I'm trying to block NordVPN on WatchGuard (OS v12.7.2).
On "Application Control" I allowed access to NordVPN but it keeps blocking me from using this VPN
I looked for other possible solutions but couldn't find anything
Thks to all
You need to look a Traffic Monitor to see what is being denied.
NordVPN has at least 3 different connection methods: OpenVPN (TCP & UDP) and NordLynx.
Nord using OpenVPN (UDP) uses UDP ports 1194, 1231-1234
On the internet, I see this - NordVPN needs these open: 443 TCP and 1194 UDP
No idea what NordLynx needs. You can contact NordVPN to find out.
To change the connection method -
gear icon -> auto-connect -> choose a VPN protocol
As far as I can tell, NordLynx is basically the Wireguard VPN protocol, which appears to use udp/51820 by default but not sure if that's what NordVPN uses.
That said, some of the public VPN providers do have their servers listening on alternate ports so one would have to check the logs to see what port it eventually connects to (assuming you're trying to block it).
eg. udp/443 is also used by the QUIC protocol, but if the NordVPN server will accept connections on this port, the default application control definitions may or may not see this.
It may require a support call to WatchGuard and submission of a packet capture if the NordVPN application control definition needs updating (or a new one included).
I see UDP 51820 being blocked in my firewall logs when I select NordLynx.
I just allowed UDP 51820 and NordLynx now connects.
this is the log
2022-03-04 08:57:27 Deny 192.168.X.XXX 126.96.36.199 https/udp 53503 443 AXXXXXXXXa Fibra-XXX ProxyDrop: HTTPS timeout (HTTPS-TCP-UDP-Proxy.OUT-00) proc_id="https-proxy" rc="594" msg_id="2CFF-0008" geo_dst="USA" Traffic
2022-03-04 08:57:27 Deny 192.168.3.64 188.8.131.52 https/udp 51711 443 AXXXXXXXXa Fibra-XXX ProxyDrop: HTTPS timeout (HTTPS-TCP-UDP-Proxy.OUT-00) proc_id="https-proxy" rc="594" msg_id="2CFF-0008" geo_dst="USA" Traffic
HTTPS timeout means that the other end did not respond within the timeout period.
No idea why. I don't see this in my logs.
Looking carefully at that log output, it says it is "https/udp" and port 443, so it is sharing the same port as QUIC traffic, and is going via the "https-proxy" rule in this case.
Those two destination IP addresses show up as Google destinations in whois output - I'm not sure what infrastructure NordVPN uses but double-check what the NordVPN client is setup to use if possible.
As a test if you put in a packet filter rule matching the VPN traffic to the NordVPN endpoint before that proxy rule, you would expect to see a match in the logs (assuming you turn logging on).
I block QUIC, so I’m not seeing that for Nord allowed traffic