Which Ports to Unblock for VPN Traffic to Pass-Through?

Using a VPN is not a universally accepted idea. For some, using a VPN is the only way their safety can be guaranteed in today's digital world. Others use VPNs to access services that are not otherwise accessible in their region. There are also those who believe that using a VPN means you are taking steps to hide what you are doing; they think this is wrong because people with nothing to hide wouldn't need such a service.

Regardless of your views on VPNs, the underlying truth is that the technology is here to stay, as indicated by a report from leading VPN provider VPNMentor.

According to the report, VPN use continued to increase and grew substantially in 2017, a 185% increase over 2016. Existing users have also begun to use VPNs more often, incorporating them into their everyday activities.

But What is a VPN and Why is it so Important?

Virtual Private Networks, referred to as VPNs, overlay a private network (or internet connection) across a shared or public connection. They allow individuals to receive and send information over public or shared connections as if they were connected directly to a private connection.

Devices or software utilizing a VPN can gain any of the following:

  • Functionality
  • Security
  • Management

Those are the benefits of being plugged into a private network. What many people don't know is that the underlying technology was created to let remote users and branch offices access their company's files and resources safely.

To secure that information, companies would ensure that the data travelled over protected routes. Individuals using VPNs would also have to pass one or more authentication methods, including tokens and passwords, before they gained access to the network.

Internet users can now hide their online transactions with a VPN. Additionally, they can get around restrictions that are caused by their location or circumvent bans that have been placed on certain content. They can even connect to proxy servers and protect personal information or locations in a bid to stay anonymous.

As mentioned earlier, as VPN popularity increases, so does the number of people who want to see the technology scrapped. Multiple internet sites continue to prevent people from using VPN technology to access their platform.

Using a VPN also requires little to no technical know-how. Some browsers even ship with a VPN built in, while others simply require users to download, install, and turn one on.

However, if the VPN traffic cannot reach the server, your VPN will not work as expected. This article will show you which ports to unblock so that VPN traffic can pass.

How to Unblock Ports for VPN Traffic to Pass-Through

Before we go on, here are a few things you need to know:

Microsoft RRAS server and VPN client work with PPTP, L2TP/IPSec, SSTP and IKEv2 based VPN connections. The PPTP control path runs over TCP, and the data path runs over GRE.

L2TP tunnel traffic is carried over IPSec transport mode; IPSec has its own control path, which runs over IKE, and a data path, which runs over ESP. The SSTP control and data paths both run over TCP.

The IKEv2 control path runs over IKE, and the data path runs over ESP.

With this in mind, here are the possible reasons for your VPN traffic being blocked:

  1. If your RRAS based VPN server is behind a firewall (i.e., a firewall is placed between the internet and the RRAS server), the following ports need to be opened (bidirectional) on this firewall to allow VPN traffic to pass through:

For PPTP

    • IP Protocol=TCP, TCP Port number=1723   <- Used by PPTP control path
    • IP Protocol=GRE (value 47)   <- Used by PPTP data path

For L2TP

    • IP Protocol Type=UDP, UDP Port Number=500    <- Used by IKEv1 (IPSec control path)
    • IP Protocol Type=UDP, UDP Port Number=4500   <- Used by IKEv1 (IPSec control path)
    • IP Protocol Type=ESP (value 50)   <- Used by IPSec data path

For SSTP

    • IP Protocol=TCP, TCP Port number=443   <- Used by SSTP control and data path

For IKEv2

    • IP Protocol Type=UDP, UDP Port Number=500    <- Used by IKEv2 (IPSec control path)
    • IP Protocol Type=UDP, UDP Port Number=4500   <- Used by IKEv2 (IPSec control path)
    • IP Protocol Type=ESP (value 50)   <- Used by IPSec data path

  2. If the RRAS server is directly connected to the internet, then you need to protect the RRAS server from the internet side (i.e., only allow access to the services on the public interface that is accessible from the internet side).

This can be done using RRAS static filters or by running Windows Firewall on the public interface (the interface towards the internet side). In this scenario, the following ports need to be opened (bidirectional) on the RRAS box to allow VPN traffic to pass through unimpeded. Note that UDP 1701 appears here but not in the first scenario: a firewall in front of the server only ever sees the ESP packets, whereas filters on the RRAS box itself also see the L2TP packets after IPSec has decrypted them.

For PPTP

    • IP Protocol=TCP, TCP Port number=1723 <- Used by PPTP control path
    • IP Protocol=GRE (value 47) <- Used by PPTP data path

For L2TP

    • IP Protocol Type=UDP, UDP Port Number=500   <- Used by IKEv1 (IPSec control path)
    • IP Protocol Type=UDP, UDP Port Number=4500 <- Used by IKEv1 (IPSec control path)
    • IP Protocol Type=UDP, UDP Port Number=1701 <- Used by L2TP control/data path
    • IP Protocol Type=ESP (value 50) <- Used by IPSec data path

For SSTP

    • IP Protocol=TCP, TCP Port number=443   <- Used by SSTP control and data path

For IKEv2

    • IP Protocol Type=UDP, UDP Port Number=500   <- Used by IKEv2 (IPSec control path)
    • IP Protocol Type=UDP, UDP Port Number=4500 <- Used by IKEv2 (IPSec control path)
    • IP Protocol Type=UDP, UDP Port Number=1701 <- Used by L2TP control/data path
    • IP Protocol Type=ESP (value 50) <- Used by IPSec data path

Do not use RRAS static filters if the same server also provides RRAS based NAT routing. These filters are stateless, and NAT translation needs a stateful edge firewall such as an ISA firewall.
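As an added example (not code from the original article), the PowerShell script below creates Windows Firewall rules for the second scenario, opening only the protocol you select and only on the internet-facing interface. It assumes the public adapter's alias is "Internet" and the rule group name "RRAS VPN"; it follows the article's lists except that UDP 1701 is opened for L2TP only, since IKEv2 carries no L2TP traffic.

```powershell
param(
    [ValidateSet('PPTP', 'L2TP', 'SSTP', 'IKEv2')]
    [string]$Vpn = 'IKEv2',
    [string]$PublicInterface = 'Internet',   # assumed adapter alias, not from the article
    [string]$Group = 'RRAS VPN'              # assumed rule group, used to find the rules later
)

# Protocol/port map from the article's host-filtering scenario. GRE (47) and ESP (50)
# carry no port, so they are matched by IP protocol number only. UDP 1701 is opened for
# L2TP only: the host filter sees the decrypted L2TP packets, and IKEv2 carries no L2TP.
$Map = @{
    PPTP  = @(@{ N = 'PPTP control';     P = 'TCP'; Port = 1723 },
              @{ N = 'PPTP data (GRE)';  P = '47' })
    L2TP  = @(@{ N = 'IKEv1';            P = 'UDP'; Port = 500 },
              @{ N = 'IKEv1 NAT-T';      P = 'UDP'; Port = 4500 },
              @{ N = 'L2TP';             P = 'UDP'; Port = 1701 },
              @{ N = 'IPsec data (ESP)'; P = '50' })
    SSTP  = @(@{ N = 'SSTP';             P = 'TCP'; Port = 443 })
    IKEv2 = @(@{ N = 'IKEv2';            P = 'UDP'; Port = 500 },
              @{ N = 'IKEv2 NAT-T';      P = 'UDP'; Port = 4500 },
              @{ N = 'IPsec data (ESP)'; P = '50' })
}
if (-not (Get-NetAdapter -Name $PublicInterface -ErrorAction SilentlyContinue)) {
    throw "No adapter named '$PublicInterface'; run Get-NetAdapter and pass the right alias."
}

foreach ($r in $Map[$Vpn]) {
    # The article asks for bidirectional rules, so create one rule per direction.
    foreach ($dir in 'Inbound', 'Outbound') {
        $name = "$Group - $Vpn - $($r.N) - $dir"
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
            Write-Host "Rule '$name' already exists; skipping"
            continue
        }
        $p = @{
            DisplayName    = $name
            Group          = $Group
            Direction      = $dir
            Action         = 'Allow'
            Protocol       = $r.P
            InterfaceAlias = $PublicInterface   # scope to the internet side; LAN side untouched
        }
        if ($r.Port) { $p.LocalPort = $r.Port }  # only TCP/UDP rules take a port
        New-NetFirewallRule @p | Out-Null
    }
}
# Review exactly what was opened on the public interface.
Get-NetFirewallRule -Group $Group | Format-Table DisplayName, Direction, Enabled, Action -AutoSize
```

Run it from an elevated PowerShell on the RRAS server, once per VPN protocol you actually offer, so that nothing is opened for protocols you do not use.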