Jump to content
Not connected, Your IP: 18.188.227.64
tranquivox69

Eddie interaction with Windows Firewall

Recommended Posts

Probably a stupid question... I use Win 10 and I would like to understand if the Windows Firewall settings interact with the VPN or not.

If I have a port forwarded in the Client Area, does that port need to be open in the Windows Firewall too? I suppose it means: does the encrypted-decrypted traffic go through the Windows Firewall or it bypasses it?

I have thought so far that it went through the firewall, hence I opened the ports there. But thinking about it, today, made me doubt my reasoning.

Share this post


Link to post

My experiments lead me to believe that yes, Windows Firewall is in use even for Eddie.

One more question could be: is it possible to make the WinTun connection "Public", in Windows lingo? Currently is seen as Private but it does not appear in the Network/Ethernet settings, so I can't change its profile.
This means that if I open ports for the VPN I have to make them available for my ISP connection too.

The open/private definitions matter relatively, it would be nice to have a way to differentiate between ISP and VPN for Windows Firewall rules is what I'm trying to say.

Share this post


Link to post
Posted ... (edited)
The contents of a VPN tunnel bypass the machine's firewall. You do not need to (and generally should not) open your machine's ports corresponding to what you have open on the AirVPN Port Forwarding page.

The implementation of the AirVPN tunnel typically uses port 443 (OpenVPN) or port 1637 (wireguard) in the Windows world, but those connections are initiated from within Windows, and default firewall settings allow replies through with no action on your part, so you can ignore that. 

Any connection to the Air-forwarded port at the Air server is forwarded through the tunnel to the Windows TUN or wg interface, which sits inside the firewall,  and so is encrypted. Windows doesn't even know about that use of the port you set up at Air. Edited ... by SurprisedItWorks
correction

Share this post


Link to post
1 hour ago, tranquivox69 said:

My experiments lead me to believe that yes, Windows Firewall is in use even for Eddie.

One more question could be: is it possible to make the WinTun connection "Public", in Windows lingo? Currently is seen as Private but it does not appear in the Network/Ethernet settings, so I can't change its profile.
This means that if I open ports for the VPN I have to make them available for my ISP connection too.

The open/private definitions matter relatively, it would be nice to have a way to differentiate between ISP and VPN for Windows Firewall rules is what I'm trying to say.


You definitely will need to open a port. You can restrict it to only the torrent client very easily. See below. You could also use the GUI to modify the rule that gets added by the method below to restrict to a specific port number or local address or subnet.

https://airvpn.org/forums/topic/47259-qbittorrent-not-seeding/?tab=comments#comment-111500
 
On 8/21/2020 at 12:54 PM, NaDre said:


Windows will consider the OpenVPN network interface to be a "public" network. So for port forwarding to work, your torrent client needs Windows Firewall permission to receive connections on a "public" network. A simple way to do this is to remove the existing firewall entries for the program. Then when the program is restarted you will be prompted again asking whether to allow connections from "private" and "public" networks. To start Windows Firewall you can find it the start menu, enter "WF.msc" in a command window or:

  • right mouse-click the Windows "Start" button
  • select "Run"
  • enter "WF.msc"
In "Inbound Rules" sort by "Program". Find your client, right-mouse click and "Delete". There is probably one entry for TCP and one for UDP.

Or just change the entry to make it work. But as I said it may be easier to just remove the existing rules and use the prompt that comes up when you start the client.
 

Share this post


Link to post
1 hour ago, SurprisedItWorks said:
The contents of a VPN tunnel bypass the machine's firewall. You do not need to (and generally should not) open your machine's ports corresponding to what you have open on the AirVPN Port Forwarding page.

The implementation of the AirVPN tunnel typically uses port 443 (OpenVPN) or port 1637 (wireguard) in the Windows world, but those connections are initiated from within Windows, and default firewall settings allow replies through with no action on your part, so you can ignore that. 

Any connection to the Air-forwarded port at the Air server is forwarded through the tunnel to the Windows TUN or wg interface, which sits inside the firewall,  and so is encrypted. Windows doesn't even know about that use of the port you set up at Air.

Your reply states exactly the opposite of the following answer :)

Share this post


Link to post
1 minute ago, tranquivox69 said:

Your reply states exactly the opposite as the previous answer :)

I know.

It is true that you do not have to set up any port forwarding in your router. But Windows Firewall is still an issue. A port must be opened.
 

Share this post


Link to post
9 minutes ago, NaDre said:

I know.

It is true that you do not have to set up any port forwarding in your router. But Windows Firewall is still an issue. A port must be opened.
 

Ok, now I'm confused. I've disabled the rules for the two bittorrent clients I use. Ports are not opened on the router, ports are not open on the firewall. I check with ipleak torrent address detection and it goes through the VPN. I download torrents and they work. The only ports open are those on AirVPN port forwarding. But you state that "a port must be opened". What gives? :)

Share this post


Link to post
22 minutes ago, tranquivox69 said:

Ok, now I'm confused. I've disabled the rules for the two bittorrent clients I use. Ports are not opened on the router, ports are not open on the firewall. I check with ipleak torrent address detection and it goes through the VPN. I download torrents and they work. The only ports open are those on AirVPN port forwarding. But you state that "a port must be opened". What gives? :)

Incoming connections will be blocked by Windows Firewall unless you permit them. Whether it is the real interface or the VPN interface. So your torrent client will not be connectable. Did you try the port testing at AirVPN? If you do not care about being connectable, then there was no reason to forward a port at AirVPN.
 

Share this post


Link to post
5 hours ago, NaDre said:

Incoming connections will be blocked by Windows Firewall unless you permit them. Whether it is the real interface or the VPN interface. So your torrent client will not be connectable. Did you try the port testing at AirVPN? If you do not care about being connectable, then there was no reason to forward a port at AirVPN.
 

Uhm... more confused than ever. Port testing does in fact show me as unreachable. Some sort of "passive mode" like DC++ has could be at work, maybe? Because if I use the torrent checker at IPleak, it works, displaying my AirVPN IP and I'm downloading and uploading too from torrents.

Which brings me back to the other question I had: how can I set things so that the WinTun interface is seen by Windows as Public/Private. Is there anywhere I can configure this?

Share this post


Link to post

Found this:
 

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
Change "Category" from 0 to 1 (the opposite in my case)

Share this post


Link to post
4 minutes ago, Marasuma said:

Just in case you weren't, make sure your torrent application is running before testing open port thing

Yup, I was aware of that, thanks!

Didn't know that was doable through group policy editor (I have W10 Pro, I can access that). Where exactly?

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...