Alternatives to make remote connections to office network VPN work when port 1723TCP is blocked - Windows (both client and server) version.

1

2

I am a consultant and a couple of my clients' guest WiFi networks do not allow me to use port 1723. It is somehow blocked. I know this because, if I use my cell phone as a WiFi access point, I can establish a connection. Problem is, cell coverage sucks so bad, my connection drops every 2 minutes, prohibiting me from doing any work.

I have a home office that I need to VPN into. My config is as follows: (when I am at problem client sites that is)

      (1)               (2)            (3)               (4)                     (5)
My win XP laptop --> guest wifi --> Internet --> AT&T U-verse gateway --> My win-7 machine

I need to go from (1) to (5) and port 1723 between (1) and (2) is blocked. I need to use a different port like 443, which is allowed pretty much everywhere, but cannot find where to change it on Win XP. Can anyone shed light on how I can accomplish this?

Scott

Posted 2014-02-11T01:06:33.327

Reputation: 31

Answers

0

You are talking, obviously, about a VPN PPTP connection, the usual method in Windows. I would really like to solve this too, but I think this is not possible.
Your best chance is to use OpenVPN instead of PPTP. Sadly, OpenVPN is much harder to configure, but it works on your desired port.
This is what I have tested and know does not work:
1.- Port redirection using firewall.
2.- Port redirection using simple software like PortForward (command line and GUI).
3.- Port redirection using advanced programs, like WinGate (GUI).
4.- Port tunneling (encrypted, using port 22TCP) through SSH (you need first some SSH server like Bitvise SSH Server in your Windows 7 remote machine), like in:

putty RemoteSSHServer -L 1723:VPNServer:1723

(after that line you just need to create a VPN connection to "localhost", so redirection to your remote VPN server is done through the cyphered SSH tunnel using port 22TCP, not 1723, so it will not be blocked, we suppose).
But in all these above cases the connection to the server starts to negotiate, but does not get established (at least on my tests).
The issue lies deep in the PPTP protocol (now a bit obsolete and insecure), mainly because GRE-type (neither TCP nor UDP) packets need to pass through the connection, and also because nearly every VPN PPTP client (and even every server) uses port 1723TCP to establish connections, with no possibility of changing this port (I have tested a few of these programs).
I would really like to solve this too, but I think that changing 1723 port for PPTP is not possible when using Windows. A Linux client could establish a VPN through SSH connection to any (Windows or Linux, I think) SSH remote server. SSH works too on your desired port.
- EDIT: As far as I know, there is no Windows client capable of creating VPN network interfaces through SSH.
- EDIT2: Upon @Scott's request, here are the steps for SSH Tunneling as a replacement for VPN PPTP:

  • Installing Bitvise SSH Server (on your remote Windows 7) via shell (assuming you have a "RegistrationCode"; install via GUI and select Personal License if you don't):

    • BvSshServer-Inst.exe -InstallDir=c:\BitviseSSHServer -ActivationCode=[RegistrationCode] -AcceptEULA -startService
    • [Reboot operating system]
    • Bitvise SSH Server Control Panel --> Easy Settings --> Open Windows Firewall --> Open Port(s) to any scope
    • Bitvise SSH Server Control Panel --> Easy Settings --> Open Windows Firewall --> Listening Port --> [someone, say 11122]
    • Forward 11122TCP port in your router to this Windows machine.
  • Connecting (on your local Windows XP) to remote SSH Windows Server using putty as SSH client. Assuming SSH Server has VNC Server (5900TCP) and FTP Server (21TCP) listening:

    • putty ServerRouterPublicIPOrDomain -P 11122 -L 15900:localhost:5900 -L 10021:localhost:21
    • [Enter Login/Password of your Windows administrator account]
  • To connect to your remote server via the two established SSH (encrypted, of course) tunnels for VNC and FTP respectively (as long as Putty keeps running to maintain the tunnels open):

    • (Any) VNC Viewer to:
      • Server: localhost
      • Port: 15900
    • (Any) FTP Client to:
      • Server: localhost
      • Port: 10021
  • If you have more computers or devices on the remote (Server) network and you need to access them too, it is possible to redirect further tunnel(s) to any one of them. This example adds web management interface access to your office network (the location of the SSH server computer) router, on IP, say, 192.168.0.1 and, as usual, port 80TCP:

    • putty ServerRouterPublicIPOrDomain -P 11122 -L 15900:localhost:5900 -L 10021:localhost:21 -L 10080:192.168.0.1:80

    • In this case, to connect to your remote router for management, navigate to:

    http://localhost:10080

SSH tunnels simulate a VPN network fine if there are not many devices to access on the remote side.

Sopalajo de Arrierez

Posted 2014-02-11T01:06:33.327

Reputation: 5 328
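
Why a forward such as `putty RemoteSSHServer -L 1723:VPNServer:1723` starts to negotiate but never connects, as an added example that is not part of the original answer: PPTP's control connection is TCP/1723, but the PPP data travels in GRE (IP protocol 47), which a TCP port forward cannot relay. The packets, addresses and function names below are constructed for illustration.

```python
import struct

PROTO_TCP, PROTO_GRE = 6, 47   # IPv4 protocol numbers
PPTP_PORT = 1723               # PPTP control connection (RFC 2637)
GRE_PPP = 0x880B               # protocol type in PPTP's enhanced GRE header

def ipv4(proto, payload, src="10.0.0.2", dst="203.0.113.10"):
    """Build a minimal IPv4 packet. Constructed sample data, checksum left at 0."""
    pack_addr = lambda a: bytes(int(x) for x in a.split("."))
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, proto, 0, pack_addr(src), pack_addr(dst))
    return header + payload

def classify(packet):
    """Return (kind, forwardable); forwardable means a TCP port forward can relay it."""
    header_len = (packet[0] & 0x0F) * 4
    proto, body = packet[9], packet[header_len:]
    if proto == PROTO_TCP:
        sport, dport = struct.unpack("!HH", body[:4])
        return ("pptp-control" if PPTP_PORT in (sport, dport) else "tcp"), True
    if proto == PROTO_GRE:
        flags_version, ptype = struct.unpack("!HH", body[:4])
        is_pptp = (flags_version & 0x7) == 1 and ptype == GRE_PPP
        return ("pptp-data" if is_pptp else "gre"), False
    return "other", False

def lost_in_tunnel(packets):
    """Kinds of traffic that never enter a forward such as -L 1723:VPNServer:1723."""
    return sorted({kind for kind, ok in map(classify, packets) if not ok})

# Constructed sample session: one control-channel SYN, then one PPP data frame.
tcp_syn = struct.pack("!HHIIHHHH", 49152, PPTP_PORT, 0, 0, (5 << 12) | 0x02, 8192, 0, 0)
gre_ppp = struct.pack("!HHHHI", 0x3001, GRE_PPP, 4, 1, 0) + b"\xff\x03\xc0\x21"
SESSION = [ipv4(PROTO_TCP, tcp_syn), ipv4(PROTO_GRE, gre_ppp)]

if __name__ == "__main__":
    for pkt in SESSION:
        print(classify(pkt))
    print("lost:", lost_in_tunnel(SESSION))
```

The same reasoning applies to a guest network's firewall: allowing TCP/1723 alone is not enough for PPTP unless IP protocol 47 is also passed.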

Thank you for your well thought-out answer. I have a laptop with Ubuntu Linux loaded already but I never fired it up since I relocated. I can do that if it is going to make things easier, but the problem still remains for the Windows client. My server can be anything (reasonable, of course). My client machine is at WinXP SP1, for reasons which are very hard to explain, but it has to remain that way for the foreseeable future. Which brings me back to the need for a 3rd party VPN client. Can I use PuTTY on Windows to tunnel thru by any chance (if I set up an SSH VPN server @ home, that is)? – Scott – 2014-02-11T22:40:46.850

You can just use SSH, even keeping both Windows (server and client), but it depends on what services you need from your remote server. If you establish a VPN connection to your server for accessing remote console (like telnet, 20TCP), remote display (like VNC, 5900TCP), remote files (like FTP, 21TCP), or remote web (HTTP, 80TCP), all those ports are easy to forward just by tunneling them with SSH. This is my preferred method to access my server when I am far from it: powerful and not difficult to configure. – Sopalajo de Arrierez – 2014-02-12T01:42:53.730

However, if you have a complete network wherever your remote server is and you need full access to all devices there (printers, NAS, more computers... etc), then the process gets a bit more complicated (that is: more complicated as the number of devices in your network increases). It is still possible, but in this second case, you could need OpenVPN: the ideal solution. This method is very powerful, but takes a bit longer to configure (generating keys, editing configuration files, installing drivers... on both the server and the client). – Sopalajo de Arrierez – 2014-02-12T01:43:29.077

Whenever you use SSH or OpenVPN to replace VPN PPTP, the selection of ports used will be completely in your hands. So your blocking problems will end. As I do not have much experience with OpenVPN, I cannot help you much with configuration, but if you prefer SSH as an alternative to PPTP 1723TCP port forwarding, I can edit my answer and write down a brief explanation on configuring Bitvise SSH Server and the Putty SSH client (just a command line, this one). – Sopalajo de Arrierez – 2014-02-12T01:44:42.673

The total network access that OpenVPN would provide would be great, so that I don't need to think twice about what I can and cannot do. Most of my need is to remote desktop into different Windows laptops. So, it is safe to say, the SSH tunneling connectivity should suffice most of the time. Actually, all I need right now is to run TeamViewer from my XP SP1 laptop and be able to access other laptops at my home office, running TeamViewer as well. It is blocked at places not letting me have port 1723 access. So, a write-up about SSH server cfg (& the client of course) on Windows is appreciated. – Scott – 2014-02-12T16:42:43.577

No problem for me, but TeamViewer does not need any open port nor VPN (http://www.teamviewer.com/en/help/334-Which-ports-are-used-by-TeamViewer.aspx). You should automatically be able to connect to your TeamViewer server without need of VPN. – Sopalajo de Arrierez – 2014-02-13T20:57:46.203

Thank you for the explanation of Bitvise first and foremost. But unfortunately, the firewall at one of my clients, where I am having connection problems, is deliberately blocking teamviewer.com and its IP address block somehow. It started a few weeks ago when they switched from Bluecoat web filtering to something else, which I cannot pinpoint. Before then, I could use TeamViewer fine and dandy. Now, the tray icon comes with a red exclamation mark on it and when I open the GUI, I get a "Not ready check your connection" message. – Scott – 2014-02-21T21:29:29.127

Yet, logmein agent is happily working but they abandoned their free service. Also, I can go to the VNC server with no problem but I am having problems with how TightVNC server handles keyboard bindings. Sometimes it acts like ctrl key is stuck and it is throwing some of my processes off the track. Hence the need for teamviewer to run. I just tried free version of cyberghost VPN, which says it uses OpenVPN via their proprietary app, but it also failed to connect. – Scott – 2014-02-21T21:32:37.580

So, with my desperate need for TeamViewer, I think I am still up the creek without a paddle, even with the Bitvise configuration you gave. Right? – Scott – 2014-02-21T21:33:42.930

You can try another VNC Server, like RealVNC Server. I use it and have no problem with keys sticking, at least from Windows to Windows. – Sopalajo de Arrierez – 2014-02-22T01:40:30.380

RealVNC is next in the pipeline but I have a bad feeling that Windows XP is causing this bad key mapping rather than the VNC server or viewer. But we shall see soon, I hope. I just need a day to test it. – Scott – 2014-02-22T04:55:15.550

-1

Kinda need more info about your VPN server, in order to help you here.

Alternatively, you can set up a VPN server on your local network, using http://openvpn.net/index.php/access-server/download-openvpn-as-sw.html (the user interface on their Access Server application is really nice if you're not familiar with Linux. It's easy to change the ports from the web interface.)

and then use the http://openvpn.net/index.php/access-server/download-openvpn-as-sw/357.html to connect to the server.

BD Bear

Posted 2014-02-11T01:06:33.327

Reputation: 101

You can't change the port on the client; it's the local firewall "NAT" or the server that controls what ports you are communicating to the VPN server with. – BD Bear – 2014-02-11T02:36:17.290