tranquivox69 27 Posted ...

Probably a stupid question... I use Win 10 and I would like to understand if the Windows Firewall settings interact with the VPN or not. If I have a port forwarded in the Client Area, does that port need to be open in the Windows Firewall too? I suppose it means: does the encrypted-decrypted traffic go through the Windows Firewall or does it bypass it? I have thought so far that it went through the firewall, hence I opened the ports there. But thinking about it, today, made me doubt my reasoning.

tranquivox69 27 Posted ...

My experiments lead me to believe that yes, Windows Firewall is in use even for Eddie. One more question could be: is it possible to make the WinTun connection "Public", in Windows lingo? Currently it is seen as Private but it does not appear in the Network/Ethernet settings, so I can't change its profile. This means that if I open ports for the VPN I have to make them available for my ISP connection too. The open/private definitions matter relatively, it would be nice to have a way to differentiate between ISP and VPN for Windows Firewall rules is what I'm trying to say.

SurprisedItWorks 49 Posted ... (edited)

The contents of a VPN tunnel bypass the machine's firewall. You do not need to (and generally should not) open your machine's ports corresponding to what you have open on the AirVPN Port Forwarding page. The implementation of the AirVPN tunnel typically uses port 443 (OpenVPN) or port 1637 (WireGuard) in the Windows world, but those connections are initiated from within Windows, and default firewall settings allow replies through with no action on your part, so you can ignore that. Any connection to the Air-forwarded port at the Air server is forwarded through the tunnel to the Windows TUN or wg interface, which sits inside the firewall, and so is encrypted. Windows doesn't even know about that use of the port you set up at Air.

Edited ... by SurprisedItWorks correction

NaDre 157 Posted ...

1 hour ago, tranquivox69 said:
My experiments lead me to believe that yes, Windows Firewall is in use even for Eddie. One more question could be: is it possible to make the WinTun connection "Public", in Windows lingo? Currently it is seen as Private but it does not appear in the Network/Ethernet settings, so I can't change its profile. This means that if I open ports for the VPN I have to make them available for my ISP connection too. The open/private definitions matter relatively, it would be nice to have a way to differentiate between ISP and VPN for Windows Firewall rules is what I'm trying to say.

You definitely will need to open a port. You can restrict it to only the torrent client very easily. See below. You could also use the GUI to modify the rule that gets added by the method below to restrict to a specific port number or local address or subnet.

https://airvpn.org/forums/topic/47259-qbittorrent-not-seeding/?tab=comments#comment-111500

On 8/21/2020 at 12:54 PM, NaDre said:
Windows will consider the OpenVPN network interface to be a "public" network. So for port forwarding to work, your torrent client needs Windows Firewall permission to receive connections on a "public" network. A simple way to do this is to remove the existing firewall entries for the program. Then when the program is restarted you will be prompted again asking whether to allow connections from "private" and "public" networks.

To start Windows Firewall you can find it in the Start menu, enter "WF.msc" in a command window or:
- right mouse-click the Windows "Start" button
- select "Run"
- enter "WF.msc"

In "Inbound Rules" sort by "Program". Find your client, right-mouse click and "Delete". There is probably one entry for TCP and one for UDP. Or just change the entry to make it work. But as I said it may be easier to just remove the existing rules and use the prompt that comes up when you start the client.

tranquivox69 27 Posted ...

1 hour ago, SurprisedItWorks said:
The contents of a VPN tunnel bypass the machine's firewall. You do not need to (and generally should not) open your machine's ports corresponding to what you have open on the AirVPN Port Forwarding page. The implementation of the AirVPN tunnel typically uses port 443 (OpenVPN) or port 1637 (WireGuard) in the Windows world, but those connections are initiated from within Windows, and default firewall settings allow replies through with no action on your part, so you can ignore that. Any connection to the Air-forwarded port at the Air server is forwarded through the tunnel to the Windows TUN or wg interface, which sits inside the firewall, and so is encrypted. Windows doesn't even know about that use of the port you set up at Air.

Your reply states exactly the opposite of the following answer

NaDre 157 Posted ...

1 minute ago, tranquivox69 said:
Your reply states exactly the opposite as the previous answer

I know. It is true that you do not have to set up any port forwarding in your router. But Windows Firewall is still an issue. A port must be opened.

tranquivox69 27 Posted ...

9 minutes ago, NaDre said:
I know. It is true that you do not have to set up any port forwarding in your router. But Windows Firewall is still an issue. A port must be opened.

Ok, now I'm confused. I've disabled the rules for the two bittorrent clients I use. Ports are not opened on the router, ports are not open on the firewall. I check with ipleak torrent address detection and it goes through the VPN. I download torrents and they work. The only ports open are those on AirVPN port forwarding. But you state that "a port must be opened". What gives?

NaDre 157 Posted ...

22 minutes ago, tranquivox69 said:
Ok, now I'm confused. I've disabled the rules for the two bittorrent clients I use. Ports are not opened on the router, ports are not open on the firewall. I check with ipleak torrent address detection and it goes through the VPN. I download torrents and they work. The only ports open are those on AirVPN port forwarding. But you state that "a port must be opened". What gives?

Incoming connections will be blocked by Windows Firewall unless you permit them. Whether it is the real interface or the VPN interface. So your torrent client will not be connectable. Did you try the port testing at AirVPN? If you do not care about being connectable, then there was no reason to forward a port at AirVPN.

tranquivox69 27 Posted ...

5 hours ago, NaDre said:
Incoming connections will be blocked by Windows Firewall unless you permit them. Whether it is the real interface or the VPN interface. So your torrent client will not be connectable. Did you try the port testing at AirVPN? If you do not care about being connectable, then there was no reason to forward a port at AirVPN.

Uhm... more confused than ever. Port testing does in fact show me as unreachable. Some sort of "passive mode" like DC++ has could be at work, maybe? Because if I use the torrent checker at IPleak, it works, displaying my AirVPN IP and I'm downloading and uploading too from torrents. Which brings me back to the other question I had: how can I set things so that the WinTun interface is seen by Windows as Public/Private. Is there anywhere I can configure this?

tranquivox69 27 Posted ...

I mean... As you can see WinTun AirVPN is set as a Private network. I'd like to make it Public.

tranquivox69 27 Posted ...

Found this:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles

Change "Category" from 0 to 1 (the opposite in my case)

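Added example, not part of any post in this thread: the network-category change discussed above, made with the supported PowerShell cmdlets instead of the registry "Category" value, followed by an inbound allow rule bound to the VPN interface so the forwarded port is not also opened on the ISP connection. The adapter alias, port number, client path and rule name are placeholders to be replaced with your own values.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Every value below is a placeholder
# (an assumption): substitute your own adapter alias, port and client path.
$VpnAlias   = 'VPN-ADAPTER-ALIAS'                # placeholder: alias listed by Get-NetAdapter
$FwdPort    = 50000                              # placeholder: port forwarded at the VPN provider
$ClientPath = 'C:\Path\To\torrent-client.exe'    # placeholder: torrent client executable
$RuleName   = 'Torrent inbound (VPN interface only)'   # hypothetical rule name

# 1. Show how Windows currently classifies each connected network.
Get-NetConnectionProfile |
    Format-Table InterfaceAlias, Name, NetworkCategory -AutoSize

# 2. Stop early if the tunnel is down: no profile exists for a disconnected adapter.
$vpn = Get-NetConnectionProfile -InterfaceAlias $VpnAlias -ErrorAction SilentlyContinue
if (-not $vpn) { throw "No connection profile for '$VpnAlias'. Is the tunnel up?" }

# 3. Classify the VPN network as Public so the stricter firewall profile applies to it.
if ($vpn.NetworkCategory -ne 'Public') {
    Set-NetConnectionProfile -InterfaceAlias $VpnAlias -NetworkCategory Public
}

# 4. Remove any earlier copy of this rule, then allow inbound traffic for the
#    client on the forwarded port, matching only the VPN interface.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule
foreach ($proto in 'TCP', 'UDP') {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Program $ClientPath -Protocol $proto -LocalPort $FwdPort `
        -InterfaceAlias $VpnAlias -Profile Any | Out-Null
}

# 5. Confirm the interface binding of the new rules.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallInterfaceFilter |
    Select-Object InstanceID, InterfaceAlias
```

Windows Firewall allow rules are additive, so any broader allow rule for the same program (such as the ones created from the "private"/"public" prompt) still applies on every interface until it is disabled or deleted.
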
tranquivox69 27 Posted ...

4 minutes ago, Marasuma said:
Just in case you weren't, make sure your torrent application is running before testing open port thing

Yup, I was aware of that, thanks! Didn't know that was doable through group policy editor (I have W10 Pro, I can access that). Where exactly?