OpenVPN TAP and Windows Firewall

    Question

  • Hello,

    I'm having trouble getting the network profiling to work with the TAP adapter installed by OpenVPN.

    Software: OpenVPN 2.1 RC (latest version)
    OS: Windows 7 Ultimate

    I've tried numerous fixes to get this to work:
    - Used a script to try and set the network profile via PowerShell.
    - Used a script to change the network interface NDISType.
    - Manually unchecked the Public profile from interfacing with the TAP adapter (Local Area Connection 2).

    My TAP adapter is getting the profile for "Public" when it needs to get the profile for "Work".

    Thanks if you can help me out with this.
    Monday, September 14, 2009 10:05 PM

Answers

  • I suspect that it is because of the rules of the Public Network. How do you make the following settings?

    Allow HTTPS
    Allow DNS
    Allow ICMP
    Allow VPN Software out

    I suggest that you turn off firewall for Local Area Connection and check the result. You may do it from here.

    Or change the Firewall State to Off from the drop-down list.

    If it works this time, you need to change the settings in the Public profile. You can choose allowed programs from here.


    Wednesday, September 23, 2009 7:28 AM
    Moderator

All replies

  • Did you adjust settings in Control Panel\All Control Panel Items\Windows Firewall\Allowed Programs?

    Otherwise you may try the following method.

    1. Open “Control Panel\All Control Panel Items\Windows Firewall”.
    2. In the “Inbound Rules”, find the entries related to the VPN connection. You will see that each policy can be for one or all of the profiles.
    3. Right-click on it and change related settings.
    4. You can also change rules in “Outbound Rules”.


    Arthur Xie - MSFT
    • Proposed as answer by Bart Janssens Thursday, October 10, 2013 6:37 AM
    Thursday, September 17, 2009 9:58 AM
    Moderator
  • Hi Arthur,

    I've tried enabling and disabling each of the firewall rules for each connection. I've also tried setting the device adapter to TAP mode vs TUN mode (to make it appear more as a LAN connection than a routed connection).

    It's a no go.

    Here's my ruleset, a rundown:

    Public Profile:
    Outbound Default BLOCK
    Inbound Default BLOCK
    Allow HTTPS
    Allow DNS
    Allow ICMP
    Allow VPN Software out

    Private Profile:
    Outbound Default ALLOW
    Inbound Default ALLOW

    Windows Firewall identifies the TAP connection as a Public profile connection from the start, and doesn't allow me to change it. In order to get the network to identify properly I do the following:

    route delete 0.0.0.0 (delete all default routes)
    netsh int ipv4 set address name="Local Area Connection 2" static 10.8.0.8 255.255.255.0 18.8.0.1
    netsh int ipv4 set dns name="Local Area Connection 2" static 208.67.222.222

    The preceding commands then have my networks identified properly. Local Area Connection, the physical connection to my untrusted networks, is a Public profile and the TAP adapter, Local Area Connection 2, gets thrown into the "Home" profile.

    The problem is that connections still aren't getting out except for the rules I've allowed on the public profile. If I set PUBLIC to Default BLOCK, the only thing that gets out (now routed over the VPN connection) are the things I've explicitly allowed.

    If I go in and add a specific rule for the Private Profile to allow, still nothing gets out.

    If I fully disable Windows Firewall, everything gets out and gets routed properly. I'm able to connect to the internet via browser, applications, etc.
    Monday, September 21, 2009 12:05 PM
  • Hi Arthur,

    It's been a while since I've visited this issue but would like to revisit it. I thank you for your response, but it has not helped. I have made sure to uncheck the Public Profile from "Local Area Connection 2", which is the OpenVPN TUN Adapter. The Public profile settings still get applied to this connection.
    Tuesday, October 20, 2009 2:47 PM
  • Hi,

    I'd like to leave my contribution. See what worked in my case, on Windows 7 and Windows 8.

    I spent a lot of time with this problem of client inbound connectivity.

    Disabling the TAP interface in the firewall works fine, but it's almost the same as turning off the firewall in the VPN context. The VPN machines are running in different security contexts and some can affect others.

    I tried the "default gateway" configuration, which recognizes the network as a "Work Network" (just in Win7, not on Win8), and nevertheless it did not PING!

    Manually adding a "*NdisDeviceType" record in the registry also did not work on Win8.

    So, looking carefully at the Windows Firewall configuration, I saw other scope configurations besides just profiles, so I tried running another service rather than PING, and to my surprise it worked properly, even in "Unidentified Networks" and "Public Profile"!

    So, I tried to isolate the PING problem, and the configuration that made it work was the following: the default Windows Firewall entry that enables outside IPv4 PING is "File and Printer Sharing (Echo Request - ICMPv4-In)", so in its properties I clicked on "Scope", and in "Remote IP Address" I changed from "Local subnet" to "Any IP address", and this did make PING work.

    Thanks,

    Vítor

    Friday, March 14, 2014 9:53 PM
  • Thank you for this information!

    Enabling "File and Printer Sharing: Public" worked for me. I am now able to ping my remote Windows OpenVPN server. Without doing so, I could only ping from server to client, but not vice versa.

    I knew this was a firewall issue because if I disabled the firewall, I could ping both ways (client to server and server to client).

    To enable File and Printer Sharing (Public):

    Click Start -> Control Panel -> Windows Firewall -> Allow a program or feature through Windows Firewall; scroll down to File and Printer Sharing; click to enable Public.

    Monday, March 24, 2014 11:45 PM
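One way to apply what Vítor's and the following post describe (enable the echo-request rule on the Public profile and widen its "Remote IP Address" scope), as an added example that is not code from the thread. It assumes Windows 8 / Server 2012 or later for the NetSecurity cmdlets, an elevated PowerShell session, and the 10.8.0.0/24 tunnel subnet taken from the netsh commands earlier in the thread; it scopes the rule to that subnet rather than "Any IP address", which is the tighter choice when only tunnel peers need to reach the host.

```powershell
# Added example (not from the thread). Assumes Windows 8 / Server 2012 or later
# (NetSecurity module) and an elevated session. 10.8.0.0/24 is the VPN subnet
# used in the thread's netsh commands; replace it with your tunnel subnet.
$ruleName  = "File and Printer Sharing (Echo Request - ICMPv4-In)"
$vpnSubnet = "10.8.0.0/24"

# 1. Show the current state of every copy of the rule (Windows ships one per
#    profile set), including the remote-address scope the posts refer to.
Get-NetFirewallRule -DisplayName $ruleName | ForEach-Object {
    $scope = $_ | Get-NetFirewallAddressFilter
    "{0,-16} enabled={1,-5} remote={2}" -f $_.Profile, $_.Enabled, ($scope.RemoteAddress -join ",")
}

# 2. Select the copy that applies to the Public profile. A TAP adapter that
#    Windows classifies as "Unidentified network" falls under Public, which is
#    why enabling the Private/Domain copy alone does nothing for the tunnel.
#    Profile is a flags value such as "Public", "Private, Public" or "Any".
$publicRule = Get-NetFirewallRule -DisplayName $ruleName |
    Where-Object { $_.Profile -match "Public|Any" }

# 3. Enable it and replace the default "LocalSubnet" scope. The thread used
#    "Any IP address"; restricting to the VPN subnet accepts echo requests
#    only from tunnel peers and leaves the physical (untrusted) side closed.
$publicRule | Enable-NetFirewallRule
$publicRule | Set-NetFirewallRule -RemoteAddress $vpnSubnet

# 4. Re-read the scope to confirm the change took effect.
$publicRule | Get-NetFirewallAddressFilter | Select-Object -ExpandProperty RemoteAddress

# Windows 7 has no NetSecurity module; the same change with netsh is:
#   netsh advfirewall firewall set rule name="File and Printer Sharing (Echo Request - ICMPv4-In)" dir=in profile=public new enable=yes remoteip=10.8.0.0/24
```

Because the Private and Public copies of this rule are usually a single "Private, Public" entry, step 3 changes the scope for both; revert with `-RemoteAddress LocalSubnet` if that is not wanted.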