The provider modem can be a problem if the network you want to connect to is behind another router downstream. Some have the option to set a passthru for VPN but not all. You can configure the modem as a bridge which disables the modem as a network controller. This may work for some cases but needs careful planning if you have an existing network using the default modem governed network.
I’ve found both Verizon and Comcast business modem/routers have a DMZ option which exposes one internal machine to the public network and this works to put the router on the external network interface. However, the T-mobile 5G home connection will not connect in this configuration even though Verizon home Fios and many others work just fine.
The best option I’ve found is to forward ports 500 and 4500 to the internal Edge X router. I found these using Wireshark. I’m sure they are documented somewhere. Port 500 is initially used when connecting to the Edgerouter thru the firewall but shifts to port 4500 after initial contact. Forwarding eliminates the killer conflict between T-Mobil and Comcast modems when using the Comcast option to expose an internal machine.
There are a bunch of settings in Win10/11 that need to be modified to connect to an EdgeRouter X which were covered in individual prior posts. I just had to setup 2 more machines and realized I need to collect them in one post. Here they are without background reference which can be found in earlier posts.
Problem
Just switched from Verizon to T-Mobile 5G internet connection and the VPN fails. Other users have Comcast or Verizon 5G and there is no problem. After a year of trying, T-mobile 5G does not permit user to make changes necessary to get it working.
Create VPN connection
In VPN properties, select Security tab. Under Allow These protocols, check CHAP and MS-CHAP v2
Also important, in the VPN properties, enter the domain suffix to use. If you don’t, the VPN will connect but get all sorts of errors. The telling one is if you try to browse a remote file, you get an error message stating you are not allowed to login from this location. Also, remote desktop connects to target but then quits instead of logging in.
Turn off UDP for client From command line as administrator or PowerShell as administrator run the following
Registry edit for Windows firewall REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f
Add FQDN for remote DNS lookup Search for and open Control Panel > Network and Sharing Center >Change Adapter Settings > select Ethernet connection (not VPN) & right click > select properties > select IPV4 > select properties > select advanced button > select DNS tab > select button ‘Append these DNS suffixes’ > select Add > enter the correct suffix for the remote domain.
Remote Gateway In the VPN network connection, under properties select the Networking tab, select IPv4 properties. General tab appears, select advanced, on IP settings make sure Use Default Gateway on Remote Network is checked. If unchecked it can cause DNS lookup problems to the remote computers depending on priority settings of the VPN vs. Ethernet connections. If you can find them by IP address but not name with this unchecked, priority settings are the issue. Split tunneling is the same as unchecking this box.
Set split tunneling Get-VPNConnection Look for SplitTunneling status: false by default Set-VPNConnection -Name “VPNname” -SplitTunneling $True Quotes around VPN name are required
If split tunneling is true, the remote gateway is not set. This causes problems with finding the remote computers. You can find them by IP address but not name. The fix for this while keeping split tunneling is to reduce the priority number for the VPN and increase it for the Ethernet connection. This forces name resolution to use the VPN DNS first then the external DNS if it can’t find the name locally. It works for browsing external web sites but seems to have occasional difficulty with ads on some pages slowing the response or failing to finish loading.
Well covered in several YouTube videos but there are a lot to choose from and many aren’t quite what is needed. Save search time. This one is the best of many I’ve watched and actually was able to use the instructions to configure and it worked the first time. Instructions for the firewall changes start at 7:30. The command line instructions are in the notes immediately under the video on the YouTube page. Config-tree GUI is good for updating the configuration when you add users.
Allowing VPN connection thru a router/modem.
The provider modem can be a problem if the network you want to connect to is behind another router downstream. Some have the option to set a passthru for VPN but not all. You can configure the modem as a bridge which disables the modem as a network controller. This may work for some cases but needs careful planning if you have an existing network using the default modem governed network. I’ve found both Verizon and Comcast routers have a DMZ option which exposes one internal machine to the public network and this works to put the router on the external network interface.
The best option I’ve found is to allow ports 500 and 4500 forwarding to the internal Edge X router. I found these using Wireshark. I’m sure they are documented somewhere. Only port 500 is used when connecting directly to the Edgerouter but forwarding thru the Comcast modem/router in between has the conversation shift to port 4500 after initial contact. Forwarding eliminates a killer conflict between T-Mobil and Comcast modems when using the Comcast option to expose an internal machine.
Win 10 VPN setup problems.
The wizard in the settings panel will setup the basic VPN connection but it omits an important setting that is accessed thru the control panel. However, the same setup on an Android device works immediately. There are 2 sites covering the same information. The YouTube is longer but explains more on how to access the setting. The web page is simple and to the point but has the additional registry change that is needed if you are behind a firewall at another location.
The second problem is that UDP responses aren’t handled properly in Windows 10. The result is the connection hesitates, locks up or slows down to the point of being useless. There is a registry edit to fix the issue. REG ADD “HKLM\software\policies\microsoft\windows nt\Terminal Services\Client” /v fClientDisableUDP /d 1 /t REG_DWORD This is covered in more detail in another post.
Jerry's blog 