a new DSL modem. However, I am still extremely interested in knowing if the rest of my setup is correct and which of the firewall rules are necessary? – Tom – 2014-06-04T12:29:03.000

In case of network doubt, you can always install & fire up Wireshark to do network analysis of what comes in/out of your PCs. You'll know which ports are trying to get out at one end and be able to see if you receive something at the other end – Remi Letourneau – 2014-06-07T01:32:42.310

I will try that next. Awarded bounty to this answer even if my problem is still unresolved. (However, the ISP will send a combined new router/modem which should also allow full configuration + support VPN guaranteed. That should help minimize the search area for the problem.) – Tom – 2014-06-08T12:40:54.610
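The question's PFPortChecker results and the later comment about leaving the IKE service running both turn on the same point: on Windows, the IKEEXT service (hosted in svchost.exe) is what listens on UDP 500 and 4500 for the built-in L2TP/IPsec client and server, so a port checker reporting that "some other application locked" those ports is describing the expected state, not a fault. The script below, an added example that is not part of the original thread, reports which local process owns each VPN-related port by parsing netstat -ano output, the same data the question gathered with netstat -anobv. It runs on Windows 7, which lacks the Get-NetTCPConnection and Get-NetUDPEndpoint cmdlets. The port table and the netstat sample at the end are constructed for illustration; the PIDs in the sample are made up and will not exist on a real machine.

```powershell
# Added example (not from the original thread): find which local process owns each VPN-related port
# by parsing "netstat -ano" output. Works on Windows 7, which has neither Get-NetTCPConnection
# nor Get-NetUDPEndpoint. Pass saved output via -NetstatLines, or omit it to read the live table.
$VpnPorts = @{ 'TCP' = @(1723); 'UDP' = @(500, 4500, 1701) }   # ports from the question

function Get-VpnPortOwners {
    param([string[]] $NetstatLines = (netstat -ano))

    foreach ($line in $NetstatLines) {
        $f = $line.Trim() -split '\s+'
        # Skip the "Active Connections" banner, the column header and blank lines.
        if ($f.Count -lt 4 -or (@('TCP', 'UDP') -notcontains $f[0])) { continue }
        $proto = $f[0]
        # Local address is host:port; taking the text after the last colon also handles [::]:500.
        $port = [int]($f[1] -replace '^.*:(\d+)$', '$1')
        if ($VpnPorts[$proto] -notcontains $port) { continue }
        # TCP rows carry a State column, UDP rows do not; the PID is the last field in both cases.
        $state    = if ($proto -eq 'TCP') { $f[3] } else { 'n/a' }
        $ownerPid = [int]$f[-1]
        $proc     = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
        $procName = if ($proc) { $proc.ProcessName } else { 'unknown (no such PID)' }
        New-Object PSObject -Property @{
            Proto   = $proto
            Port    = $port
            State   = $state
            PID     = $ownerPid
            Process = $procName
        }
    }
}

# Constructed sample in the layout netstat -ano prints on Windows (PIDs and addresses are made up).
$sample = @'
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:1723           0.0.0.0:0              LISTENING       1112
  TCP    192.168.13.10:49212    203.0.113.5:443        ESTABLISHED     2460
  UDP    0.0.0.0:500            *:*                                    988
  UDP    0.0.0.0:4500           *:*                                    988
'@ -split "`r?`n"

# Parse the sample (offline), then the live table on this machine.
Get-VpnPortOwners -NetstatLines $sample | Format-Table Proto, Port, State, PID, Process -AutoSize
Get-VpnPortOwners | Format-Table Proto, Port, State, PID, Process -AutoSize
```

When the owner is svchost.exe, `tasklist /svc /fi "PID eq <pid>"` lists the services hosted in that process; IKEEXT showing up there for UDP 500 and 4500 is the normal picture on a machine that will run L2TP/IPsec. A local listener being present says nothing about reachability from outside, which is the separate question the external probe answers, so the two checker results in the question should be read as different tests: the first reports that the port is already in use locally, the second reports what the probe saw once the checker itself could bind.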