
I want to ensure that when the VPN connection on my computer drops, no app or service on my system should be allowed to access the internet. Basically what I am trying to do here is to ensure that any apps on my system should be able to access the internet only through the VPN and just get timed-out if the VPN connection does get dropped for any reason.

I specifically want to achieve this only through the use of firewall rules on the Windows Firewall without the use of any third party apps.

I read somewhere a long time ago that there is a technique called "black-holing" to achieve this, but I could not find any detailed info on the internet that explains how to achieve this by setting rules in the Windows Firewall.

EDIT:

I have been trying to configure my system according to the suggestions given by @Appleoddity and Binarus but with no success so far.

I have edited my question to make it clearer.

As long as no third-party kill-switch/VPN Client/Software needs to be installed, I am fine.

I want to know as to how to ensure that a particular app (a bit-torrent client for example) can be prevented from accessing the internet at all if the VPN connection drops for any reason whatsoever.

Here I want to mention that the VPN client that I am using is the native Windows 7 VPN client and that the IP address of the VPN server that I would be connecting to (through L2TP, SSTP or even PPTP) will always be unchanged. I am on a wired LAN connection that's connected to the router (no need to dial up).

When I am connected to the VPN, the server would always be 65.23.78.56 (for example). In other words, the IP will not change each time I connect to the VPN but stays static. That would make things a lot easier for us to configure, I believe.

I do not want to use the VPN client offered by my VPN provider, and so once again, this should make what I am asking more specific.

I am asking for a very specific answer describing what exactly needs to be done to ensure that the internet access to the system immediately gets killed, the moment the VPN drops, without exposing my real IP to the outside.

I am OK if the connection times out, as long as my IP is not leaked out.

In other words, I am looking for the configurations for an internet "kill-switch" that would ensure 100% that my apps would not access the internet using my real IP, should my VPN connection drop.

Thank you for the answers so far.

2 Answers


I am not sure if @Appleoddity is completely right in that it can't be done using the Windows Firewall. Please note that the following description is for Windows 7 Pro, and that I don't know Windows 10, but the general idea should work on every Windows version.

If you double-click a firewall rule in the management console for the "Windows Firewall with advanced security", a dialog box opens where you can look at (and set) the rule's properties. In that dialog, select the tab "Advanced" and then press the button "Customize" in the section "Interface types". Now you can choose the interface types the rule should be applied to.

There are three interface types. The following is from the help file:

Local area network: The rule applies only to communications sent through wired local area network (LAN) connections that you have configured on the computer.

Remote access: The rule applies only to communications sent through remote access, such as a virtual private network (VPN) connection or dial-up connection that you have configured on the computer.

Wireless: The rule applies only to communications sent through wireless network adapters that you have configured on the computer.

So if you want to achieve your goal using only firewall rules, you probably could (in that order, every step only for the rules which relate to internet (i.e. not internal LAN) traffic):

  • Delete outbound rules
  • Create an outbound rule which blocks all traffic for "Wireless" and "Local area network" interface types
  • Create an outbound rule which allows all traffic for "Remote access" interface types

Do a similar process for inbound traffic.

Please note that I didn't try this yet (and can't at the moment). But if your VPN client acts so that Windows actually recognizes that connection as a VPN connection, the method above should work.

Having said this, I agree with @Appleoddity in that this is not a good method and that you should try to achieve your goal another way.

  • Could you please take a look at my answer and see if you can be more specific if possible? Thanks a lot for your effort so far.
    – PeterG
    Commented Mar 16, 2018 at 1:35
  • @PeterG I have read your EDIT, but I still believe that my answer would be sufficient. There is probably only one more thing to mention: Originally, you have asked: "...no app or service on my system should be allowed to access the internet...". In your edit, you are talking about specific applications. So an additional hint is: Using the normal firewall management dialogs, you can create rules that apply to specific applications. So you could use the method I have described, but apply every rule only to the application you are interested in.
    – Binarus
    Commented Mar 16, 2018 at 7:14
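As an added example (not code from Binarus's answer or from the original page), here is the interface-type scheme above expressed as the netsh advfirewall commands that the "Windows Firewall with Advanced Security" console drives underneath, typed from an elevated PowerShell prompt on Windows 7. It departs from the literal three steps in one respect: in Windows Firewall a block rule always wins over an allow rule, so a "block everything on LAN" rule would also block the tunnel-setup packets to the VPN server on that same LAN interface. The workable form of the idea is therefore a default-deny outbound policy plus narrow allow rules (the fixed VPN server on the physical NIC, and everything on the "Remote access" interface), with extra block rules for DNS and the torrent client as belt-and-braces. Assumed values: the server address is the question's example 65.23.78.56, the torrent client path is hypothetical, the NIC is wired (interfacetype=lan) as the question says, and the rule names are my own.

```powershell
# Added example, not from the original post: default-deny outbound "kill switch" for the
# built-in Windows 7 VPN client, built only from Windows Firewall rules via netsh advfirewall.
# Run from an elevated PowerShell prompt.
$VpnServer  = '65.23.78.56'                                   # example address from the question
$TorrentExe = 'C:\Program Files\qBittorrent\qbittorrent.exe'  # hypothetical path

function Add-KillSwitchRule {
    param([string]$Name, [string]$Action, [string[]]$Match)
    $rule = "name=VPN-KillSwitch-$Name"
    # Delete any previous copy so the script can be re-run; netsh just reports
    # "No rules match" when there is nothing to delete.
    netsh advfirewall firewall delete rule $rule | Out-Null
    netsh advfirewall firewall add rule $rule dir=out "action=$Action" $Match | Out-Null
}

function Install-KillSwitch {
    # 1. Keep a copy of the current policy; roll back with 'netsh advfirewall import <file>'.
    netsh advfirewall export "$env:USERPROFILE\wfas-before-killswitch.wfw" | Out-Null

    # 2. Default-deny outbound on every profile. Anything without an allow rule below
    #    (i.e. every app on the physical NIC once the tunnel is gone) simply times out.
    netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound | Out-Null

    # 3. Let the tunnel itself reach the fixed VPN server over the wired NIC.
    #    Only the entries for the tunnel type actually in use are needed.
    $tunnels = @(
        @{ Name = 'L2TP-IKE'; Match = @('protocol=udp', 'remoteport=500,4500') },  # IKE and NAT-T
        @{ Name = 'L2TP-ESP'; Match = @('protocol=50') },                          # ESP when no NAT-T
        @{ Name = 'SSTP';     Match = @('protocol=tcp', 'remoteport=443') },
        @{ Name = 'PPTP-TCP'; Match = @('protocol=tcp', 'remoteport=1723') },
        @{ Name = 'PPTP-GRE'; Match = @('protocol=47') }
    )
    foreach ($t in $tunnels) {
        Add-KillSwitchRule -Name "Tunnel-$($t.Name)" -Action allow `
            -Match (@("remoteip=$VpnServer", 'interfacetype=lan') + $t.Match)
    }

    # 4. Everything is allowed on the "Remote access" (RAS) interface, i.e. inside the tunnel.
    Add-KillSwitchRule -Name 'AllowRAS' -Action allow -Match @('interfacetype=ras')

    # 5. DHCP renewals to the router so the LAN lease does not expire.
    Add-KillSwitchRule -Name 'DHCP' -Action allow `
        -Match @('protocol=udp', 'localport=68', 'remoteport=67', 'interfacetype=lan')

    # 6. Explicit block rules win over every allow rule, including Windows' own
    #    "Core Networking - DNS (UDP-Out)", so DNS and the torrent client can never
    #    use a physical interface even if a broad allow rule is added later.
    foreach ($ifType in 'lan', 'wireless') {
        Add-KillSwitchRule -Name "NoDNS-udp-$ifType" -Action block `
            -Match @('protocol=udp', 'remoteport=53', "interfacetype=$ifType")
        Add-KillSwitchRule -Name "NoDNS-tcp-$ifType" -Action block `
            -Match @('protocol=tcp', 'remoteport=53', "interfacetype=$ifType")
        Add-KillSwitchRule -Name "NoTorrent-$ifType" -Action block `
            -Match @("program=$TorrentExe", "interfacetype=$ifType")
    }
}

function Show-KillSwitch {
    # Check: the policy line should read BlockOutbound and the rules should be listed.
    netsh advfirewall show allprofiles | Select-String 'Firewall Policy'
    netsh advfirewall firewall show rule name=all | Select-String 'VPN-KillSwitch'
}

Install-KillSwitch
Show-KillSwitch
```

Two caveats a practitioner should check before relying on this. First, any other allow rules already on the machine (Windows ships several "Core Networking" ones) still apply under the default-deny; review `netsh advfirewall firewall show rule name=all dir=out` for anything that would let an application out over the wired NIC. Second, SSTP performs a certificate revocation check over plain HTTP to the CA's distribution point before the tunnel comes up, which this default-deny policy blocks, so SSTP users need either an allow rule for that endpoint or the tunnel type changed; L2TP/IPsec and PPTP are unaffected.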

It is not possible with firewall rules alone. You would, at the very least, require a script or task, to dynamically add and remove a firewall rule based on VPN connectivity.

I would not do it this way.

I would do it like this:

  1. Create a static route to the VPN remote endpoint IP, specifying that it should be routed through your gateway IP address.
  2. Remove the default gateway from the network interface tcp/ip settings.
  3. Enable the option to use the remote VPN gateway for all traffic. This is VPN client specific, but the option exists in Windows VPN. This is also known as disabling split-tunneling.

Alternatively, if I were using a sophisticated third-party VPN client, I would look for an option to block non-secured traffic. Cisco AnyConnect can do this.

  • I have modified my question. A script, task or anything not requiring the use of third-party software would be fine.
    – PeterG
    Commented Mar 16, 2018 at 1:37
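As an added example (not code from Appleoddity's answer or from the original page), the three route-based steps above as the route/netsh commands the Windows 7 client is actually configured with, typed from an elevated PowerShell prompt. With no default gateway on the NIC, an application that tries to reach the internet while the tunnel is down gets "network unreachable" at once rather than a timeout, and the only route to the outside world exists while the PPP adapter is up. Assumed values: the adapter name, LAN address, mask and router address are placeholders for a typical home network, the VPN server is the question's example 65.23.78.56, and the phonebook entry name "MyVPN" is hypothetical; the rasphone.pbk key edited in step 3 is the one the "Use default gateway on remote network" checkbox writes.

```powershell
# Added example, not from the original post: route-based kill switch for the built-in
# Windows 7 VPN client. Run from an elevated PowerShell prompt.
$Adapter   = 'Local Area Connection'   # placeholder: name shown in Network Connections
$LanIp     = '192.168.1.50'            # placeholder
$LanMask   = '255.255.255.0'           # placeholder
$Router    = '192.168.1.1'             # placeholder
$VpnServer = '65.23.78.56'             # example address from the question
$VpnEntry  = 'MyVPN'                   # hypothetical phonebook entry name
$Pbk       = "$env:APPDATA\Microsoft\Network\Connections\Pbk\rasphone.pbk"

# Step 1: persistent host route to the VPN server via the router, so the tunnel
# can still be built once the default gateway is gone.
route -p add $VpnServer mask 255.255.255.255 $Router | Out-Null

# Step 2: static address with no default gateway ("none"). DNS is deliberately left
# empty on the NIC, so names only resolve through the DNS servers the VPN assigns.
netsh interface ipv4 set address $Adapter static $LanIp $LanMask none | Out-Null
netsh interface ipv4 set dnsservers $Adapter static none validate=no | Out-Null

# Step 3: disable split tunnelling. The "Use default gateway on remote network"
# checkbox is stored as IpPrioritizeRemote=1 under the entry's [section] in rasphone.pbk.
function Set-UseRemoteGateway([string]$Path, [string]$Entry) {
    $inEntry = $false
    $updated = Get-Content $Path | ForEach-Object {
        if ($_ -match '^\[(.*)\]$') { $inEntry = ($Matches[1] -eq $Entry) }
        if ($inEntry -and $_ -match '^IpPrioritizeRemote=') { 'IpPrioritizeRemote=1' } else { $_ }
    }
    Set-Content -Path $Path -Value $updated
}
Set-UseRemoteGateway -Path $Pbk -Entry $VpnEntry

# Check: with the VPN down this must print no 0.0.0.0 route at all; after connecting,
# the only default route should be via the PPP adapter's address.
route print 0.0.0.0
```

Note what this does and does not cover: hosts on the local subnet (the router included) stay reachable without any gateway, so an application that talks to an on-link address is not blocked, and step 3 only takes effect for a phonebook entry that already has an IpPrioritizeRemote line (entries created by the Windows 7 wizard do). Restore the NIC to DHCP afterwards with `netsh interface ipv4 set address $Adapter dhcp` and `netsh interface ipv4 set dnsservers $Adapter dhcp`, and delete the host route with `route delete 65.23.78.56`.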
