Networking VPN expert out there? Should Remote VPN “Client” be pingable/reachable FROM the VPN server?

I’ve set up VPN connections with different servers today and all worked, in one direction, from VPN client TO VPN SERVER.

BUT I could NOT, whatever I tried, access ports/services on my ‘connected’ VPN client’s VPN-given IP address FROM the VPN SERVER.

In all cases I used Windows Native Client on my Windows 7 PC and I tried various VPN connections to various servers. I tried connecting to a couple different IPSEC L2TP vpn servers and also an SSTP VPN server.

I could access the VPN SERVER and its network from the VPN CLIENT side, but I could never access the VPN client’s VPN-given IP from the VPN server side, neither with IPSEC L2TP nor with SSTP, regardless of all the routing tricks I tried.
( see VPN SSTP windows client can not ping or connect to VPN server but it can talk to every other PC on the local LAN that VPN server is on )

THE QUESTION:

IS this a PURPOSEFULLY set limitation on native Windows VPN client to protect VPN users? After banging my head all day I came to this conclusion since I was not able to load website or even PING my VPN CLIENT from the VPN SERVER. The other way works fine. My conclusion was that I have to do a Site-to-Site type VPN connection to have 2-way connection between my Windows PC VPN client and the remote vpn server.
I assume if what I was trying to do did work, then a lot of VPN users of FREE VPN services could be compromised/hacked/exposed etc so I figured for security reasons it does not allow communication to the VPN client initiated from vpnserver.

BUT after reading this:
https://social.technet.microsoft.com/Forums/en-US/1da6fbe1-5263-4097-b87c-6a58afdd15f8/sstp-vpn-back-connections-possible-?forum=forefrontedgeiag

It’s claimed there that you CAN connect TO VPN CLIENT from the server? So now I’d like a definitive answer from some networks guru.

So I’ve just edited this question now to be more specific that I’m only concerned with built-in native Windows VPN client. So, is it possible for a VPNServer administrator to ‘initiate’ connection and connect to ports on a connected windows VPN client machine? (the VPNserver can be IPsec L2TP or SSTP but client has to be non-server Windows version (Windows 7 Home Premium) using its built-in native Windows VPN client).

Answer

Basically, a VPN-connected client appears as a “normal” network node, so it should be pingable/reachable.

That said, it really depends on the IPSec policies installed during client/server negotiation. If client/server negotiate a bi-directional policy (and no NAT is applied), the client will be visible.

For example, I had similar configs both with a Safenet/Juniper (software client/hardware firewall) and an OpenVPN/OpenVPN (client/server) setup. In the first case (Safenet->Juniper), a bidirectional policy had to be explicitly configured. In the second case (OpenVPN/OpenVPN), it was somewhat implicit due to how OpenVPN works, as it installs a virtual tun/tap interface (note that I had to configure the appropriate routes, but this is another story).

In the end: it really depends on what you use as VPN server and its configuration.
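A server-side check for the routing part of this answer, added here as an example (not code from the question or the answer). It assumes a Linux VPN server with a tun interface, as in the OpenVPN setup above, and parses `ip route get <client ip>` to confirm the route to the client's tunnel address actually leaves via the tunnel interface; the sample outputs are constructed.

```python
import subprocess
import sys

# Constructed samples of `ip route get 10.8.0.6` on a server with tun0 (not captured from a real host).
SAMPLE_ROUTE_OK = "10.8.0.6 dev tun0 src 10.8.0.1 uid 0\n    cache\n"
SAMPLE_ROUTE_WRONG_IF = "10.8.0.6 via 192.168.1.1 dev eth0 src 192.168.1.10 uid 0\n    cache\n"


def parse_route_get(output):
    """Parse the first line of `ip route get` into its dst/dev/via/src fields."""
    first = output.strip().splitlines()[0].split()
    info = {"dst": first[0]}
    for key in ("dev", "via", "src"):
        if key in first:
            info[key] = first[first.index(key) + 1]
    return info


def route_findings(output, client_ip, tunnel_if):
    """Reasons the server's route would not carry traffic to client_ip over tunnel_if; empty list = route looks right."""
    if not output.strip():  # `ip route get` prints nothing on stdout when the destination is unreachable
        return ["no route to %s" % client_ip]
    findings = []
    info = parse_route_get(output)
    if info["dst"] != client_ip:
        findings.append("route lookup returned %s, not %s" % (info["dst"], client_ip))
    if info.get("dev") != tunnel_if:
        findings.append("route leaves via %s instead of %s (missing tunnel route)" % (info.get("dev"), tunnel_if))
    if "via" in info:
        findings.append("route has a gateway %s; tunnel routes are normally direct" % info["via"])
    return findings


def live_check(client_ip, tunnel_if="tun0"):
    """Run the real lookup and a single ping; a host firewall on the client can still drop the echo request."""
    route = subprocess.run(["ip", "route", "get", client_ip], capture_output=True, text=True).stdout
    findings = route_findings(route, client_ip, tunnel_if)
    ping = subprocess.run(["ping", "-c", "1", "-W", "1", client_ip], capture_output=True)
    if ping.returncode != 0:
        findings.append("no ICMP echo reply from %s" % client_ip)
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: python check_client_route.py <client tunnel ip> [tunnel interface]
        print("\n".join(live_check(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "tun0")) or "route and ping OK")
    else:  # offline demonstration on the constructed samples
        print(route_findings(SAMPLE_ROUTE_OK, "10.8.0.6", "tun0"))
        print(route_findings(SAMPLE_ROUTE_WRONG_IF, "10.8.0.6", "tun0"))
```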

Attribution
Source: Link, Question Author: htfree, Answer Author: shodanshok
