

rookieatvpn

@dingstatistics.com

vpn virtual adapter not given ip

How do isps block vpns? It's not a port block because several vpns use multiple ports and different protocols (udp/tcp). Reports on the web state my isp is blocking vpn connections and I cannot connect to any vpn, regardless of its location, IP address, port used, udp or tcp, etc.


rookieatvpn

@dingstatistics.com
Sorry, I forgot to give some details. I am running xp (sp3) and using openvpn with these vpn providers. The bottleneck appears to be that I am not assigned an IP for the tap virtual adapter. Any informative replies welcomed. Thanks.

HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to rookieatvpn
said by rookieatvpn :

It's not a port block because several vpns use multiple ports and different protocols (udp/tcp)

I can tell you right now that two VPNs off the top of my head do not use "multiple ports and different protocols."
Namely IPSec VPN (UDP/500 or UDP/4500) and SSL VPN (TCP/443), and ONLY those ports are used by these protocols, nothing else.
Not exactly rocket science to block either one of those at a layer 3 / layer 4 perspective.

Just to clarify, you're trying to set up an INBOUND connection to open VPN at your home... or connect OUTBOUND
from your home internet to an open VPN setup somewhere else? If the former and you're on a residential internet
package, my understanding is a lot of ISPs block a lot of the well known ports inbound -- ie. FTP/21, HTTP/80,
HTTPS/443, among others -- through a variety of means. Try "deep packet inspection" on your search engine of choice.

My 00000010bits

Regards


rookieatvpn

@ubiquityservers.com
Thanks for the reply, Hellfire.

Ok so I am guessing that their offering to connect via tcp or udp on different ports in their software startup menu does not refer to the port being used to connect to the vpn server, but only the outgoing port used on the client side?

This is on an outbound only connection to a public vpn. I am using openvpn.

You said that isps block https/443 for this. I have been told that they cannot do this because it's the same port all ssl connections use and they cannot tell the difference whether it's vpn traffic or email for example.

I suppose deep packet inspection is an option, but I wonder if that has some disadvantages for the isp? I know it has been used for p2p traffic but I have not read anything about it being used for vpns and I did a google search on it.

cptmikey

join:2013-02-14
Annapolis, MD
reply to rookieatvpn
I can think of a few reasons this would happen. First, be sure you are in "Run as Administrator" mode. Right-click on your shortcut to openVPN and select "Run as Administrator". Second, you may have created multiple TAPs and openVPN is responding to a "dead" TAP. Go to "device manager" and delete all TAPs, then try openVPN again. Lastly, you may be assigned a subnet that is already in your network path. That's the primary reason we provide multiple ports. Each one uses a different subnet. You can check this by opening a cmd.exe window and running ipconfig.

If you need more help post your openVPN log. We can tell from that if you are connecting and possibly what your problem is.

sysadmin - portdefender.net

HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to rookieatvpn
said by rookieatvpn :

Ok so I am guessing that their offering to connect via tcp or udp on different ports in their software startup menu does not refer to the port being used to connect to the vpn server, but only the outgoing port used on the client side?

Possibly. Without knowing the exact name of the provider and a copy and/or screenshots of the software
in question, it's a bit of a guessing game.

said by rookieatvpn :

This is on an outbound only connection to a public vpn. I am using openvpn.

Okay, thanks for clarifying.

said by rookieatvpn :

I have been told that they cannot do this because it's the same port all ssl connections use and they cannot tell the difference whether it's vpn traffic or email for example. I suppose deep packet inspection is an option, but I wonder if that has some disadvantages for the isp?

Go look into the OSI network model... TCP/443 is the layer 4 / TRANSPORT layer, HTTP is the layer 7 / APPLICATION
layer. The point I'm trying to make is with deep packet inspection, at a high level the ISP can put in something
with more intelligence than :

"if traffic is from X with port Y, then block" 
 

but rather

"if traffic is from X with port Y and is HTTPS traffic, then permit" else
"if traffic is from X with port Y but is not HTTPS traffic, then block" else
"if traffic is from X with port Y but is something else and going to destination Z, then do A" else
...
...

Depending on which side of the desk you sit on, pretty cool, or a pretty big PITA.

Otherwise cptmikey offers some pretty good troubleshooting steps to try at this point, rather than speculate all day.

Regards
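
Added example, not part of any post in this thread: a minimal sketch of the difference between a port-only rule and a content-aware (DPI) rule on TCP/443, as discussed in the reply above. The payloads are constructed samples, the function names are hypothetical, and port 1194 (OpenVPN's registered default) is an assumption the thread does not mention.

```python
import struct

# Constructed sample: TLS record header (type 0x16 handshake, version 0x0301,
# length 49) followed by handshake type 0x01 (ClientHello); body is zero padding.
TLS_CLIENT_HELLO = bytes.fromhex("16030100310100002d0303") + bytes(43)

# Constructed sample: OpenVPN over TCP. 2-byte length prefix, then one byte whose
# high 5 bits are the opcode (7 = P_CONTROL_HARD_RESET_CLIENT_V2) and low 3 bits
# the key id (0), then 8-byte session id, empty ack array, 4-byte packet id.
OPENVPN_TCP_RESET = struct.pack("!HB", 14, 7 << 3) + bytes(8) + b"\x00" + bytes(4)

BLOCKED_PORTS = {1194}  # assumed policy: block OpenVPN's default port


def classify(payload: bytes) -> str:
    """Label the first client payload of a TCP flow by content, not by port."""
    if (len(payload) >= 6 and payload[0] == 0x16
            and payload[1] == 0x03 and payload[5] == 0x01):
        return "tls"
    if len(payload) >= 3:
        (length,) = struct.unpack("!H", payload[:2])
        opcode, key_id = payload[2] >> 3, payload[2] & 0x07
        if length >= 14 and opcode == 7 and key_id == 0:
            return "openvpn"
    return "unknown"


def port_rule(dst_port: int, payload: bytes) -> str:
    """Layer 3/4 rule: "if traffic is to port Y, then block". Payload is ignored."""
    return "block" if dst_port in BLOCKED_PORTS else "permit"


def dpi_rule(dst_port: int, payload: bytes) -> str:
    """Layer 7 rule: on 443, permit only what actually looks like TLS."""
    if dst_port in BLOCKED_PORTS:
        return "block"
    if dst_port == 443:
        return "permit" if classify(payload) == "tls" else "block"
    return "permit"


if __name__ == "__main__":
    for name, pkt in (("TLS", TLS_CLIENT_HELLO), ("OpenVPN", OPENVPN_TCP_RESET)):
        print(name, "on 443:", "port rule =", port_rule(443, pkt),
              "| DPI rule =", dpi_rule(443, pkt))
```

Moving the tunnel to port 443 changes the port rule's verdict but not the DPI rule's, which is why trying different ports and protocols does not by itself rule out ISP filtering.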