How to force program to use OpenVPN only (Windows firewall, Comodo)



Fli
03-04-2017, 10:33 AM
Hello,

When one wants to block a program from connecting to internet servers directly (bypassing OpenVPN), how does one do it in Windows 7/8/10? (If you have Linux, check here (https://internetlifeforum.com/security/8687-how-setup-vpn-openvpn-prevent-ip-leak-non-vpn-connections-linux-gufw/).)

OPTION 1 (blocking only particular programs from bypassing OpenVPN)

I hope I found the way to block some program's .exe connections when the VPN is down; here is how:

1) click the Windows icon in the taskbar to open the start menu
2) start typing: firewall
3) click on the Windows Firewall application
4) click on the "Outgoing rules" kind of entry
5) add a New rule for the
a) program
b) select the path to the .exe which you want to block if it connects outside OpenVPN
c) select to "Allow/permit" the connection (irrational, we change it later)
d) keep all profiles selected (private, domain, public)
e) name the rule somehow, for example: Block non-VPN connections of the application XY.exe
6) double-click the rule you just created to edit it
7) as the Action, select Block instead of Allow
8) on the tab called something like Area, there is the list of local IPs and remote IPs. Add a new local IP: 192.168.0.0/16
9) save the rule and it should have a blocking icon

OVPN is using something like 10.8.0.2, not 192.168.*.*.

When you disconnect OpenVPN, that program should no longer have internet access. Some programs consist of multiple .exe files; the .exe file used for launching may not be the one that is doing the internet connections, for example openvpn-gui.exe/openvpn.exe.

A different way to create a Windows firewall rule to prevent IP leaks (allow a program to communicate only via the VPN) is this tutorial: https://support.hidemyass.com/hc/en-us/articles/202723616-IP-Binding-via-Windows-Firewall-block-non-VPN-traffic (it is really nice, with images, and it worked).

OPTION 2 (blocking all non-system apps from bypassing OpenVPN) via Windows Firewall
* "non-system" means that my web browsers and other apps were unable to connect to the internet, but a system tool like "tracert 8.8.8.8" was able to...

Right-click the Network tray icon and go to the Center of the network connections. There we want to change the main network adapter (in my case MyWifiName - Ethernet 1) to be a "Private network" instead of a "Public network". To do so, find "Home group" on that page (I had it at the bottom of the right sidebar, or find it in Control Panel/Network). There click the option to Change advanced sharing settings, and Allow sharing/discovery. Now refresh the Center of network connections. In my case Ethernet changed from public to private. Good.

Now open the Firewall by keyboard shortcut: Win+R, type: wf.msc and Run it. It will open the Windows Firewall settings. Here I find the option to export the current rules to a file so I can restore them if something goes wrong. Then I click the option to restore the default rules. It will erase all custom rules, and then I will create only one "Outgoing" type of firewall rule for the OpenVPN application, which will become the only software allowed to connect. So when adding the new outgoing rule, set it like this: the rule type is program/software, select the openvpn.exe file (located in the OpenVPN folder under C:/Program Files), select the action "Allow" and select all networks (public, private, ...), and name it somehow. Then in the firewall, switch from the Outgoing rules section to the parent section, which looks similar to this:

[attachment 348: screenshot]

And set it like that: Domain profile in/out disallow, Private profile in/out disallow, Public profile: in disallow and out allow
(when setting that, adjust "Protected network connections" and untick the TAP kind of adapter:)

[attachment 349: screenshot]

Then I can see that I can access the internet while the VPN is running, and I cannot access it when the VPN is off. One may also try ping from the command line: Win+R, cmd, then in the terminal run: ping 8.8.8.8 to verify if the internet connection is allowed or not. tracert 8.8.8.8 works, and so system apps can connect to the internet directly :-/ (if anyone knows a workaround, please kindly share).

Important: when Windows pops up a firewall window asking to add some program into the Firewall, make sure you never grant this program access via private networks unless you want this program to bypass OpenVPN and connect directly if the VPN is down.

OPTION 3 (blocking everything from bypassing OpenVPN) via Comodo Internet Security Firewall (https://www.comodo.com/home/internet-security/free-internet-security.php)

"
Comodo Firewall -> Firewall -> Network Security Policy -> Global Rules -> Add

Action: Block
Protocol: IP
Direction: In/Out
Source Address: Network Zone - (Your Internet Access zone, e.g. home #1)
Destination Address: Exclude - IPv4 Single Address - Enter the address of the server
"

------------------

Here is a VPN kill switch tutorial made by someone else; I have NOT verified whether it works. It is using the Comodo firewall too:

If you're not sure if your VPN provider's client uses the TAP adapter, you can do the following: open a command prompt and type "ipconfig /all" without quotes!
This will show you which adapters are installed; search for TAP-Windows Adapter.

Once you have found the specified adapter, you will need to write down the MAC address; where it states "Physical Address" is where the MAC address is.
For example, 00-FF-XX-XX-XX-XX.
It is important you write down the MAC address of the right adapter!

Part 2. Configuring the KillSwitch.
The first thing we will do is right-click the Comodo icon in the taskbar and select "Advanced View"; after that go to: Firewall > Network Zones.

Now we're going to add a new network zone; to do this, click on the "Add" button.
And click on "New Network Zone", name your new network zone and click "OK".
Select your created network zone, right-click and select Add and New Address.
Click the dropdown menu, select "MAC Address" and enter the MAC address from Part 1.

After that we are going to make a ruleset; navigate to: Firewall > Rulesets.
Click the "Add" button, name it and click on the "Add" button.
Now a window will pop up with a few options; apply the following options:

For "Action" from the dropdown we're going to select "Block"
For "Protocol" we will select "IP"
For "Direction" select "In or Out"
For "Type" (under the Source Address tab) we will select "Any Address"
For "Type" (under the Destination Address tab) select "Any Address"

For the next rule the settings will be as follows:
For "Action" from the dropdown we're going to select "Allow"
For "Protocol" we will select "IP"
For "Direction" select "Out"
For "Type" (under the Source Address tab) we will select "Network Zone"
And then select the network zone you created earlier.
For "Type" (under the Destination Address tab) select "Any Address"

And for the last rule we will use these settings:
For "Action" from the dropdown we're going to select "Allow"
For "Protocol" we will select "IP"
For "Direction" select "In"
For "Type" (under the Source Address tab) select "Any Address"
For "Type" (under the Destination Address tab) we will select "Network Zone"
And then select the network zone you created earlier.
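The Windows Firewall part of Option 1 and Option 2 above, scripted with the built-in NetSecurity cmdlets, as an added example that is not part of the original post. The program path, rule names and the TAP adapter description are assumptions to adjust; it must run from an elevated PowerShell on Windows 8 or later (Windows 7 has no NetSecurity module, so netsh advfirewall would be used there).

```powershell
# Added example (not from the post): kill-switch rules for Windows Firewall.
# Assumed values: adjust the program path, rule names and adapter description.
$App        = 'C:\Program Files\XY\XY.exe'                # program that must use the tunnel
$OpenVpnExe = 'C:\Program Files\OpenVPN\bin\openvpn.exe'  # OpenVPN itself must reach the server
$LanRange   = '192.168.0.0/16'                             # LAN source range; the tunnel uses 10.8.0.x

# OPTION 1: block the program's outbound traffic only when it is sourced from the LAN address.
# Traffic sourced from the TAP address (e.g. 10.8.0.2) does not match this rule and still flows.
New-NetFirewallRule -DisplayName 'Block non-VPN connections of XY.exe' `
    -Direction Outbound -Program $App -Action Block `
    -LocalAddress $LanRange -Profile Domain,Private,Public -Enabled True | Out-Null

# OPTION 2: default-deny on every profile except Public outbound, allow openvpn.exe explicitly,
# and exempt the TAP adapter from the firewall (the "Protected network connections" tickbox).
New-NetFirewallRule -DisplayName 'Allow OpenVPN' -Direction Outbound `
    -Program $OpenVpnExe -Action Allow -Profile Any -Enabled True | Out-Null

Set-NetFirewallProfile -Profile Domain,Private -DefaultInboundAction Block -DefaultOutboundAction Block
Set-NetFirewallProfile -Profile Public -DefaultInboundAction Block -DefaultOutboundAction Allow

# Assumed adapter description; OpenVPN's TAP driver normally reports 'TAP-Windows Adapter V9'.
$tap = (Get-NetAdapter -InterfaceDescription 'TAP-Windows Adapter*' -ErrorAction SilentlyContinue).Name
if ($tap) {
    Set-NetFirewallProfile -Profile Domain,Private,Public -DisabledInterfaceAliases $tap
} else {
    Write-Warning 'TAP adapter not found; untick it manually under Protected network connections.'
}

# Check that the Option 1 rule really carries the LAN-only scope before trusting it.
Get-NetFirewallRule -DisplayName 'Block non-VPN connections of XY.exe' |
    Get-NetFirewallAddressFilter | Select-Object LocalAddress, RemoteAddress

function Test-VpnLeak {
    # Same idea as the post's "ping 8.8.8.8" check, but over TCP/53 so it exercises a normal
    # socket rather than ICMP, which built-in tools (tracert) may still be allowed to send.
    # $true with the VPN disconnected means Option 2 is not blocking this shell's traffic.
    (Test-NetConnection -ComputerName 8.8.8.8 -Port 53 -WarningAction SilentlyContinue).TcpTestSucceeded
}
Test-VpnLeak
```

Run Test-VpnLeak once with the VPN up (expect True) and once with it down (expect False); the Option 1 rule is program-scoped, so it is only exercised by running XY.exe itself.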