How is VPN server listening through the firewall
-
- Posts: 6
- Joined: Tue Mar 16, 2021 4:53 am
How is VPN server listening through the firewall
Hello
I cannot understand how the SoftEther server can listen for incoming connections through a firewall with no open ports.
Excuse my ignorance of the topic. I feel I need to understand this better before I can trust the software. For example, if it is able to listen through a firewall, what stops malicious traffic from coming through that same opening?
Thank you in advance.
-
- Posts: 477
- Joined: Tue Sep 11, 2018 5:58 pm
Re: How is VPN server listening through the firewall
You are correct! :)
It must be on a public IP, or if it is behind a router, the router must forward the ports (incoming messages).
-
- Posts: 286
- Joined: Wed Nov 25, 2020 9:10 am
Re: How is VPN server listening through the firewall
The technique is called NAT traversal, or more specifically, UDP hole punching. Google it.
The process has to be bi-directional. Client and server are sending packets to each other at the same time (the server learns the client's IP from an external NAT-T server). A firewall will generally allow this kind of UDP traffic.
That is to say, a malicious piece of software needs to have an "insider" in order to get through the firewall. To the SE client, the SE server is that insider.
By the way, this feature can be turned off with an option called DisableNatTraversal.
-
- Posts: 477
- Joined: Tue Sep 11, 2018 5:58 pm
Re: How is VPN server listening through the firewall
You still need at least one server on a public IP.
-
- Posts: 6
- Joined: Tue Mar 16, 2021 4:53 am
Re: How is VPN server listening through the firewall
Thank you all for your responses.
BTW, I have the systems set up and working; I am just trying to understand it better.
I am not sure how I feel about the NAT traversal just yet. I have been trying to find out how to disable it and just open the ports to the specific server IP.
Can anyone tell me where to disable the NAT traversal? I can't find it in the manual or in the interface.
Also, does anyone have any reassurances on the safety of NAT traversal?
Thanks
-
- Posts: 286
- Joined: Wed Nov 25, 2020 9:10 am
Re: How is VPN server listening through the firewall
That won't be necessary with DDNS.
As I said, there is an option called DisableNatTraversal. Find it in the VPN config file and change the value to true.
With NAT-T, you do not need to open any ports, but instead you send your address to an external server (managed by the University of Tsukuba) and the connection is not guaranteed. It does not work on some complicated NAT networks.
By opening the port, you expose your server to the whole internet, but you are not relying on any external server and you don't need to trust them.
Which way is more secure depends on your usage and of course your knowledge. There is always a risk in operating a server.
-
- Posts: 1304
- Joined: Sun Feb 14, 2021 10:31 am
Re: How is VPN server listening through the firewall
In the manual...
and the interface: "You can disable the NAT Traversal function on your VPN Server by switching the value of "DisableNatTraversal" to "true" in the VPN Server's configuration file."
Did you ask Skype, whatsapp, countless other messengers and apps before using them? They function thanks to NAT Traversal.
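A small script for the edit described in this post and the one before it (changing "DisableNatTraversal" to "true" in the configuration file), added here as an example; it is not SoftEther's code. SAMPLE_CONFIG is a constructed fragment in the shape of vpn_server.config (declare blocks, tab-indented "type Name value" lines); apart from DisableNatTraversal, the option names in it are placeholders. The script refuses to guess when the option is missing or appears twice, so a typo in the name cannot silently leave NAT-T enabled. Stop the VPN Server service before editing the real file, since the running server writes its own copy of the configuration back to disk and would overwrite a change made while it is running.

```python
"""Flip DisableNatTraversal in a SoftEther-style config file.

Added example, not SoftEther code. SAMPLE_CONFIG is a constructed
fragment in the shape of vpn_server.config (declare blocks, tab-indented
"type Name value" lines); apart from DisableNatTraversal the option
names are placeholders. Stop the VPN Server service before editing the
real file, because the running server rewrites the file itself.
"""
import re
import sys

SAMPLE_CONFIG = """declare root
{
\tdeclare ServerConfiguration
\t{
\t\tbool DisableNatTraversal false
\t\tbool PlaceholderOptionA false
\t\tuint PlaceholderOptionB 0
\t}
}
"""

# One "bool Name value" line; the indentation is captured so it can be kept.
BOOL_LINE = re.compile(
    r"^(?P<indent>[ \t]*)bool[ \t]+(?P<name>\w+)[ \t]+(?P<value>true|false)[ \t]*$",
    re.MULTILINE,
)


def get_bool_option(text: str, name: str):
    """Return True/False for the named bool option, or None if it is absent."""
    for m in BOOL_LINE.finditer(text):
        if m.group("name") == name:
            return m.group("value") == "true"
    return None


def set_bool_option(text: str, name: str, value: bool) -> str:
    """Return text with exactly one 'bool <name>' line rewritten.

    Raises if the option is missing or appears more than once, so a typo
    in the name cannot silently leave the setting unchanged."""
    hits = [m for m in BOOL_LINE.finditer(text) if m.group("name") == name]
    if len(hits) != 1:
        raise ValueError(f"expected one 'bool {name}' line, found {len(hits)}")
    m = hits[0]
    new_line = f"{m.group('indent')}bool {name} {'true' if value else 'false'}"
    return text[: m.start()] + new_line + text[m.end():]


def disable_nat_traversal(text: str) -> str:
    """The edit the manual describes: DisableNatTraversal -> true."""
    return set_bool_option(text, "DisableNatTraversal", True)


if __name__ == "__main__":
    # Usage: python edit_config.py /path/to/vpn_server.config  (server stopped first)
    if len(sys.argv) == 2:
        with open(sys.argv[1], encoding="utf-8") as f:
            original = f.read()
        with open(sys.argv[1], "w", encoding="utf-8") as f:
            f.write(disable_nat_traversal(original))
    else:
        print(disable_nat_traversal(SAMPLE_CONFIG))
```

Run it without arguments to see the edited sample; with a path, it rewrites that file in place. Disabling NAT-T only matters if you then reach the server by a port-forward or a public IP, which is the trade-off the post above describes.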
-
- Posts: 477
- Joined: Tue Sep 11, 2018 5:58 pm
Re: How is VPN server listening through the firewall
And what is the purpose of DDNS? Though I do not know the details, it is a "magic box" that must sit on a public IP, otherwise there is no way to establish
communication between two points behind routers... (and I doubt DDNS is enough? It must have a function to forward some sort of messages between the two points, but its primary function is something completely different.)
If you explain how DDNS can tell two points where they are, I would like to learn something.
Yes, I know about Azure; this can work because then the two points are two clients and Azure is the server, sitting on a public IP.
About complicated networks, I myself have also made a discovery; see the result of this thread:
https://www.vpnusers.com/viewtopic.php?f=7&t=66579
So the best is to have your own server sitting on a legacy public IP address!
-
- Posts: 286
- Joined: Wed Nov 25, 2020 9:10 am
Re: How is VPN server listening through the firewall
DDNS tracks the public IP of the node.
The NAT-T server relays connection information (i.e. address, port).
When a client connects to a server behind some firewall with no port being forwarded, it resolves the DDNS hostname to an IP and sends its address and port to the NAT-T server, which relays the information to the server side and passes back the server's address and port. Then the client and server establish a direct connection.
The tricky part is that this generally works for UDP only.
Therefore for TCP there is VPN Azure, which relays not only metadata but also the whole traffic.
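The exchange described in this post, and in the earlier post on UDP hole punching, as an added example that is not part of the thread or of SoftEther: a Python model of a client and a VPN server that both sit behind NATs, a public NAT-T (rendezvous) server that only stores and relays observed addresses, and the firewall rule that decides which inbound UDP packets get through. The NAT behaviour, the protocol steps and every address are assumptions chosen for illustration. The NAT is modelled as port-restricted cone: an inbound packet reaches the inside host only if that host has already sent to the exact remote (ip, port) it came from. That is the "insider" point made above, and the model also shows the failure mode the thread mentions: a packet from any other host aimed at the same public port is dropped, and a symmetric NAT (a fresh public port per destination) would break step 4.

```python
"""Model of the NAT-T (UDP hole punching) exchange described in the thread.

Constructed simulation, not SoftEther code: the NAT behaviour, the
rendezvous protocol and every address below are assumptions made for
illustration. The NAT is port-restricted cone: an inbound packet reaches
the inside host only if that host already sent to that exact remote.
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple

Addr = Tuple[str, int]


@dataclass
class Nat:
    """NAT plus stateful firewall in front of one private network."""
    public_ip: str
    next_port: int = 40000
    mappings: dict = field(default_factory=dict)  # inside Addr -> public port
    allowed: set = field(default_factory=set)     # (public port, remote Addr)

    def outbound(self, inside: Addr, remote: Addr) -> Addr:
        """Inside host sends to remote. Allocates (or reuses) a public port
        and records that remote may now send back to that port."""
        if inside not in self.mappings:
            self.mappings[inside] = self.next_port
            self.next_port += 1
        port = self.mappings[inside]
        self.allowed.add((port, remote))
        return (self.public_ip, port)

    def inbound(self, remote: Addr, public_port: int) -> Optional[Addr]:
        """Packet from remote arrives at public_port. Returns the inside
        address it is delivered to, or None if the firewall drops it."""
        if (public_port, remote) not in self.allowed:
            return None  # no matching outbound state: same as a closed port
        for inside, port in self.mappings.items():
            if port == public_port:
                return inside
        return None


class Rendezvous:
    """The public NAT-T server. It carries no VPN traffic; it only stores
    the public (ip, port) it saw each registered peer sending from."""

    def __init__(self, addr: Addr) -> None:
        self.addr = addr
        self.peers: dict = {}

    def register(self, name: str, seen_from: Addr) -> None:
        self.peers[name] = seen_from

    def lookup(self, name: str) -> Optional[Addr]:
        return self.peers.get(name)


def run_exchange() -> dict:
    """Walk through one connection and record what the server-side NAT does
    with each packet. Addresses are documentation ranges chosen for the demo."""
    rdv = Rendezvous(("192.0.2.1", 5000))
    client_nat, server_nat = Nat("198.51.100.20"), Nat("203.0.113.50")
    client_in, server_in = ("192.168.1.10", 50000), ("10.0.0.5", 5555)

    # 1. VPN server keeps an outbound UDP mapping open toward the NAT-T
    #    server and registers the public address the NAT-T server sees.
    server_pub = server_nat.outbound(server_in, rdv.addr)
    rdv.register("vpn-server", server_pub)

    # 2. Client contacts the NAT-T server (after resolving the DDNS name)
    #    and learns the VPN server's public (ip, port).
    client_pub = client_nat.outbound(client_in, rdv.addr)
    server_addr = rdv.lookup("vpn-server")

    # A client packet sent now is dropped: the server NAT has no state for it.
    before_punch = server_nat.inbound(client_pub, server_pub[1])

    # 3. NAT-T server relays client_pub to the VPN server. This gets in
    #    because the server already sent to the NAT-T server.
    relay_delivered = server_nat.inbound(rdv.addr, server_pub[1]) == server_in

    # 4. Both sides send toward each other at once; each send opens a hole.
    server_nat.outbound(server_in, client_pub)
    client_nat.outbound(client_in, server_addr)

    # 5. Now the same client packet is delivered, and the server's reply
    #    passes the client's NAT too: a direct UDP path exists.
    after_punch = server_nat.inbound(client_pub, server_pub[1])
    reply_delivered = client_nat.inbound(server_pub, client_pub[1]) == client_in

    # An unrelated host aiming at the same public port is still dropped:
    # the hole is bound to the one remote address the server sent to.
    attacker = server_nat.inbound(("198.51.100.99", 4444), server_pub[1])

    return {
        "server_pub": server_pub,
        "client_pub": client_pub,
        "before_punch": before_punch,
        "relay_delivered": relay_delivered,
        "after_punch": after_punch,
        "reply_delivered": reply_delivered,
        "attacker": attacker,
    }


if __name__ == "__main__":
    for key, value in run_exchange().items():
        print(f"{key}: {value}")
```

The thing to take from the model is what the NAT-T server does and does not do: it learns and relays public addresses, so it must be trusted with that metadata, but the VPN traffic itself goes directly between the two peers, and the "opening" the firewall creates admits only the one remote address the inside host chose to send to.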