VPN over port other than 1723



Tomás Ó hÉilidhe
02-08-08, 12:54 PM
I'm working on a network at the moment where there's a firewall in
place that blocks outgoing TCP segments unless their destination port is
80 or 443 (the ports assigned to HTTP and HTTPS).

I want to access a VPN, and, so, obviously I'll have to access it
over port 80 or 443 somehow.

The VPN I'm trying to access is a private network where all the
machines have private addresses (e.g. 10.*), but the router that they're
behind performs NAT in order to enable the machines to access the
internet via TCP and UDP.

The router's NAT has an option whereby it can accept a TCP segment on
the WAN on TCP port 80, and forward it to TCP port 1723 on the LAN,
meaning I don't need a special VPN daemon that can listen on ports other
than 1723. Hurray for that.

I'm running Windows XP on the VPN server, and also on the client that
wants to connect. The problem, however, is that the built-in Windows XP
VPN _client_ application won't let me specify a different port.

The list of possible solutions, I think, are:

1) Find the .exe/.dll for the Windows VPN client, go thru it with a
HexEditor and replace 1723 with 443. So does anyone know what file this
is. . ?

2) Use a different VPN client application (possibly in conjunction with
a different VPN daemon application). Can anyone suggest a good one?

Or if there's any other ideas, please throw them out there!

--
Tomás Ó hÉilidhe

Howard Johnson
02-09-08, 12:01 AM
In article <Xns9A3EC04D1C356toelavabitcom@194.125.133.14>,
Tomás Ó hÉilidhe <toe@lavabit.com> wrote:
>
> I'm working on a network at the moment where there's a firewall in
>place that blocks outgoing TCP segments unless their destination port is
>80 or 443 (the ports assigned to HTTP and HTTPS).
>
> I want to access a VPN, and, so, obviously I'll have to access it
>over port 80 or 443 somehow.

> The list of possible solutions, I think, are:
>
>1) Find the .exe/.dll for the Windows VPN client, go thru it with a
>HexEditor and replace 1723 with 443. So does anyone know what file this
>is. . ?

That won't work even if you do what you describe. The Microsoft VPN
client uses port 1723 for the control channel only; a different IP
protocol (not TCP and not UDP) is used for the data channel.

>2) Use a different VPN client application (possibly in conjunction with
>a different VPN daemon application). Can anyone suggest a good one?

See http://openvpn.net for free VPN software that does this. Look for
proto tcp-client and proto tcp-server configuration parameters to do
what you want. Port 443 has the best chance of working. The default
proto udp works better when it can be used, but it probably won't work
in your situation.

You will also want to confirm that the people running the local LAN permit
the use of VPN clients on their network.
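
Howard Johnson's point above, that PPTP needs a non-TCP, non-UDP data channel alongside TCP 1723, as an added example that is not part of any post in this thread. Constructed packets are classified by IPv4 protocol number and checked against the port-80/443 egress rule and a port-keyed NAT forward; the sample addresses, call ID, rule tables and an OpenVPN server listening on 443 are assumptions.

```python
import struct

TCP, UDP, GRE = 6, 17, 47                 # IPv4 protocol numbers
PPTP_PORT, GRE_PPP = 1723, 0x880B         # PPTP control port (TCP); enhanced-GRE protocol type

def ipv4(proto, payload):
    """Constructed IPv4 packet: documentation addresses, checksum left at 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])) + payload

def tcp_syn(dport, sport=40000):
    """Constructed 20-byte TCP header with only SYN set."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)

def pptp_gre(call_id):
    """Enhanced GRE header: K and S flags, version 1, then length, call ID, sequence."""
    return struct.pack("!HHHHI", 0x3001, GRE_PPP, 0, call_id, 1)

def classify(pkt):
    """Return (kind, destination port or None) from the IPv4 header and first payload bytes."""
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    if proto in (TCP, UDP):
        dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
        return ("tcp" if proto == TCP else "udp", dport)
    if proto == GRE:
        flags, ptype = struct.unpack("!HH", pkt[ihl:ihl + 4])
        return ("pptp-data" if (flags & 0x7) == 1 and ptype == GRE_PPP else "gre", None)
    return ("ip-proto-%d" % proto, None)

def egress_allowed(pkt, tcp_ports=(80, 443)):
    """The firewall from the thread: outbound TCP to 80 or 443 only."""
    kind, dport = classify(pkt)
    return kind == "tcp" and dport in tcp_ports

def port_forward(pkt, rules):
    """A NAT table keyed on (protocol, WAN port); GRE has no port, so it never matches."""
    return rules.get(classify(pkt))

def tunnel_passes(packets, rules):
    """A VPN works only if every packet type it needs leaves the LAN and is forwarded."""
    return all(egress_allowed(p) and port_forward(p, rules) is not None for p in packets)

# Constructed cases: PPTP with its control channel remapped to 80, and one TCP stream on 443.
pptp_remapped = [ipv4(TCP, tcp_syn(80)), ipv4(GRE, pptp_gre(call_id=7))]
openvpn_tcp = [ipv4(TCP, tcp_syn(443))]
rules_pptp = {("tcp", 80): PPTP_PORT}      # hypothetical WAN 80 -> LAN 1723 forward
rules_openvpn = {("tcp", 443): 443}        # hypothetical forward to a daemon on 443

if __name__ == "__main__":
    print(tunnel_passes(pptp_remapped, rules_pptp), tunnel_passes(openvpn_tcp, rules_openvpn))
```

The NAT table here is a plain port map; a router that tracks PPTP sessions and relays GRE itself is not modelled.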

Tomás Ó hÉilidhe
02-09-08, 07:42 AM
Howard Johnson:


> That won't work even if you do what you describe. The Microsoft VPN
> client uses port 1723 for the control channel only; a different IP
> protocol (not TCP and not UDP) is used for the data channel.


Are you certain that we need to accommodate a different Transport
Layer protocol? I set up a VPN daemon on my machine at home which has a
private IP address (e.g. 10.*). I then went into my router settings at
home and configured NAT to forward TCP segments whose destination port
is 1723 from the WAN to my home machine which is running the VPN daemon.

I then went to a friend's house and tried to connect to my VPN at
home and it worked perfectly. Seeing as how my router's NAT only
forwards TCP and UDP, how could it be that we need to accommodate a
different Layer 4 protocol (keeping in mind that I've already gotten it
to work perfectly)?


> See http://openvpn.net for free VPN software that does this. Look for
> proto tcp-client and proto tcp-server configuration parameters to do
> what you want. Port 443 has the best chance of working. The default
> proto udp works better when it can be used, but it probably won't work
> in your situation.


But isn't UDP designed for stuff like streaming audio where it's best to
ignore dropped packets and move on? Since TCP is designed for reliable
transmission, would it not be better to use TCP rather than UDP?

Thanks for the reply, I'm going to give openvpn.net a shot.

--
Tomás Ó hÉilidhe

Tomás Ó hÉilidhe
02-11-08, 04:39 PM
Just to give an update, I got everything working perfectly by using
OpenVPN. I have a "tap" interface (as opposed to "tun") which encapsulates
Ethernet rather than just encapsulating IP. The result is that it's as if
I've got a cable running back to my house and into my network switch; I
even get my IP address from my broadband router's DHCP server!

If anyone's curious as to how I got it going then just give me a shout
and I'll send you my OpenVPN config files.

--
Tomás Ó hÉilidhe

Howard Johnson
02-16-08, 11:46 AM
In article <Xns9A3F8B7A5DA7Atoelavabitcom@194.125.133.14>,
Tomás Ó hÉilidhe <toe@lavabit.com> wrote:
>Howard Johnson:
>
>
>> That won't work even if you do what you describe. The Microsoft VPN
>> client uses port 1723 for the control channel only; a different IP
>> protocol (not TCP and not UDP) is used for the data channel.
>
>
> Are you certain that we need to accommodate a different Transport
>Layer protocol? I set up a VPN daemon on my machine at home which has a
>private IP address (e.g. 10.*). I then went into my router settings at
>home and configured NAT to forward TCP segments whose destination port
>is 1723 from the WAN to my home machine which is running the VPN daemon.
>
> I then went to a friend's house and tried to connect to my VPN at
>home and it worked perfectly. Seeing as how my router's NAT only
>forwards TCP and UDP, how could it be that we need to accommodate a
>different Layer 4 protocol (keeping in mind that I've already gotten it
>to work perfectly)?

I know that's the case with PPTP, but L2TP may be able to use TCP or UDP.
Also, some routers "know" how to handle these protocols. I don't trust
things to "just work"; I have to read the details carefully.

>> See http://openvpn.net for free VPN software that does this. Look for
>> proto tcp-client and proto tcp-server configuration parameters to do
>> what you want. Port 443 has the best chance of working. The default
>> proto udp works better when it can be used, but it probably won't work
>> in your situation.
>
>
>But isn't UDP designed for stuff like streaming audio where it's best to
>ignore dropped packets and move on? Since TCP is designed for reliable
>transmission, would it not be better to use TCP rather than UDP?

Yes, but you typically run TCP over that UDP channel. You can run TCP
over TCP, but the overhead can cause problems on lossy connections.

>Thanks for the reply, I'm going to give openvpn.net a shot.

Intuitive
02-18-08, 04:47 AM
Even if you change the port number; you will still need to have GRE
running over the border router.

Without it, PPTP won't work :-)


Tomás Ó hÉilidhe wrote:
> I'm working on a network at the moment where there's a firewall in
> place that blocks outgoing TCP segments unless their destination port is
> 80 or 443 (the ports assigned to HTTP and HTTPS).
>
> I want to access a VPN, and, so, obviously I'll have to access it
> over port 80 or 443 somehow.
>
> The VPN I'm trying to access is a private network where all the
> machines have private addresses (e.g. 10.*), but the router that they're
> behind performs NAT in order to enable the machines to access the
> internet via TCP and UDP.
>
> The router's NAT has an option whereby it can accept a TCP segment on
> the WAN on TCP port 80, and forward it to TCP port 1723 on the LAN,
> meaning I don't need a special VPN daemon that can listen on ports other
> than 1723. Hurray for that.
>
> I'm running Windows XP on the VPN server, and also on the client that
> wants to connect. The problem, however, is that the built-in Windows XP
> VPN _client_ application won't let me specify a different port.
>
> The list of possible solutions, I think, are:
>
> 1) Find the .exe/.dll for the Windows VPN client, go thru it with a
> HexEditor and replace 1723 with 443. So does anyone know what file this
> is. . ?
>
> 2) Use a different VPN client application (possibly in conjunction with
> a different VPN daemon application). Can anyone suggest a good one?
>
> Or if there's any other ideas, please throw them out there!
>

.
02-22-08, 02:51 AM
On 18 Feb, 10:47, Intuitive <jason_tom...@hotmail.com> wrote:
> Even if you change the port number; you will still need to have GRE
> running over the border router.
>
> Without it, PPTP won't work :-)
>
> Tomás Ó hÉilidhe wrote:
> > I'm working on a network at the moment where there's a firewall in
> > place that blocks outgoing TCP segments unless their destination port is
> > 80 or 443 (the ports assigned to HTTP and HTTPS).
>
> > I want to access a VPN, and, so, obviously I'll have to access it
> > over port 80 or 443 somehow.
>
> > The VPN I'm trying to access is a private network where all the
> > machines have private addresses (e.g. 10.*), but the router that they're
> > behind performs NAT in order to enable the machines to access the
> > internet via TCP and UDP.
>
> > The router's NAT has an option whereby it can accept a TCP segment on
> > the WAN on TCP port 80, and forward it to TCP port 1723 on the LAN,
> > meaning I don't need a special VPN daemon that can listen on ports other
> > than 1723. Hurray for that.
>
> > I'm running Windows XP on the VPN server, and also on the client that
> > wants to connect. The problem, however, is that the built-in Windows XP
> > VPN _client_ application won't let me specify a different port.
>
> > The list of possible solutions, I think, are:
>
> > 1) Find the .exe/.dll for the Windows VPN client, go thru it with a
> > HexEditor and replace 1723 with 443. So does anyone know what file this
> > is. . ?
>
> > 2) Use a different VPN client application (possibly in conjunction with
> > a different VPN daemon application). Can anyone suggest a good one?
>
> > Or if there's any other ideas, please throw them out there!
http://secure-vpn.com/
This site offers L2TP, PPTP and OpenVPN accounts over 3 servers: CA-DE-USA!!

DesiredForsome
02-26-08, 08:34 PM
OK, I can't seem to figure any of this out, and I have read the stuff. Is there a video somewhere or a config file I can be sent? This is all very confusing. I'm trying to integrate an open source VPN software into my software and I believe this is it; however, I can't figure it out.
Thank you

sixpackbud
08-21-08, 05:25 AM
> Just to give an update, I got everything working perfectly by using
> OpenVPN. I have a "tap" interface (as opposed to "tun") which encapsulates
> Ethernet rather than just encapsulating IP. The result is that it's as if
> I've got a cable running back to my house and into my network switch; I
> even get my IP address from my broadband router's DHCP server!
>
> If anyone's curious as to how I got it going then just give me a shout
> and I'll send you my OpenVPN config files.
>
> --
> Tomás Ó hÉilidhe

Hi Tomás,

I am in the same situation as you were. Please send me your config files to help me out easily.

Thanks
/Sixpackbud

olibi
08-19-09, 02:56 AM
Hi. I've been playing around some with this, and would appreciate the config files.

Gustav
08-10-11, 06:31 AM
I've got a home network which I want to access on a different port, so where can I grab your config files?
Many thanks

Gustav
----


> Just to give an update, I got everything working perfectly by using
> OpenVPN. I have a "tap" interface (as opposed to "tun") which encapsulates
> Ethernet rather than just encapsulating IP. The result is that it's as if
> I've got a cable running back to my house and into my network switch; I
> even get my IP address from my broadband router's DHCP server!
>
> If anyone's curious as to how I got it going then just give me a shout
> and I'll send you my OpenVPN config files.
>
> --
> Tomás Ó hÉilidhe

CYBER MATRIX
06-28-12, 05:44 AM
Could I please have the OpenVPN config files - and if I can, how do I get them?

getmet
05-28-13, 12:17 PM
> Just to give an update, I got everything working perfectly by using
> OpenVPN. I have a "tap" interface (as opposed to "tun") which encapsulates
> Ethernet rather than just encapsulating IP. The result is that it's as if
> I've got a cable running back to my house and into my network switch; I
> even get my IP address from my broadband router's DHCP server!
>
> If anyone's curious as to how I got it going then just give me a shout
> and I'll send you my OpenVPN config files.
>
> --
> Tomás Ó hÉilidhe


Could you send me the config files too? I am trying to connect to a server from my other site but I want to use 443 on the remote end to connect to my server. Do I need to give you my email address?