The provider modem can be a problem if the network you want to connect to is behind another router downstream. Some have the option to set a passthru for VPN but not all. You can configure the modem as a bridge which disables the modem as a network controller. This may work for some cases but needs careful planning if you have an existing network using the default modem governed network.
I’ve found both Verizon and Comcast business modem/routers have a DMZ option which exposes one internal machine to the public network and this works to put the router on the external network interface. However, the T-mobile 5G home connection will not connect in this configuration even though Verizon home Fios and many others work just fine.
The best option I’ve found is to forward ports 500 and 4500 to the internal EdgeRouter X. I found these using Wireshark. I’m sure they are documented somewhere. Port 500 is initially used when connecting to the EdgeRouter thru the firewall but the conversation shifts to port 4500 after initial contact. Forwarding eliminates the killer conflict between T-Mobile and Comcast modems when using the Comcast option to expose an internal machine.
There are a bunch of settings in Win10/11 that need to be modified to connect to an EdgeRouter X which were covered in individual prior posts. I just had to set up 2 more machines and realized I need to collect them in one post. Here they are without background reference, which can be found in earlier posts.
Problem
Just switched from Verizon to T-Mobile 5G internet connection and the VPN fails. Other users have Comcast or Verizon 5G and there is no problem. After a year of trying, T-Mobile 5G does not permit the user to make the changes necessary to get it working.
Create VPN connection
In VPN properties, select the Security tab. Under “Allow these protocols”, check CHAP and MS-CHAP v2.
Also important, in the VPN properties, enter the domain suffix to use. If you don’t, the VPN will connect but get all sorts of errors. The telling one is if you try to browse a remote file, you get an error message stating you are not allowed to login from this location. Also, remote desktop connects to target but then quits instead of logging in.
Turn off UDP for client
From command line as administrator or PowerShell as administrator run the following:
REG ADD "HKLM\software\policies\microsoft\windows nt\Terminal Services\Client" /v fClientDisableUDP /d 1 /t REG_DWORD
Registry edit for Windows firewall
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f
Add FQDN for remote DNS lookup
Search for and open Control Panel > Network and Sharing Center > Change Adapter Settings > select Ethernet connection (not VPN) & right click > select Properties > select IPv4 > select Properties > select Advanced button > select DNS tab > select button ‘Append these DNS suffixes’ > select Add > enter the correct suffix for the remote domain.
Remote Gateway
In the VPN network connection, under Properties select the Networking tab, then select IPv4 Properties. The General tab appears; select Advanced, and on IP settings make sure “Use default gateway on remote network” is checked. If unchecked it can cause DNS lookup problems to the remote computers depending on the priority settings of the VPN vs. Ethernet connections. If you can find them by IP address but not by name with this unchecked, priority settings are the issue. Split tunneling is the same as unchecking this box.
Set split tunneling
Get-VPNConnection
Look for SplitTunneling status: false by default
Set-VPNConnection -Name "VPNname" -SplitTunneling $True
Quotes around the VPN name are required.
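The collected settings above, applied from one elevated PowerShell session, as an added example that is not code from the original post. The connection name, server address, pre-shared key and DNS suffix are placeholders, and it assumes no VPN connection with that name already exists; the PolicyAgent change needs a reboot to take effect.

```powershell
# Added example: apply the Win10/11 settings collected above from elevated PowerShell.
$VpnName = 'OfficeVPN'             # placeholder
$Server  = 'vpn.example.com'       # placeholder: public address of the EdgeRouter X
$Psk     = 'REPLACE-WITH-PSK'      # placeholder: L2TP/IPsec pre-shared key
$Suffix  = 'corp.example.com'      # placeholder: DNS suffix of the remote domain

# 1. Create the L2TP/IPsec connection with CHAP and MS-CHAP v2 and the DNS suffix set
#    (the Security tab and "domain suffix" steps above).
Add-VpnConnection -Name $VpnName -ServerAddress $Server -TunnelType L2tp -L2tpPsk $Psk `
    -AuthenticationMethod Chap, MSChapv2 -EncryptionLevel Required `
    -DnsSuffix $Suffix -RememberCredential -Force

# 2. Full tunnel: keeps "Use default gateway on remote network" checked.
Set-VpnConnection -Name $VpnName -SplitTunneling $false

# 3. Append the remote suffix to unqualified lookups (the GUI's "Append these DNS suffixes";
#    that list is system-wide even though it is reached through the adapter dialog).
$search = @((Get-DnsClientGlobalSetting).SuffixSearchList | Where-Object { $_ })
if ($search -notcontains $Suffix) {
    Set-DnsClientGlobalSetting -SuffixSearchList ($search + $Suffix)
}

# 4. IPsec NAT traversal for a client behind NAT (the PolicyAgent REG ADD above; reboot after).
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent' `
    -Name AssumeUDPEncapsulationContextOnSendRule -PropertyType DWord -Value 2 -Force | Out-Null

# 5. Turn off UDP for the Remote Desktop client (same value the fClientDisableUDP REG ADD sets).
$rdp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client'
if (-not (Test-Path $rdp)) { New-Item -Path $rdp -Force | Out-Null }
New-ItemProperty -Path $rdp -Name fClientDisableUDP -PropertyType DWord -Value 1 -Force | Out-Null

# 6. Verify what was applied before connecting.
Get-VpnConnection -Name $VpnName |
    Select-Object Name, TunnelType, AuthenticationMethod, SplitTunneling, DnsSuffix
(Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent').AssumeUDPEncapsulationContextOnSendRule
(Get-ItemProperty $rdp).fClientDisableUDP
Get-DnsClientGlobalSetting | Select-Object -ExpandProperty SuffixSearchList
```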
If split tunneling is true, the remote gateway is not set. This causes problems with finding the remote computers. You can find them by IP address but not name. The fix for this while keeping split tunneling is to reduce the priority number for the VPN and increase it for the Ethernet connection. This forces name resolution to use the VPN DNS first then the external DNS if it can’t find the name locally. It works for browsing external web sites but seems to have occasional difficulty with ads on some pages slowing the response or failing to finish loading.
Trivially easy in Windows but I don’t do it often enough to remember exactly. Start PowerShell (no need for admin mode).
Get-VPNConnection
Look for SplitTunneling value: false by default
Set-VPNConnection -Name "VPNname" -SplitTunneling $True
Quotes around the VPN name are required.
Get-VPNConnection
SplitTunneling should now be true.
Turn off split tunneling
Set-VPNConnection -Name "VPNname" -SplitTunneling $False
If the split tunnel is true, the remote gateway setting is disabled in the VPN. You may find that you cannot find remote computers by name but by IP address. Suggested fix online is to increase the Ethernet interface metric to a higher priority and the VPN to a lower so queries go to the remote servers first, then out to the internet. The differential in metrics should be in multiple thousands; any smaller and it can still have problems. This works for most websites but seems to have problems with ads on some pages locking up. My fix was to set split tunneling to false. There were too many problems with lags when working on MS documents remotely.
Normally this would be a Windows 10 problem because MS-CHAP v2 is not enabled. It’s on the Security tab of the VPN properties. However, I had one user encounter it and the protocol was enabled. Turned out they were using a wireless extender in their house and it would not properly deal with the security protocol. In the future I’m going to require our home users to hardwire to the Ethernet port on the home router and test the connection before going to a lot of trouble getting my hands on the unit.
Follow up. Witnessed another laptop exhibit the same error. This one happened as the user switched wireless access points while the VPN was attempting to connect. The first WAP had a delayed response so the user switched to one that was better and got an immediate security layer failure.
With VPN connectivity, remote desktop may not find computers by name but using the IP address works. This happens when your computer is not joined to the remote domain. Wireshark inspection of the DNS packets shows the query is for “desktop1.home” instead of the “desktop1” you entered in the search box. Since the remote DNS has no records for .home, it returns a not found response. Now it is necessary to use the full FQDN instead of just the name as you would on site. You can do that with each remote desktop session or change the default so you can just enter the machine name. This is controlled under the IPv4 settings on the Ethernet connection (not the VPN connection). Right click > select Properties > select IPv4 > select Properties > select Advanced button > select DNS tab > select button ‘Append these DNS suffixes’ > select Add > enter the correct suffix for the remote domain.
There are many possible causes and most are routinely covered in help responses. However, sometimes it takes a deeper dive to find the root cause.
I encountered a problem that apparently was caused by a single event from software installation, OS upgrade or other random event that changed firewall settings and/or DNS settings. The firewall was apparently changed to block incoming L2TP ports. The firewall diagnosis came from a Microsoft expert. The conversation and data files for diagnosis are not online.
Port blocking: the symptom was the connection was attempted but nothing happened then the attempt timed out. One other symptom was the virtual Win10 hosted on the same machine could connect but not the host machine. That means the problem was localized to some setting on the host machine and not elsewhere in the network. Wireshark did not show any ISAKMP packets being sent by the host but captured those sent from the virtual machine.
A deeper look with logman showed ISAKMP packets generated but immediately blocked. In admin mode at the command prompt
look for messages: “IPsec: Send ISAKMP Packet” and “IPsec: Receive ISAKMP Packet”
I never did find the specific rule causing the problem but worked around it by adding a firewall rule to allow incoming L2TP UDP connectivity on ports 500, 1701 and 4500.
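An added example (not from the original post) for the rule hunt described above: it lists the enabled inbound Windows Firewall rules whose port filter covers UDP 500, 1701 or 4500, showing which block and which allow, and then adds the explicit allow rule. The rule display name is an assumption; run from elevated PowerShell.

```powershell
# Added example: find inbound rules touching the L2TP/IPsec UDP ports, then add an allow rule.
$L2tpPorts = 500, 1701, 4500

# A port filter's LocalPort is 'Any', a single port, a range like '1024-1100', or a list of those.
function Test-PortMatch {
    param([string[]]$LocalPort, [int]$Port)
    foreach ($p in $LocalPort) {
        if ($p -eq 'Any') { return $true }
        if ($p -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($p -match '^\d+$' -and [int]$p -eq $Port) { return $true }
    }
    return $false
}

# Enumerate enabled inbound rules and keep those whose filter is UDP (17) or Any on our ports.
$hits = foreach ($rule in Get-NetFirewallRule -Enabled True -Direction Inbound) {
    $pf = $rule | Get-NetFirewallPortFilter
    if ($pf.Protocol -notin 'UDP', '17', 'Any') { continue }
    $ports = $L2tpPorts | Where-Object { Test-PortMatch -LocalPort $pf.LocalPort -Port $_ }
    if ($ports) {
        [pscustomobject]@{
            Rule    = $rule.DisplayName
            Action  = $rule.Action      # a Block rule here wins over any Allow rule
            Profile = $rule.Profile
            Ports   = ($ports -join ',')
        }
    }
}
$hits | Sort-Object Action | Format-Table -AutoSize

# The workaround from the post: an explicit inbound allow for the three L2TP/IPsec UDP ports.
# Explicit Block rules still take precedence, so any Block rows listed above must be disabled.
New-NetFirewallRule -DisplayName 'Allow L2TP/IPsec inbound (UDP 500,1701,4500)' `
    -Direction Inbound -Protocol UDP -LocalPort 500, 1701, 4500 -Action Allow -Profile Any
```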
This is caused by UDP not working correctly. The solution is to turn off UDP for the RDP client. This problem may occur on some machines and not others even using the same VPN connection from the same remote site and each configured the same. There is a group policy setting to turn off UDP in RDP. However, it has no effect on the problem on the machines I’ve tested; it apparently works for some people but not all. To fix the problem, a registry edit was necessary. From command line as administrator or PowerShell as administrator run the following:
REG ADD "HKLM\software\policies\microsoft\windows nt\Terminal Services\Client" /v fClientDisableUDP /d 1 /t REG_DWORD
Another setting that can affect quality of the image. In Remote Desktop > show options. On the experience tab, uncheck persistent bitmap caching. It helped to a small extent on freezing but did not cure the problem. However, the fact that it helped suggests this will improve performance.
The group policy setting that did not work for me, even after multiple reboots, but may for you: Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Connection Client. Double click the setting “Turn Off UDP On Client”. Choose the Enabled option to enable this setting. Click Apply to apply the change.
Well covered in several YouTube videos but there are a lot to choose from and many aren’t quite what is needed. Save search time. This one is the best of many I’ve watched and actually was able to use the instructions to configure and it worked the first time. Instructions for the firewall changes start at 7:30. The command line instructions are in the notes immediately under the video on the YouTube page. Config-tree GUI is good for updating the configuration when you add users.
Allowing VPN connection thru a router/modem.
The provider modem can be a problem if the network you want to connect to is behind another router downstream. Some have the option to set a passthru for VPN but not all. You can configure the modem as a bridge which disables the modem as a network controller. This may work for some cases but needs careful planning if you have an existing network using the default modem governed network. I’ve found both Verizon and Comcast routers have a DMZ option which exposes one internal machine to the public network and this works to put the router on the external network interface.
The best option I’ve found is to forward ports 500 and 4500 to the internal EdgeRouter X. I found these using Wireshark. I’m sure they are documented somewhere. Only port 500 is used when connecting directly to the EdgeRouter, but forwarding thru the Comcast modem/router in between has the conversation shift to port 4500 after initial contact. Forwarding eliminates a killer conflict between T-Mobile and Comcast modems when using the Comcast option to expose an internal machine.
Win 10 VPN setup problems.
The wizard in the Settings panel will set up the basic VPN connection but it omits an important setting that is accessed thru the Control Panel. However, the same setup on an Android device works immediately. There are 2 sites covering the same information. The YouTube video is longer but explains more on how to access the setting. The web page is simple and to the point but has the additional registry change that is needed if you are behind a firewall at another location.
The second problem is that UDP responses aren’t handled properly in Windows 10. The result is the connection hesitates, locks up or slows down to the point of being useless. There is a registry edit to fix the issue:
REG ADD "HKLM\software\policies\microsoft\windows nt\Terminal Services\Client" /v fClientDisableUDP /d 1 /t REG_DWORD
This is covered in more detail in another post.