When establishing a TeamViewer VPN connection between two Windows 8.1 machines, Windows Firewall may block the VPN tunnel even when teamviewer.exe is allowed. This occurs because TeamViewer VPN uses additional ports and protocols beyond the main executable.
TeamViewer VPN typically uses these components:
- TCP port 5938 (primary TeamViewer connection)
- UDP port 5353 (Bonjour service discovery)
- TCP port 443 (fallback HTTPS connection)
- IP protocol 47 (GRE - Generic Routing Encapsulation)
Here's how to create the necessary inbound rules using PowerShell (run as Administrator):
```powershell
# Allow TeamViewer VPN TCP traffic
New-NetFirewallRule -DisplayName "TeamViewer VPN TCP" -Direction Inbound -Program "C:\Program Files (x86)\TeamViewer\TeamViewer.exe" -Protocol TCP -LocalPort 5938,443 -Action Allow
# Allow TeamViewer VPN UDP traffic
New-NetFirewallRule -DisplayName "TeamViewer VPN UDP" -Direction Inbound -Program "C:\Program Files (x86)\TeamViewer\TeamViewer.exe" -Protocol UDP -LocalPort 5353 -Action Allow
# Allow GRE protocol
New-NetFirewallRule -DisplayName "TeamViewer VPN GRE" -Direction Inbound -Protocol 47 -Action Allow
```
To verify your rules are properly configured:
- Check Windows Defender Firewall with Advanced Security
- Look under Inbound Rules for the rules you created
- Ensure they're enabled and set to "Allow the connection"
If you prefer the graphical interface:
- Open Windows Defender Firewall
- Go to "Advanced settings"
- Create new Inbound Rules for each protocol/port combination
- Specify "All programs" or browse to TeamViewer.exe
If the connection is still blocked:
- Ensure identical rules exist on both machines
- Check for conflicting third-party firewalls
- Verify TeamViewer version compatibility (9.x may need updates)
- Test with Windows Firewall logging enabled for detailed blocking information
When attempting to establish a TeamViewer VPN connection between Windows 8.1 machines, Windows Firewall may block the VPN tunnel even when TeamViewer.exe has been explicitly allowed. This occurs because VPN functionality requires additional network-level permissions beyond the basic application exception.
You'll need to create inbound and outbound rules for the following protocols and ports:
1. TCP Port 5938 (TeamViewer's default VPN port)
2. UDP Port 5938
3. ICMP (for ping/troubleshooting)
4. SMB Ports 445/139 if file sharing is needed
Create the rules through Windows Firewall with Advanced Security:
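```powershell
# PowerShell script to create firewall rules
# These are inbound rules; the outbound counterparts use -Direction Outbound.
New-NetFirewallRule -DisplayName "TeamViewer VPN TCP" -Direction Inbound -Protocol TCP -LocalPort 5938 -Action Allow
New-NetFirewallRule -DisplayName "TeamViewer VPN UDP" -Direction Inbound -Protocol UDP -LocalPort 5938 -Action Allow
# ICMPv4 type 8 is echo request (ping); Inbound is the default direction, stated here explicitly.
New-NetFirewallRule -DisplayName "TeamViewer VPN ICMP" -Direction Inbound -Protocol ICMPv4 -IcmpType 8 -Action Allow
```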
After applying these rules:
- Test the VPN connection while keeping firewall active
- Check Windows Firewall logs for blocked packets
- Verify network connectivity using:
```powershell
# Replace <remote_IP> with the address of the other machine
Test-NetConnection -ComputerName "<remote_IP>" -Port 5938
```
If issues persist, consider these additional measures:
- Enable firewall logging to identify blocked traffic patterns
- Check for conflicting third-party security software
- Verify network profile settings (Domain/Private/Public)
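The firewall log shows which protocol and port are actually being dropped, so new rules can be limited to that traffic. The following is an added example, not code from the original page: it enables drop logging and summarises dropped packets for one peer by protocol, destination port and direction. The log path is the Windows default, `Get-FirewallDrop` is a hypothetical helper name, and the sample log lines and 192.0.2.x addresses are constructed.

```powershell
# Added example, not from the original page. Run in an elevated session.
# Assumption: default log path; Group Policy may set a different one.
$logPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

# Log dropped packets on every profile.
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True `
    -LogFileName $logPath -LogMaxSizeKilobytes 4096

# Get-FirewallDrop (hypothetical helper name) parses pfirewall.log lines and
# returns only the DROP records that involve the given peer address.
function Get-FirewallDrop {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string[]]$Line,
        [string]$RemoteIP
    )
    $fields = @()
    foreach ($l in $Line) {
        # The "#Fields:" header names the columns of the records that follow.
        if ($l -match '^#Fields:\s*(.+)$') { $fields = $Matches[1].Trim() -split '\s+'; continue }
        if ($l -match '^\s*(#|$)' -or $fields.Count -eq 0) { continue }
        $v = $l.Trim() -split '\s+'
        if ($v.Count -lt $fields.Count) { continue }   # skip truncated lines
        $rec = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $v[$i] }
        if ($rec['action'] -ne 'DROP') { continue }
        if ($RemoteIP -and $RemoteIP -notin $rec['src-ip'], $rec['dst-ip']) { continue }
        [pscustomobject]$rec
    }
}

# Constructed sample in pfirewall.log format (documentation-range addresses).
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2015-03-02 10:15:31 ALLOW TCP 192.0.2.10 192.0.2.20 49812 5938 0 - 0 0 0 - - - RECEIVE
2015-03-02 10:15:40 DROP ICMP 192.0.2.10 192.0.2.20 - - 60 - - - - 8 0 - RECEIVE
2015-03-02 10:15:44 DROP TCP 192.0.2.10 192.0.2.20 49830 445 52 S 2412883301 0 8192 - - - RECEIVE
2015-03-02 10:15:47 DROP TCP 192.0.2.10 192.0.2.20 49830 445 52 S 2412883301 0 8192 - - - RECEIVE
'@ -split "`r?`n"

# On a live system, pass (Get-Content $logPath) instead of $sample after a failed attempt.
Get-FirewallDrop -Line $sample -RemoteIP '192.0.2.10' |
    Group-Object -Property protocol, 'dst-port', path |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Each group in the output is one protocol, port and direction combination that was dropped for that peer, which is the evidence to check before adding or widening an allow rule.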
For corporate environments, you might need to create connection security rules:
```powershell
New-NetIPsecRule -DisplayName "TeamViewer VPN" -LocalAddress Any -RemoteAddress Any -LocalPort 5938 -RemotePort Any -Protocol TCP -InboundSecurity Require -OutboundSecurity Request
```