Passing through firewalls

Basics

The VPN communication between the VPN client and VPN server is based on a combination of TCP and UDP transport:

Initiation: Whenever you (manually or through some automation) initiate a VPN connection to the Discoverer’s HPC IP infrastructure, your VPN client establishes HTTPS communication (TCP is the data carrier here) with port 443/tcp on 194.141.252.138. Your firewall must not drop that communication. Otherwise, the authentication and key-exchange processes will not take place.

Data transport: From the point of view of your router and firewall, the data transport over the VPN tunnel appears as two-way UDP communication between the IP address of your VPN client and port 4501/udp on 194.141.252.138. Your firewall must be configured not to drop those packets. Once the VPN tunnel is up, the VPN client starts checking if the other party is alive by sending one keep-alive message every 10 seconds.

Common problems

Most home routers for Internet access currently in use or on sale (unless they are deliberately configured to follow strict firewall rules) do not disrupt communication over the Global Protect protocol. It is very likely that your home router or mobile LTE/5G hotspot device allows establishing a VPN tunnel to the Discoverer’s HPC IP infrastructure straightforwardly. In case you cannot establish the tunnel (be sure you typed the correct username, password and VPN gateway IP address), you need to contact our support team, who will investigate the source of the problem and fix it (see Getting help).

In most academic networks, there are no general restrictions preventing VPN connectivity based on the Global Protect protocol. But if you travel to countries outside Europe and the US (China is a good example), you may not be able (both technically and legally) to establish a VPN connection to the Discoverer HPC infrastructure. Keep that in mind. Our technical staff cannot assist in bypassing aggressive packet filtering.

Another VPN client running on your computer might interfere. If that other client carries a VPN tunnel for general use (meaning your entire connection to the Internet goes through that tunnel), it might cause a problem.

IP collision can take place. Our VPN server propagates (pushes) routes to the following IPv4 private networks:

10.101.0.0/21
10.101.0.0/16
10.102.0.0/24
10.110.0.0/28
10.111.0.0/29
10.128.0.0/16
10.129.0.0/16
10.130.0.0/24
10.130.1.0/24

into the routing table of your workstation (desktop system). On certain occasions, those routes might collide fully or partially with routes to the same IPv4 networks advertised by your ISP. As a result, you will not be able to connect to the IP infrastructure of Discoverer HPC, and since your problem is outside our area of technical operations, we cannot fully avoid or resolve the collision by any means of remote support. You should try to resolve the collision yourself, by connecting your system to another network or by adjusting the routing table entries, in case you have the necessary skills. Note that it is rather unlikely to experience IPv4 collisions if your desktop is connected to a home network. That is because most home Internet routers on sale (or those provided by Internet service providers to end users on a contract) use the 192.168.0.0/16 network address block by default rather than any subdivision of 10.0.0.0/8. An IP address collision is likely to occur if your desktop system is connected (directly, or through another VPN tunnel) to a corporate or academic network.
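
The following check is an added example, not part of the original documentation or of any Discoverer tooling: it compares the pushed routes listed above against a workstation's existing routes and reports every full or partial overlap. It assumes Linux `ip -4 route show` output as input; the sample routing table and the function names are constructed for illustration.

```python
import ipaddress

# Routes pushed by the VPN server, copied from the list above.
PUSHED = ["10.101.0.0/21", "10.101.0.0/16", "10.102.0.0/24",
          "10.110.0.0/28", "10.111.0.0/29", "10.128.0.0/16",
          "10.129.0.0/16", "10.130.0.0/24", "10.130.1.0/24"]

# Constructed sample of `ip -4 route show` output (not from a real host).
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.101.4.0/24 dev eth0 proto kernel scope link src 10.101.4.17
10.128.0.0/16 via 10.101.4.1 dev eth0
172.16.0.0/12 via 10.101.4.1 dev eth0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""

def parse_routes(text):
    """Return destination prefixes from `ip -4 route show` style text."""
    nets = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "default":
            continue  # the default route is not a specific-prefix collision
        try:
            nets.append(ipaddress.ip_network(fields[0], strict=False))
        except ValueError:
            continue  # lines starting with a route type, e.g. "blackhole"
    return nets

def find_collisions(routes_text, pushed=PUSHED):
    """List (local, vpn, relation) for each local route overlapping a pushed one."""
    hits = []
    for local in parse_routes(routes_text):
        for vpn in map(ipaddress.ip_network, pushed):
            if not local.overlaps(vpn):
                continue
            if local == vpn:
                relation = "identical"
            elif local.subnet_of(vpn):
                relation = "local-inside-vpn"
            else:
                relation = "vpn-inside-local"
            hits.append((str(local), str(vpn), relation))
    return hits

if __name__ == "__main__":
    for local, vpn, relation in find_collisions(SAMPLE_ROUTES):
        print(f"{local} collides with pushed {vpn} ({relation})")
```

On a real workstation, pass the routing table captured before the VPN tunnel is brought up, so that the pushed routes themselves are not reported as collisions.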

Getting help

See Getting help