Firewall (client router or client OS) blocking outgoing VPN?
My colleague cannot access our office PiVPN from her home but I can on my laptop from my home.
So by outgoing VPN, I mean the client trying to connect to the VPN server here, and something in between is maybe blocking it. We successfully tested both laptops (both Linux) at the office going online through a mobile hotspot from my phone, and both had access, so I guess client settings on her laptop should be fine, but I was thinking maybe my colleague's router at home could block her outgoing VPN from reaching the Pi at the office, is that possible? If yes, what settings would I need to check on that router? Both clients are configured using OpenVPN. I've also seen reports of Windows firewall blocking clients' VPN, so I thought it might be something on my colleague's OS (Lubuntu 18.04) that's blocking it?
It is a ZTE router provided from 3 Austria, branded "3 Webgate" probably 3rd iteration: https://maxwireless.de/2014/3webgate...zte-gefertigt/
I found there is a thing called VPN passthrough, apparently a feature when the router allows it. I haven't been able to find a setting for it though on my Huawei B593s-22 router, which is not blocking my VPN client from going out. EDIT: I'm on the router's web interface now, and it doesn't seem to provide any setting for enabling VPN passthrough. It also isn't showing any new available firmware.
https://nordvpn.com/blog/vpn-passthrough/ Not relevant for OpenVPN. Is your server listening on port 1194, or some other? Perhaps check that this router isn't blocking outgoing connections on that particular port. There is a chance that it is MTU related, specific to the router/ISP network. This would explain why there were no issues during the testing via another network. Sometimes it is necessary to tune the maximum MTU on the client end (tun-mtu parameter in client config) to prevent packet fragmentation occurring. Mentioned here... https://forum.netgate.com/topic/9288...t-not-4g-lte/7 From the OpenVPN Reference Manual...
I'm not sure if I understood how to set the tun-mtu option.
It's supposed to go in the .ovpn configuration file that I generated on the server and imported to the client, yes? Mine looks like this:
Code:
client
Code:
tun-mtu 1300
Also, I'd have to re-import that file then? I did it with the network-manager GUI.
Maybe I should mention that on my phone I have the same ISP/carrier as the offending LTE router, and I can connect over that too, using my phone as a mobile hotspot.
If I understand your suggestion about the MTU setting correctly, I should do this in the client config, which means nothing changes on the router. If MTU size is the problem, but I can fix it on the client, how does the router or even the ISP factor in?
https://openvpn.net/vpn-server-resou...-command-line/
Thanks for this information!
The server is a Raspberry Pi running PiVPN, and I am the administrator of the small office network that we're trying to VPN into. Now there is a lot about ports mentioned, but unfortunately I seem to have a poor understanding of how this works, because: port 443 on which device? There are three (maybe 4?) devices here this could be referring to: the client, the server and the client-side router (and maybe also the server-side router)? My understanding - correct me if I'm wrong - is that traffic can go out from one host (e.g. the VPN client) through any port and arrive at its destination (e.g. the VPN server) through an entirely different one...?
So what I'm asking is: this port on which device? If you're talking about the RPi, it's not used for anything else but for managing the PiVPN.
Btw my colleague said if the router was the problem and we can't fix it on this device, she could just get a newer model from the ISP/carrier. Could this solve the problem? If yes, what specification of the new router would we need to look out for?
Worth a shot I guess, but I can't/won't promise anything here. It's already a surprise to me that it would block outgoing traffic on that port. You could examine the client OpenVPN logs to get a better idea on what is happening. Since your colleague uses NetworkManager, you could open a terminal and run
Code:
sudo journalctl -fu NetworkManager
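As an added example (not from the thread), a small Python triage that reads the kind of lines the journal command above produces and says whether the client got any answer from the server at all. The message texts follow OpenVPN's own log strings; the host name, PID, address, port and timestamps in the samples are constructed.

```python
import re

# Constructed sample journal lines (shape of nm-openvpn messages, not real output).
SAMPLE_BLOCKED = """\
Mar 03 08:00:10 lap nm-openvpn[2211]: UDP link remote: [AF_INET]203.0.113.10:1194
Mar 03 08:01:10 lap nm-openvpn[2211]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mar 03 08:01:10 lap nm-openvpn[2211]: TLS Error: TLS handshake failed
Mar 03 08:01:10 lap nm-openvpn[2211]: SIGUSR1[soft,tls-error] received, process restarting
"""
SAMPLE_OK = """\
Mar 03 08:00:10 lap nm-openvpn[2211]: UDP link remote: [AF_INET]203.0.113.10:1194
Mar 03 08:00:11 lap nm-openvpn[2211]: Initialization Sequence Completed
"""

# Ordered by priority: the first tag found anywhere in the log decides the verdict.
PATTERNS = [
    ("connected", re.compile(r"Initialization Sequence Completed")),
    ("no_reply", re.compile(r"TLS key negotiation failed to occur within \d+ seconds")),
    ("handshake_failed", re.compile(r"TLS handshake failed")),
]
ADVICE = {
    "connected": "tunnel came up; if transfers stall later, look at MTU (tun-mtu / mssfix) next",
    "no_reply": "no answer from {remote}: the client-side router or ISP may block outbound "
                "traffic to that port, or the path drops the packets; compare with a hotspot",
    "handshake_failed": "server answered but TLS failed: check certs/keys in the .ovpn first",
    "unknown": "no known OpenVPN state lines found; raise 'verb' in the client config",
}
REMOTE_RE = re.compile(r"link remote: \[AF_INET6?\](\S+)")

def triage(journal_text: str) -> dict:
    """Return the remote endpoint, the tags seen, and a one-line verdict."""
    remote, seen = None, set()
    for line in journal_text.splitlines():
        m = REMOTE_RE.search(line)
        if m:
            remote = m.group(1)          # e.g. 203.0.113.10:1194 (server address:port)
        for tag, pat in PATTERNS:
            if pat.search(line):
                seen.add(tag)
    verdict = next((tag for tag, _ in PATTERNS if tag in seen), "unknown")
    return {"remote": remote, "tags": sorted(seen),
            "verdict": verdict, "advice": ADVICE[verdict].format(remote=remote)}

if __name__ == "__main__":
    for name, text in (("blocked", SAMPLE_BLOCKED), ("ok", SAMPLE_OK)):
        r = triage(text)
        print(f"{name}: {r['verdict']} -> {r['advice']}")
```

Pipe the journal output into a file and pass its contents to `triage()`; a `no_reply` verdict on the colleague's router and `connected` on the hotspot points at the router or ISP rather than the laptop.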
Just my $.02
I once had an ISP (satellite) that disallowed ANY continuous connections through their service unless you paid through the nose for that service. I could connect sometimes with ssh for seconds and sometimes not at all. I wonder if the problem here may be similar. You have said that connection works through your mobile hotspot so it is not configuration of the client that is affecting it. That leaves only the router or ISP to interfere. Maybe try a different router, or talk to the ISP's tech support, or both.
I did a cross-over test, using both my and my colleague's laptop to connect to the PiVPN over both my and my colleague's LTE router.
Both laptops get a connection over my router, and both laptops fail to connect over her router. Would you guys agree this is proof that the router is at fault?
I would suggest that you do a detailed comparison of the router configs and see if you can identify any differences that might affect the VPN. To see if it is firewall related, a (short term) disabling of the router firewall could be one troubleshooting step. It could also be a simple IP or domain blockage on the parental control part. Or any one of several other possibilities that will require checking individually to identify.
I just meant that I can stop worrying about what might be wrong on the client, as the config there is working. Now finding out what setting in the router is causing problems is going to be hard, because these routers provided by the ISPs have branded firmware that is pretty locked down and won't really let you see all that much, let alone tweak things to your liking. Mine for instance won't show me a list of connected devices... If my colleague is fine just getting a newer router, I guess I won't object...
But suppose I did manage to take another shot at the router, what would you look at first?