Friday, February 25, 2011

Allow a VPN Connection in Windows 7 Firewall - Ports to Open - Error 809

If you are using Windows 7 Firewall with outbound traffic restrictions, you may run into problems if you attempt to use a VPN service, receiving Error 809. I block all outbound traffic that does not match an existing rule by default, and ran into some trouble attempting to connect to my VPN.

(NOTE: The instructions below assume some familiarity with modifying rules in the Windows 7 Firewall. If you need some further direction, see this guide, and start at step #4.)

To use an L2TP-based VPN, you must create a rule to allow outbound UDP connections on port 1701. You should apply this to the Private and Public profiles (Domain should not be necessary, but if this fails, try Domain as well).

To use a PPTP-based VPN, the same applies, except that you must allow TCP port 1723.

To use an IPSec-based VPN, the same applies, except that you must allow UDP port 500.
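The three rules above, created from a script rather than by hand, as an added example (this is not code from the original post). It uses netsh, which is present on Windows 7; the New-NetFirewallRule cmdlets only exist on Windows 8 / Server 2012 and later. The rule names, the helper function and the optional remote-address scoping are assumptions of this example, and the last three rules (GRE, UDP 4500, ESP) go beyond what the post lists: PPTP carries its tunnel data over GRE (IP protocol 47) and L2TP/IPsec uses UDP 4500 for NAT traversal and ESP (IP protocol 50), so with a default-deny outbound policy the tunnel can negotiate but pass no traffic unless those are allowed too.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell.
# Assumed rule names; change them to fit your own naming scheme.

function Add-OutboundAllowRule {
    param(
        [string]$Name,
        [string]$Protocol,                    # tcp, udp, or an IP protocol number (47 = GRE, 50 = ESP)
        [string]$RemotePort,                  # omit for protocols that have no ports
        [string]$RemoteIp = 'any',            # tighten to your VPN server's address if it is fixed
        [string]$Profile = 'private,public'   # Domain added only if the post's fallback is needed
    )
    $nargs = @('advfirewall', 'firewall', 'add', 'rule',
               "name=$Name", 'dir=out', 'action=allow',
               "protocol=$Protocol", "remoteip=$RemoteIp", "profile=$Profile")
    if ($RemotePort) { $nargs += "remoteport=$RemotePort" }
    $out = & netsh @nargs
    if ($LASTEXITCODE -ne 0) { throw "netsh failed adding rule '$Name': $out" }
    Write-Host "Added rule $Name"
}

# Confirm the firewall really is default-deny outbound (the post's setup);
# look for 'Outbound connections  BlockOutbound' under each profile.
netsh advfirewall show allprofiles | Select-String -Pattern 'Profile Settings|Outbound'

# The three rules the post describes
Add-OutboundAllowRule -Name 'VPN-L2TP-UDP-1701'  -Protocol udp -RemotePort 1701
Add-OutboundAllowRule -Name 'VPN-PPTP-TCP-1723'  -Protocol tcp -RemotePort 1723
Add-OutboundAllowRule -Name 'VPN-IPsec-UDP-500'  -Protocol udp -RemotePort 500

# Beyond the post: the data-plane protocols the tunnels also need
Add-OutboundAllowRule -Name 'VPN-PPTP-GRE'       -Protocol 47
Add-OutboundAllowRule -Name 'VPN-IPsec-UDP-4500' -Protocol udp -RemotePort 4500
Add-OutboundAllowRule -Name 'VPN-IPsec-ESP'      -Protocol 50

# Verify: list the rules just created
netsh advfirewall firewall show rule name=all dir=out | Select-String -Pattern 'Rule Name:\s+VPN-'
```

If your VPN server has a fixed address, pass `-RemoteIp` so the rule allows those ports only toward that host; an unscoped allow on UDP 500 or TCP 1723 lets any process on the machine reach any host on those ports, which is more than a VPN client needs.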

Some router / protocol combinations may also require that you modify router settings to allow them. My D-Link DIR-625 has a specific "tick-box" to allow certain protocols, such as PPTP. Your best bet if you use a router is to consult your router manual or your router's settings if opening your port locally is not successful.

Friday, February 4, 2011

avast! Web Shield and VPN - bypasses VPN connection

I recently changed antivirus programs from Panda Cloud to avast! antivirus. Suddenly, my browser was being allowed through the firewall without any issue no matter what network I was using, despite all the steps I had taken in the guide here. I was baffled, and in fact I didn't connect the installation of avast! with the problem (note to self: when things suddenly stop working, ask yourself what changes you have made recently).

Turns out the avast! program essentially acts as a proxy, passing all HTTP traffic through avast! and then to the Internet, bypassing any rule you have to block the browser from doing so: the firewall sees the avast! process making the connection, not the browser.

Since Windows Firewall allows all outbound connections that do not match a rule, it's gonna get out. So, if you use an antivirus program with a "Web Shield" or similar functionality, you may want to consider disabling that function to prevent leaking your true IP address.
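A quick way to see whether this is happening on your own machine, as an added example that is not part of the original post: list the browser's established TCP connections and check whether they terminate at a loopback address instead of a remote host. If they do, some local process (a web shield, a filtering proxy) is the one actually talking to the Internet, and that is the process your outbound firewall rules are matched against. The script parses `netstat -ano` so it works on the Windows 7 / PowerShell 2.0 of the post; the process name to inspect (`firefox`) and the function names are assumptions of this example.

```powershell
# Added example, not from the original post. Run in any PowerShell session
# (elevation is only needed for netstat to resolve every PID).
param([string]$ProcessName = 'firefox')   # assumption: the browser to inspect

function Get-TcpTable {
    # Turn "netstat -ano -p tcp" lines into objects: Local, Remote, State, PID
    foreach ($line in (netstat -ano -p tcp)) {
        if ($line -match '^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$') {
            New-Object PSObject -Property @{
                Local  = $matches[1]
                Remote = $matches[2]
                State  = $matches[3]
                PID    = [int]$matches[4]
            }
        }
    }
}

function Test-LoopbackProxy {
    param([string]$Name)
    $table = Get-TcpTable
    $procIds = Get-Process -Name $Name -ErrorAction SilentlyContinue | ForEach-Object { $_.Id }
    if (-not $procIds) { Write-Host "No running process named '$Name'."; return }

    $conns = $table | Where-Object { $procIds -contains $_.PID -and $_.State -eq 'ESTABLISHED' }
    if (-not $conns) { Write-Host "$Name has no established TCP connections right now."; return }

    foreach ($c in $conns) {
        # Split "host:port"; the lookahead keeps IPv6 forms like [::1]:443 intact
        $remoteHost, $remotePort = $c.Remote -split ':(?=\d+$)'
        if ($remoteHost -match '^127\.' -or $remoteHost -eq '[::1]') {
            # Who is listening on that loopback port? That is the process the firewall sees.
            $listener = $table |
                Where-Object { $_.State -eq 'LISTENING' -and $_.Local -match ":$remotePort$" } |
                Select-Object -First 1
            $lname = 'unknown'
            if ($listener) {
                $p = Get-Process -Id $listener.PID -ErrorAction SilentlyContinue
                if ($p) { $lname = $p.Name }
            }
            "$Name -> $($c.Remote): LOCAL PROXY HOP, handled by '$lname' (PID $($listener.PID)); outbound rules for $Name do not apply"
        } else {
            "$Name -> $($c.Remote): leaves directly; outbound rules for $Name apply"
        }
    }
}

Test-LoopbackProxy -Name $ProcessName
```

If every browser connection shows up as a loopback hop, the defensive options are the one the post names (disable the shield) or an outbound block rule on the proxy process itself, which then blocks all of its filtered traffic, since the firewall cannot tell which browser it came from.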

...of course, that decision is fraught with its own perils. Browse carefully!