Problem with Murus and VPN

pnoguchi
Posts: 4
Joined: Sun Jun 07, 2015 7:03 am

Problem with Murus and VPN

Post by pnoguchi » Sun Jun 07, 2015 7:16 am

I use a VPN service that uses the IPsec and PPTP network modules in OS X (I'm on OS X 10.10.3). I installed Murus Lite and set up the basic exclusive PF rules. However, now my VPN fails to work. I uninstalled Murus Lite, and immediately, without rebooting, I was able to activate the VPN.

My basic question is whether there is a specific rule or port that interacts with a VPN, and if so, how to mitigate this interaction.

I have purchased Murus Pro, so it would be great if I could use Murus Pro without knocking out my VPN. The VPN is VPN Unlimited, which is inexpensive, especially with the lifetime version obtained from StackSocial.

Any help would be appreciated.

Regards,
Phil Noguchi

hany
Posts: 443
Joined: Wed Dec 10, 2014 5:20 pm

Re: Problem with Murus and VPN

Post by hany » Sun Jun 07, 2015 4:03 pm

Hi Phil,
you should be able to use VPN clients (as well as servers) with no problem at all, provided that you allow the correct services and protocols. Try adding the Murus VPN PPTP service to your outbound services and click PLAY in the toolbar to reload the rules. It should work. If not, please look at your VPN provider's documentation and see which ports and protocols it uses. You can create a custom service or (much better) issue a custom rule. If you need help doing so, please let me know and I will try to assist you.

pnoguchi
Posts: 4
Joined: Sun Jun 07, 2015 7:03 am

Re: Problem with Murus and VPN

Post by pnoguchi » Sun Jun 07, 2015 5:03 pm

Thank you for your quick reply. :D

I have done as you suggested, but my VPN still does not work. The VPN PPTP service and the Dynamic Ports service both have yellow rather than green out-port arrows. I also get repeated notifications that say something like "[50268] [Connections Block 17:143.160.221][DYNAMIC PORTS]". See attachment. The number, which I surmise is the blocked port, keeps changing but is in the 50xxx range.

I have contacted the supplier of the VPN, who replied: "VPN Unlimited uses UDP 500, 4500 on Mac OS". I believe the VPN PPTP service only uses port 1723.

I look forward to your help on crafting a custom rule for this.

-Phil

hany
Posts: 443
Joined: Wed Dec 10, 2014 5:20 pm

Re: Problem with Murus and VPN

Post by hany » Sun Jun 07, 2015 5:46 pm

> The VPN PPTP service and the Dynamic Ports service both have yellow rather than green out-port arrows

Why are they yellow? While troubleshooting they should be green. By the way, are you looking at outbound, as you should, or inbound managed services?

> I also get repeated notifications that say something like "[50268] [Connections Block 17:143.160.221][DYNAMIC PORTS]"

Notifications are for inbound connections. Your problem is with a VPN client, so you have to verify your outbound rules.
I suggest you disable notifications for inbound dynamic ports; it's normal to have a lot of blocked unsolicited ACKs.
As far as I know you only have to care about outbound in order for your VPN client to work.
Probably you don't need a custom rule but only a custom service. Anyway, I give you both examples; choose the one you prefer.

Custom Murus service:
Open Murus Libraries, click the small gear button above it and create a new custom service from the popup menu. Scroll down your services library, select the new custom service and click the magnifier button to open the configuration popover view. Give it a name, put the necessary ports in the ports field, then select the esp/gre protocol (not udp). Assuming you have chosen an exclusive approach for your outbound rules (= you have only the ALL SERVICES service with a green triangle, the default Murus setting for outbound), now assign this new custom service to Murus outbound services. Click PLAY in the toolbar to update the runtime rules.

Custom PF Rule:
Open the Expanded PF Configuration view by clicking the double gear button in the Murus toolbar. The view will display on the right side of the main Murus window. Select the small gear above it to display the custom PF rules popover view. Click the big gear button at the bottom right to open the manual custom rules popover view and type

    pass out proto { esp gre } from any to any

and click Add to add the new rule. This rule allows the protocols ESP and GRE, which are usually needed by VPNs. Connections to UDP 500 and 4500 are already allowed in the Murus default configuration and in all exclusive configurations.
However, if you chose an inclusive approach for outbound, then you need a second custom rule:

    pass out proto udp from any to any port { 500 4500 }

Let me know :)
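The two rules in the post above, as an added worked example (editor's code, not Murus's and not from the thread): a POSIX shell script that emits an outbound PF ruleset for the VPN client protocols this thread names and parse-checks it with pfctl without loading it. It goes beyond hany's two rules by also covering the PPTP control channel on TCP 1723 and L2TP on UDP 1701, both mentioned later in the thread; the ports and protocols are the ones stated in the thread, everything else (function names, the temporary-file dry run) is an assumption.

```shell
#!/bin/sh
# Added example (editor's, not Murus code): outbound PF rules for a VPN
# client, plus a pfctl dry run. Ports/protocols are those named in the
# thread; the function names and the temp-file check are assumptions.

# Emit the rules. Every rule is "pass out", so only the client's side is
# opened; PF's state table then admits the matching replies, including the
# inbound ESP packets from the VPN server.
vpn_client_rules() {
    cat <<'EOF'
# IKE, and IKE/ESP over NAT-T (the provider in the thread states UDP 500 and 4500)
pass out quick proto udp from any to any port { 500 4500 } keep state
# L2TP control channel (normally itself carried inside the IPsec tunnel)
pass out quick proto udp from any to any port 1701 keep state
# PPTP control channel
pass out quick proto tcp from any to any port 1723 flags S/SA keep state
# Encapsulated payload: ESP for IPsec, GRE for PPTP. These protocols carry
# no port numbers, so a port-based service entry cannot allow them; only a
# protocol rule like this one does, which is why a "VPN" service that lists
# ports alone leaves ESP blocked.
pass out quick proto { esp gre } from any to any keep state
EOF
}

# Parse-check the rules with pfctl without loading them (macOS or a BSD;
# may need sudo). Returns 0 on a clean parse, 1 on a syntax error, 2 when
# pfctl is not present on this host.
check_vpn_rules() {
    command -v pfctl >/dev/null 2>&1 || return 2
    tmp=$(mktemp) || return 1
    vpn_client_rules > "$tmp"
    pfctl -nf "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# When run directly: print the rules, then report the dry-run result.
vpn_client_rules
check_vpn_rules
case $? in
    0) echo "pfctl: syntax OK" ;;
    2) echo "pfctl not found on this host: rules printed only" ;;
    *) echo "pfctl: syntax error in rules" ;;
esac
```

If the dry run passes, the rules can be pasted into the manual custom rules popover hany describes, or kept as a file for `sudo pfctl -nf` checks after each Murus change. To confirm on the wire that the tunnel payload actually leaves the machine while the client connects, `sudo tcpdump -ni en0 'ip proto 50 or ip proto 47 or udp port 500 or udp port 4500'` (50 is ESP, 47 is GRE; en0 is an assumed interface name) should show ESP following the UDP 500/4500 exchange; seeing only UDP 4500 is the symptom of a missing protocol rule.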

pnoguchi
Posts: 4
Joined: Sun Jun 07, 2015 7:03 am

Re: Problem with Murus and VPN

Post by pnoguchi » Sun Jun 07, 2015 8:50 pm

:D Thank you for the detailed help. I am sure I don't quite understand everything you said, but the VPN is now working with Murus active!

When you designate a custom service, do the custom rules go with that? I added both rules as you outlined. I think that the PPTP service needed the custom service to open ports 500 and 4500, since its default only opens port 1723. The IPsec VPN service opens ports 500, 1701 and 4500. I almost always use the PPTP VPN service rather than the IPsec VPN service, so it seems that your suggestions have fixed the issue.

Thank you for the superb support. :lol:

Phil

hany
Posts: 443
Joined: Wed Dec 10, 2014 5:20 pm

Re: Problem with Murus and VPN

Post by hany » Wed Jun 10, 2015 11:03 am

> I am sure I don't quite understand everything you said, but the VPN is now working with Murus active!

Glad to see that it works :)

> When you designate a custom service, do the custom rules go with that?

No, custom rules are rules added in the Configuration window, using the custom rules popover. (They are represented by a specific icon; please click the info button on top of the Configuration window to display the legend.)
A custom service creates rules when it is assigned to inbound and/or outbound managed services. These rules are not custom rules, they are service rules. They are represented by their corresponding service's icon.

It is hard for me to say why it works without actually seeing the complete configuration. If you want you can send it to our support email or post it here, I will be happy to have a look at it and try to understand it and explain it :)

enjoy

pnoguchi
Posts: 4
Joined: Sun Jun 07, 2015 7:03 am

Re: Problem with Murus and VPN

Post by pnoguchi » Sun Jun 14, 2015 3:15 am

I appreciate the insightful support you have been providing to a newbie to Murus.

Now that I seem to have the VPN working, I find I have another problem. I read in another thread with avalon your tips on troubleshooting the log and analyzer functions. I find that Murus will autostart on only one of three machines. That one machine does have a pffirewall.log file, but the two machines that don't autostart Murus do NOT have pffirewall.log files :oops: Interestingly, the Logs Analyzer does not have any items in any of its windows, as though the log files are not there.

I have followed your advice on installing the boot scripts on all machines, but still have this hit-or-miss result. As a first step, where do the boot scripts install, and what do they say? I'm guessing that the one machine that has the log files and that autostarts Murus will have these files, while the other two machines will not.

I see that understanding PF is an ongoing learning process. Any further suggestions you might have on this issue would be most appreciated.

regards,
Phil

hany
Posts: 443
Joined: Wed Dec 10, 2014 5:20 pm

Re: Problem with Murus and VPN

Post by hany » Wed Jun 17, 2015 4:59 pm

> I find that Murus will autostart on only one of three machines. That one machine does have a pffirewall.log file, but the two machines that don't autostart Murus do NOT have pffirewall.log files

Murus Boot Scripts are needed for logging. If you don't install the boot scripts (and reboot at least one time), logging won't work. This is because we need the "pflog0" virtual network interface to be up in order to log connections. Boot scripts are responsible for enabling PF AND for setting up everything needed by the logging system.

> As a first step, where do the boot scripts install, and what do they say?

See the online Murus manual here; there is a more detailed explanation of how boot scripts work:
http://murusfirewall.com/docs/index.htm ... ootScripts

> I'm guessing that the one machine that has the log files and that autostarts Murus will have these files, while the other two machines will not.

99% correct :)
Actually, boot scripts are used to start PF, not to start Murus. Murus is only a GUI. In fact Murus should not automatically run at boot. What you want to run at boot is PF, which will run in the background (in the OS X kernel).

> Any further suggestions you might have on this issue would be most appreciated.

The only thing you need is to install the boot scripts AND reboot at least once.
Then, of course, to see logs you need to set up firewall logging rules and make some logged connections. The log file will start populating, and you will instantly be able to see it using OS X Console.app, Murus Logs Visualizer or the shell terminal.
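The checks hany lists, as an added example (editor's script, not Murus code): a POSIX shell script that verifies the pieces PF logging depends on, PF enabled, the pflog0 interface up, and loaded rules that carry the log keyword, and shows the terminal route for reading the log. The pfctl, ifconfig and tcpdump invocations are standard ones; the sample rules and the pfctl output lines used to exercise the parsing functions are constructed for illustration.

```shell
#!/bin/sh
# Added example (editor's, not Murus code): check what PF logging needs on
# macOS and read the log from a shell. pfctl, ifconfig on pflog0 and tcpdump
# need root. Sample rules below are constructed for illustration.

# Pull the Status word ("Enabled" or "Disabled") out of `pfctl -s info` output.
pf_status_word() {
    awk '/^Status:/ { print $2; exit }'
}

# Count rules in `pfctl -sr` output that will write to pflog0. Only rules
# carrying the "log" keyword are logged, so a default "block all" without it
# logs nothing, however many connections it drops.
count_log_rules() {
    grep -c -E '^(pass|block)[^#]* log( |$)'
}

# Live checks against this host; each returns 0 when the item is in order.
check_pf_enabled() {
    [ "$(pfctl -s info 2>/dev/null | pf_status_word)" = "Enabled" ]
}
check_pflog0_up() {
    # pflog0 exists only once PF's boot-time setup has created it; absent
    # or DOWN means nothing can be logged, whatever the rules say.
    ifconfig pflog0 2>/dev/null | grep -q '<UP'
}
check_logging_rules() {
    [ "$(pfctl -sr 2>/dev/null | count_log_rules)" -gt 0 ]
}

# Constructed rules for troubleshooting a VPN client: log the ESP/GRE pass
# rule so pflog0 shows whether the tunnel payload matches it, and log the
# final block so dropped traffic is visible too.
logged_rules() {
    cat <<'EOF'
pass out log proto { esp gre } from any to any keep state
pass out proto udp from any to any port { 500 4500 } keep state
block out log all
EOF
}

# Read what PF logged, one line per packet with a timestamp and the number
# of the rule that matched. This is the "shell terminal" route; Console.app
# and Murus Logs Visualizer are the GUI routes to the same log.
read_pflog() {
    tcpdump -nettt -i pflog0 "$@"
}

# When run directly: report the three checks (meaningful only where pfctl exists).
if command -v pfctl >/dev/null 2>&1; then
    check_pf_enabled    && echo "PF: enabled"        || echo "PF: not enabled"
    check_pflog0_up     && echo "pflog0: up"         || echo "pflog0: missing or down"
    check_logging_rules && echo "log rules: present" || echo "log rules: none loaded"
else
    echo "pfctl not found on this host; nothing to check"
fi
```

On a machine where the boot scripts were never installed, the second check fails and `read_pflog` reports that pflog0 does not exist, which matches the symptom of a missing pffirewall.log. Once pflog0 is up, `sudo sh thisscript.sh` followed by `read_pflog 'udp port 4500'` (after sourcing the script) is a quick way to see whether the VPN traffic is hitting a logged rule at all.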

attis
Posts: 1
Joined: Sun Feb 25, 2018 9:55 pm

Re: Problem with Murus and VPN

Post by attis » Sun Feb 25, 2018 10:13 pm

hello hany, Murus team,

I've got the same issue as pnoguchi had in 2015. I've followed the logic above, creating an outgoing rule for IPsec, besides the built-in "ALL SERVICES".
The problem is, it still does not let the ESP out, despite the "VPN L2TP" service having been added to outbound (and inbound too):
murus_out_esp.png
In Wireshark, when Murus is running, the ESP outgoing connection is not possible; just UDP 4500 is happening. Switching off Murus, ESP can go out and the IPsec connection is successfully created and runs till I switch it off.

What's the solution? Tested with Murus v1.4.11 & v1.4.16.

Attis
