Windscribe/Desktop-App

Guinea_pig v2.9.3 issue with firewall

wellloaded opened this issue · 10 comments

On v2.9.3 I'm connecting via custom .ovpn (Ivacy).
I have specified teamviewer in the list of exclusive split tunneling applications (so I don't want this to ever use the tunnel).

If I'm connected and the firewall is set to "on", the teamviewer tray icon complains of no Internet connectivity.

As soon as I disable the firewall teamviewer removes the red mark on the tray icon and appears to be connected fine.

If I re-enable the firewall teamviewer goes back in error:

If the VPN is disconnected with firewall on teamviewer doesn't work

Disconnected with firewall off teamviewer works.

So it seems like the firewall doesn't take into account the split tunneling information.

I think the expected behavior is:

  • The split tunneling exclusive configuration (IPs and Apps) should always be added as an exception from the firewall as well regardless of the WS client being connected or not.

Can this be fixed please?
Thanks

Is it possible there is another TeamViewer support exe that also needs to be excluded? Or is this a regression and TeamViewer worked fine in a previous release?

I can't tell you for certain. Because of this other issue I reported:
#96
I had the firewall off for a long time.

So despite issue #96 still being relevant I regardless wanted to secure up things and this issue was noticed.
BTW this is not teamviewer support, it's the proper teamviewer installation.
In the c:\program files\Teamviewer\ there are other .exe apart from teamviewer.exe like teamviewer_desktop.exe, teamviewer_note.exe, teamviewer_service.exe, tv_x64.exe, etc. That said, when I go in WS and I select the app, as soon as I type "Te" the Teamviewer.exe is appearing for me.

I also looked around I can't spot any other teamviewer.exe on this system, not even a portable one.

I can also confirm the second split tunneling (excluded) app I have, pcloud, behaves exactly the same.

Firewall on:

Firewall off:

This would also explain issue #96 I suppose.

@wellloaded Hi there. I'm the QA guy here at Windscribe who works with the desktop app. I've been unable to reproduce your issue with teamviewer so far. I've split tunneled teamviewer.exe out and have verified that teamviewer is able to receive/send connections out and shows online while connected with the firewall enabled.

Do you happen to have any other firewall products installed on your machine that might attempt to override WFP rules?


Not that I'm aware of. I don't usually install random software and my app list is pretty limited.
That said is there any powershell output I can provide you to be able to troubleshoot this issue?

Any progression please?

There's not a lot we can do here given that we cannot reproduce the issue. Things you can try that may aid us in helping you are:

  1. Does it work in a particular older version of the software, so we can pinpoint where we broke it.
  2. If no to question 1, does split tunneling TeamViewer work if you use a regular OpenVPN (UDP) connection (i.e. remove your custom config from the equation so we know if it is the cause or not).
  3. If no to question 2, does split tunneling TeamViewer work if you use a regular OpenVPN connection (no custom config) on physical hardware rather than in a VM?

Thanks! This issue (first noticed with magnet links) was reported a long time ago so as far as I'm concerned it has always been there. May be introduced by a guinea_pig release as I like to test the alpha/beta perhaps something was left behind?

  1. I can't confirm for certain but this issue has been there for as long as I remember

  2. I'm unsure what you mean by "regular" OpenVPN. As far as I can tell the Ivacy .ovpn I'm using is pretty standard and using the official OpenVPN client it connects with no issues/warning. The official OpenVPN though doesn't support split tunneling hence I can't compare fully.

  3. I can confirm teamviewer reports inaccessible when the firewall is on and I'm connected to a Windscribe internal site (best location). As soon as I enable the firewall the red mark appears on the teamviewer tray icon. To be fair I don't know what to look at any more but the fact that this happens as soon as the Windscribe firewall is enabled it does suggest an issue with the WSClient specifically.

As suggested above if you have any powershell command you want me to run before and after the firewall has been enabled I would be happy to do so and report back.

As with the magnet links issue, it and this issue are tough ones for us to troubleshoot when we cannot replicate the behavior in-house. We cannot think of any powershell commands that would assist here. The only thing we can suggest doing would be similar to how we would troubleshoot this if we were able to replicate it here:

  1. Start with a clean native machine or VM (i.e. Windscribe hasn't been installed on it so we know we're in a clean state wrt settings).
  2. Install the latest Windscribe app.
  3. When the app launches, confirm you can connect using the UDP protocol to one of our locations (e.g. best location). Do NOT change any of the default settings other than setting the Connection Mode to Manual and selecting the UDP protocol.
  4. Disconnect and add your split tunnel setup for Team Viewer ONLY. Again, don't change any other settings and only attempt to split tunnel Team Viewer.
  5. Connect and check if Team Viewer has connectivity. Verify if Team Viewer has connectivity even if the tray icon states otherwise.
  6. Assuming Team Viewer has connectivity, you can do the following:
    • Disconnect
    • Make ONE settings change to get you closer to your day-to-day setup.
    • Connect and verify Team Viewer connectivity.
    • Repeat this process until you encounter a settings change that breaks Team Viewer connectivity.

Thank you for the support. I did some digging on my side in the meantime.

Using my laptop (standalone win11 machine) I discovered the very same issue on teamviewer. The solution was to:

  • remove teamviewer.exe (this was picked up manually and didn't appear in the list of installed apps)
  • add teamviewer_service.exe

This works! On both internal server and custom .ovpn.

I still think you "could" suggest teamviewer and point it to teamviewer_service.exe in the split tunneling list of apps. It might be that teamviewer.exe is relevant if teamviewer is not running as a service (e.g. only app so generating traffic only when the app is open), still since it's a crucial remote admin tool pretty popular you could cover the exception I suppose? Just an idea.

I'm closing this and will continue the magnet link issue on the relevant #96 page
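
The fix reported above came down to which TeamViewer executable actually owns the network sockets. As an added example (not from the thread or from Windscribe), this PowerShell lists every running executable under the install folder quoted above together with the TCP connections and UDP endpoints it owns; the variable names are illustrative, and it is assumed to run in an elevated session so service processes report their path.

```powershell
# Added example: find which executables under a folder own network sockets,
# i.e. which binary needs to be on the split tunneling exclusion list.
# Folder as quoted in the thread; change it for other apps (e.g. pCloud).
$InstallDir = 'C:\Program Files\TeamViewer'

# Map PID -> executable path for every process whose image is under $InstallDir.
$procs = @{}
Get-CimInstance -ClassName Win32_Process |
    Where-Object {
        $_.ExecutablePath -and
        $_.ExecutablePath.StartsWith($InstallDir, [StringComparison]::OrdinalIgnoreCase)
    } |
    ForEach-Object { $procs[[int]$_.ProcessId] = $_.ExecutablePath }

# TCP connections owned by those PIDs.
$tcp = @(Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $procs.ContainsKey([int]$_.OwningProcess) } |
    Select-Object @{n='Proto';e={'TCP'}}, OwningProcess, LocalPort,
        RemoteAddress, RemotePort)

# UDP endpoints owned by those PIDs (UDP has no remote side to report).
$udp = @(Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
    Where-Object { $procs.ContainsKey([int]$_.OwningProcess) } |
    Select-Object @{n='Proto';e={'UDP'}}, OwningProcess, LocalPort,
        @{n='RemoteAddress';e={'-'}}, @{n='RemotePort';e={'-'}})

$sockets = $tcp + $udp

# One row per executable, including those that own no sockets at all.
$report = foreach ($procId in $procs.Keys) {
    $own = @($sockets | Where-Object { $_.OwningProcess -eq $procId })
    $remote = $own |
        Where-Object { $_.RemoteAddress -notin '-', '0.0.0.0', '::' } |
        ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" } |
        Sort-Object -Unique
    [pscustomobject]@{
        Executable = Split-Path -Path $procs[$procId] -Leaf
        PID        = $procId
        Sockets    = $own.Count
        Remote     = $remote -join ', '
    }
}

$report | Sort-Object Sockets -Descending | Format-Table -AutoSize
```

An executable that shows a non-zero socket count with remote addresses is the one generating the traffic the firewall sees; an executable with zero sockets has no effect when it is the only one excluded.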