blog.plee.me About software, technology and random things

20May/120

Making Traceroutes Work with a Firewall (Windows)

Hi!

Even though I've had software firewalls in action for years now, I haven't really come across too many instances where I'd need traceroutes. The few times I did, however, I noticed that I only got output like the following:

>tracert example.com

Tracing route to example.com [123.123.123.123]
over a maximum of 30 hops:

  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11    50 ms    50 ms    50 ms  example.com [123.123.123.123]

Trace complete.

The number of hops would of course vary for the specific host / IP address.

Today I had to use traceroute in order to analyze a couple of networking problems. That was the incentive I needed to look up why it didn't work.

The fact that not even my router was showing up was a big indicator that something was wrong with my local firewall settings.

After searching the web for a couple of minutes, I found out what I was looking for at this page: http://www.phildev.net/ipf/IPFques.html#ques34

Traceroute is using ICMP packets (plus UDP on Linux systems, but that's outside the scope of this blog entry. You can read more about it on the page I linked above). But even for an outgoing traceroute you need to accept incoming ICMP packets.

Which ones? These:

  • ICMP TTL Expired (Type 11, Code 0)
  • ICMP Port Unreachable (Type 3, Code 3)

Once you've enabled these types of packets for incoming traffic in your firewall(s), you'll see that your traceroute will now function as it should.

If your firewall does not allow you to configure accepting specific types of ICMP packets, try allowing incoming ICMP packets altogether (if that's not too much of a compromise for you).

Anyway, long-ish story short: It's working now 🙂

Thanks to the webmaster of the page I linked above! And thanks to you for reading.

13Oct/090

OpenVPN on Windows Vista / 7 – Ping says: TTL expired in transit

Hi there!

When I set up my VPN with OpenVPN yesterday, I found out about a little difficulty under Windows Vista and 7. Thankfully it was not that much of a hurdle as the UAC was the reason for this bug just like for a series of other bugs with different software I experimented with over the last few weeks. Nevertheless I hope that this piece of information helps you get rid of the following problem.

If you have set up your VPN and got it running without any major problems, and everything seems to be running just fine (connecting works), but you still can't establish connections to the other machines, you might find that pinging returns the error message "TTL expired in transit". This is due to the fact that Vista (or Windows 7) needs administrator privileges to adjust your computer's settings properly in order to function when you've connected to the VPN successfully. I think it's about the route.exe process, but I'm not 100% sure.

Windows Vista and 7 have the equally famous as infamous UAC (User Account Control) that prevents even administrator privileged accounts from executing programs with administrator rights by default. In order to enable these rights you have to right-click the program (or program shortcut) and click on "Run as administrator" next to the yellow-blue shield if it does not run with administrator rights exclusively anyway (in which case you'd see the yellow-blue shield in the bottom right corner of the program icon itself and would be asked for administrator privileges automatically when you launch it as any other program).

Please note that the following steps are for on-demand OpenVPN connections. For automatic connections, read further below.

OpenVPN on-demand connection

So what you need to do is launch the connection with UAC. But how do you do that if you usually launch OpenVPN connections with a right-click and "Start OpenVPN on this config file"? Even creating a shortcut to the .ovpn file doesn't give you the "Run as administrator" option.

A simple solution is to create a batch file that simply changes to the work directory and executes .ovpn with the openvpn.exe.

Example file "ovpn_connection1.bat":

@echo off
D:
cd \Programs\OpenVPN\config-ondemand\
D:\Programs\OpenVPN\bin\openvpn.exe D:\Programs\OpenVPN\config-ondemand\connection1.ovpn

This batch file has the following parameters/assumptions:

  • Your OpenVPN dir is on the D: partition (otherwise change the drive letter in the respective paths and leave the "D:" line out altogether).
  • The path to your OpenVPN dir is D:\Programs\OpenVPN.
  • Your connection configuration file is located in the config-ondemand subdirectory.

Basically, you just switch to the work directory and execute OpenVPN's openvpn.exe located in its bin dir on the configuration. In a way, this works as a shortcut, but just as an executable batch.

The @echo off part is just so that you won't see the other commands displayed in the window each time you start the connection.

Now you either make a shortcut to this batch file or use it itself.

Whenever you want to start the connection, right-click on it and select "Run as administrator".

Done! Test your ping and it should be fine.

OpenVPN automatic connection

All you need to do is to move the .ovpn configuration file and all the other required files into the config subdirectory of your OpenVPN installation.

When the OpenVPN service (Start => Run => services.msc) is started, it will look for .ovpn files in its config subdirectory and execute them all - with SYSTEM privileges. No UAC circumvention needed.

So just set your OpenVPN service to "Automatic" and you're good to go!

OpenVPN on-demand connection with OpenVPN service

Just do what is described under the "OpenVPN automatic connection" paragraph except for setting the service to "Manual".

Now each time you want to launch the connection, you just need to type "net start OpenVPNService". To stop it, type "net stop OpenVPNService".

Note on using connections with the OpenVPN service

As the OpenVPN service feature executes *all* .ovpn configuration in the config subdirectory, there is no way to manually interfere with one particular connection of that directory and let's say disable it shortly. All config-connections are handled as a group with the OpenVPN service.

So if you need manual independency, look at the on-demand section.

I hope this wasn't all too fuzzy with the wordings and such.

Please comment or contact me if you have any questions on this matter.

Thanks for reading!