Friday, February 25, 2011

Allow a VPN Connection in Windows 7 Firewall - Ports to Open - Error 809

If you are using Windows 7 Firewall with outbound traffic restrictions, you may run into problems if you attempt to use a VPN service, receiving Error 809. I block all outbound traffic that does not match an existing rule by default, and ran into some trouble attempting to connect to my VPN.

(NOTE: The instructions below assume some familiarity with modifying rules in the Windows 7 Firewall. If you need some further direction, see this guide, and start at step #4.)

To use an L2TP - based VPN, you must create a rule to allow outbound UDP connections on port 1701. You should apply this to the Private and Public profiles (Domain should not be necessary - but if this fails, try Domain as well).

To use a PPTP - based VPN, the same applies, however you must allow TCP port 1723.

To use an IPSec - based VPN, the same applies, however you must allow UDP port 500.

Some router /  protocol combinations may also require that you modify router settings to allow them. My D-Link DIR-625 has a specific "tick-box" to allow certain protocols, such as PPTP. Your best bet if you use a router is to consult your router manual / your router's settings if opening your port locally is not successful.

10 comments:

PJ said...

hey, I tried this setup, but there is one problem:

When I create a rule to allow TCP connections on 443 for my openVPN connection, I notice that I am still able to browse HTTPS websites.

I want ALL traffic on ALL ports to be blocked when the VPN is not connected.

How can I do this ?

practicalrambler. said...

pokerxpro:

Is the rule to allow traffic on port 443 for the OpenVPN client, or for all applications? If it is for all applications, try limiting its scope to the OpenVPN client alone. I don't use OpenVPN so I can't test it, but it seems to me this should work. :)

Hope this helps!

PJ said...
This comment has been removed by the author.
PJ said...

I had the rule to allow all programs...I just added openvpn.exe to the rule and it seems to have fixed the problem!


Next question I have is:

For some sites (netflix,pandora), I cannot use my VPN.

With the firewall rules in place, of course, I cannot access the web without the VPN connected.

So, the only option I have is to turn OFF the windows firewall for "home network". I don't feel safe turning it off for several hours.

What would you suggest as a work-around ?

(i.e. create different user profiles? or a way to switch rules on and off quickly?)

practicalrambler. said...

Try this: http://practicalrambler.blogspot.com/2011/06/how-to-create-custom-windows-7-firewall.html

PJ said...

thanks ...that link has a very good setup , I was able to get everything setup and working :)

thanks for your write ups, very useful!!

PJ said...

one last thought:

I have 'main' and 'secondary' user accounts in windows 7. Main uses strict fw rules, the other is standard.

when using 2 user accounts with different firewall settings (as your post describes) , is there any chance that the second account could leak internet traffic through my ISP WHILE I am logged into the main profile?

practicalrambler. said...

PJ: As long as you login to only one account at a time, and maintain the strict rules, you should be OK.

TCPView is a good program for monitoring networking connections, consider using it. Best of luck to you. :)

FJ said...

Hello again. Any idea how to allow SSTP to connect after using your guides to block all programs? I have tried port 443 but am getting an error when trying to connect. Everything else is set up correctly.

Thanks.

FJ

practicalrambler. said...

FJ: Ensure you have allowed port 443 for inbound and outbound traffic for your VPN client.

You should also check your router setup (assuming you have a router) for anything related to SSTP - you may have to enable it.

Also, try disabling the firewall briefly and attempting to connect to your VPN. If it works, try a global rule allowing port 443.

My best guesses. :)