How-to: Windows Firewall and Port-forwarding

[Stalinium 43]

The port-forwarding page was updated very recently (neat!) and there's now an option to test whether the port is open and reachable. I did test it: unreachable!
Darn, I must've changed/enabled the firewall again. Disable it? No, I will show you the proper way how to configure Windows Firewall for port-forwarding.
Screenshots attached below
 

1. Go to "Control Panel\All Control Panel Items\Windows Firewall". You will see the Home/Work and Public networks. Find out which one is your OpenVPN connection to AirVPN (mine is properly named, yours will not be), preferably you should've set it as a public network like me.
   1. if the VPN connection is not classified as a public network, change it now. There's no reason to allow Windows to be promiscuous with the local services like printing and file sharing on the VPN network.
2. Read what is says about incoming connections: "Block all connections to programs that are not on the list of allowed programs". We will need to change that
3. On the left click "Advanced settings" (opens "Windows Firewall with Advanced Security") - OR skip steps 1,2: Press Win+R keys and run "WF.msc"
4. You'll see the same thing as in 3: "Public profile is Active - Inbound connections that do not match a rule are blocked" and "Outbound connections that do not match a rule are allowed"
   1. This means we only need to create inbound rules to allow incoming connections (port-forwarding)
5. [Allow Program] Go to "Inbound Rules" -> New Rule...
   1. Rule Type = Program, Next
   2. This program path = choose the program's .exe file. Like "C:\Gameserver\server.exe", NEXT
      1. For Minecraft that's either java.exe or javaw.exe in Program Files. Windows: cmd.exe and run "where java" to find out the path. The first line is your answer
   3. Action = Allow the connection, Next
   4. Profile = Check the profile where AirVPN adapter is (e.g. Public). You can select all three checkboxes, it's ok.
   5. Name = "MyServer (allow program)"
   6. Your new entry will appear at the top. When you next visit the settings, it will be sorted alphabetically.
6. [Allow ports] Only doing (5) was not enough to get port-forwarding to work, I had to explicitly allow the ports. Go to "Inbound Rules" -> New Rule...
   1. Rule Type = Port, Next
   2. TCP/UDP (repeat these steps to enable TCP AND UDP with 2 different rules)
   3. Specific local ports: Enter the port from port-forwarding page. If you specified a different local port there, enter the local port in Firewall settings.
   4. Next
   5. Allow the connection, Next
   6. Profile = See above or check all
   7. Name = "MyServer (allow TCP _port#_)
   8. Repeat these steps to allow UDP

Now port-forwarding should work and inbound connections be accepted by your server or content-sharing application.

This guide was sponsored by windows 7 gang

Final result (I forgot to allow UDP 1234 too)

Go to Windows Firewall, click advanced settings (left):

Create new Inbound rule to Allow program (step 5):

Now the individual TCP/UDP ports (step 6)

[NaDre 154]

Windows will consider the OpenVPN network interface to be a "public" network. But this is not checked by default in the prompt you get when you first start a program that does networking.

So a shorter and good enough way might be to:

1. Stop the torrent client.

2. Delete any firewall rules for the torrent client program. No great understanding needed for this.

To start Windows Firewall you can find it the start menu, enter "WF.msc" in a command window or:

• right mouse-click the Windows "Start" button
• select "Run"
• enter "WF.msc"

In "Inbound Rules" sort by "Program". Find your client, right-mouse click and "Delete". There is probably one entry for TCP and one for UDP.

3. Restart the torrent client.

4. When you get the prompt from Windows Firewall about whether to allow incoming connections, be sure to choose "public" in addition to "private". This will create new firewall rules for the torrent client program.

EDIT: Another post about this here:

https://airvpn.org/forums/topic/47259-qbittorrent-not-seeding/?tab=comments#comment-111500
 

[Stalinium 43]

17 hours ago, Stalinium said:

[Allow ports] Only doing (5) was not enough to get port-forwarding to work, I had to explicitly allow the ports. Go to "Inbound Rules" -> New Rule...

@NaDre I've already had the program allowed for Private and Public networks and it was not enough. I actually had to manually add the TCP+UDP ports as shown in the guide. Thank you for wf.msc

[OpenSourcerer 1359]

I'll tell you how to fix that. The shortest way is in Powershell:

> Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled false

and doing something with more sense in your life because ultimately your router (AirVPN if connected) is your firewall.

[NaDre 154]

56 minutes ago, OpenSourcerer said:

I'll tell you how to fix that. The shortest way is in Powershell:

> Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled false

and doing something with more sense in your life because ultimately your router (AirVPN if connected) is your firewall.

I think most routers still have UPnP and NAT-PMP enabled by default. I bet many (most?) AirVPN customers have never changed any setting  in their router. So leaving Windows Firewall enabled might be a good idea? And for typical Windows users never doing any changes to Windows Firewall other than allowing incoming ports for a specific program might be wise? Are they going to remember in 3 months what they did?
 

[OpenSourcerer 1359]

3 hours ago, NaDre said:

I think most routers still have UPnP and NAT-PMP enabled by default. I bet many (most?) AirVPN customers have never changed any setting  in their router. So leaving Windows Firewall enabled might be a good idea?

The sensible setting would be to allow practically anything for compatibility and acceptability reasons ("user friendliness") because of exactly that: Most people don't even know a firewall is running, let alone what a firewall is. The guide above should really be followed only by those who know the consequences of their actions.

Also, if a port is opened through either protocols, there's still a chance whatever program requested the port to be opened might also have configured the firewall to accept that. It happens quicker than you might think, the UAC dialogue is so spammy, people instinctively click yes, thus elevating the program and letting it do whatever.
 

22 hours ago, Stalinium said:

This guide was sponsored by windows 7 gang

You run Windows 7 still? You like to play with fire, don't you? » https://distrochooser.de/en/