Unable to connect from outside network

[gizmobrat]

Hello,

I am currently unable to connect to my VPN from a outside network. I am able to connect locally, this leads me to believe that I am having a Firewall configuration issue. I have attached the ports I have set up on my Linksys router. My IP address is IPv6 from my ISP and a IPv4 internally. I have attempted to connect with the fire wall being disabled on my Windows 10 computer. I am using the Dynamic DNS service included in softether. I have also enable antonymous authentication to troubleshoot. The server has both Softether and the ports for the routed allowed through firewall in inbound and outbound rules. I would apricate any help.

[eddiewu]

For IPv4 connections, does your router has a public IPv4 address?
For IPv6 connections, have you allowed external access in the router?

[gizmobrat]

I do not have a public facing IPv4 IP address as the ISP does not provide one. The router has IPv6-Automatic enabled by default. I also do not have SecureNAT enabled, let me know if I need to look into this.

[eddiewu]

OK.
Then for IPv4, your remaining options are:
1. NAT traversal (not working on some network due to incompatible NAT types)
2. VPN azure (slow because traffic will be relayed from servers in Japan)
In both cases firewall rules are not needed. They are for public facing routers.

For IPv6 the direct connection is always possible as long as the router allows external access / forwarding. Find that in your router's firewall settings.

[gizmobrat]

As I am a noob with IPv6, is the option I am looking for IPv6 Tunneling?

[eddiewu]

Tunneling does not sound right. But I don’t know about your router.
Try pinging the server’s IPv6 address from the internet as you are looking for the right option. Also disable windows firewall first.

[gizmobrat]

I am using a linksys MR7350. I have attached screenshots of most of my configs. I am unable to ping the server from a laptop connected to my phone's hotspot.

[gizmobrat]

Next set of screenshots

[gizmobrat]

I want to thank you for your help with this.
Here is the next set of screenshots.

[eddiewu]

First, I saw you have setup IPv6 port forwarding to some IPv6 address. I am not sure how linksys works but specifying some specific IPv6 address is usually problematic because Windows computers have more than one IPv6 address and may change from time to time.
Can you try not specifying the IPv6 address when creating a rule?
Second, you may also want to give the option Filter Anonymous Internet requests a try. I can't figure out what it exactly does but it looks suspicious.
The third option is turning IPv6 SPI firewall off.

Forget about the ping. TCP port forwarding may work while ping (ICMP) does not.

[gizmobrat]

I have Tired connecting with no Firewalls enabled and I still have failed, so I might have a config error.

Server Configs
Dynamic DNS I have a global IPv6, an Assigned Dynamic DNS hostname, and no global IPv4. A local bridge from the VPN hub to the ethernet adaptor, NO layer 3 switch, No VPA Azure, L2TP enabled, VPN gate disabled, Open VPN and MS-SSTP disabled. Encryption is AES256-SHA with a self signed cert, and using keepa;ive.softether.org over UDP.

Hub Configs:
I have a user with no password (For testing)
NO groups
NO Access lists
NO authentication server
No cascade connections
No SecureNat

Do I need a static route to reach the virtual hub on my router? If there is a way to send the config file without posting it public I would be down to do that if it will help you.

[eddiewu]

What protocol are you using? L2TP?
Most L2TP clients do not support IPv6 including Android and iOS built-in clients. Windows L2TP does support IPv6.

[gizmobrat]

I have it set to use port 443 with Direct TCP/IP connection and the assigned XX.softether.net address. It works on the local network.

[eddiewu]

OK. I don't think there is any configuration problem on the server since you can connect it locally.
The issue is in the router's firewall.
You said you have disabled the firewall but I am not sure how. Have you tried all options I mentioned?
There is an easy way to test. Open any browser to https://vpnxxxxxx.softether.net (v4/v6) or https://vpnxxxxx.v6.softether.net (v6 only) and see if you can get a certificate error page. If you get only timeout, the firewall is blocking it.

[gizmobrat]

To confirm the DNS will be VPNSUBDOMAINHER.softether.net?

[eddiewu]

It's the same hostname as you enter in the vpn client.

[gizmobrat]

Using the host name I am getting a Time out DNS error so it is an issue with the Firewall. I have disable the Firewall on the Windows 10 server (Windows 10 Pro with AMD CPU), and have set the Firewall to the following.

Untitled.png

I have also forwarded the ports for the local IPv4 network.

[eddiewu]

OK. Try this.
Let's say the server has a temporary IPv6 address x:x:x:x:x:x:x:x and you have created a firewall rule under Ipv6 port services.
Open browser and enter https://[x:x:x:x:x:x:x:x]:443 or https://[x:x:x:x:x:x:x:x]:1194, what do you get?

[gizmobrat]

I get a SoftEther VPN Server / Bridge page using the IPv6 adress:443 address.

[gizmobrat]

Reenabling the firewalls also allows me to connect to the landing page.

[eddiewu]

It seems the firewall rule you added is working. You should also be able to connect using that address from the vpn client.
The reason that the actual address works while the DDNS hostname does not might be that the DDNS resolves to another address not in the rule. As I said Windows has several IPv6 addresses.
However fixing the address in the firewall rule is not a long-term solution because the address is volatile. You still need to find out how to disable firewall in ipv6.

[gizmobrat]

So under host name on the client use the global IP address address https://[x:x:x:x:x:x:x:x] for the host name? s I now get error code 1. Can I just say I hate IPv6 or at least it's half ass implementation?

[eddiewu]

You don't need the https://[] wrapper in the vpn client. Just replace the ddns hostname with the actual address.

[gizmobrat]

I can connect on my local network to the VPN using the IPv6 address. However, using my phone's hotspot I get a time out error.

[eddiewu]

That's weird. You should not get a timeout with vpn client but not with browser, if the destination address is the same.

[gizmobrat]

I am getting error code 1 on the client. Could it be the phone Hot spot?

[gizmobrat]

When I am on my phone's wifi I am unable to connect to the server from the browser.

[eddiewu]

So what network did you use when you opened the vpn server console from the browser? Doing from the local network does not mean anything.

[gizmobrat]

It might be I am out of data. Going to see if a family member can remote in.

[gizmobrat]

I have verified that outside users are unable to connect

[eddiewu]

So the firewall is still blocking. I can't help you further since I do not know how linksys works.

[gizmobrat]

Thank you for your help anyways. Going to talk the boss into getting a router that has VPN built in.

[auspiciouszesty]

I'm new to IPv6, so is IPv6 Tunneling the solution I'm searching for?gmail