
I would like to configure Windows 10 to only allow traffic through a VPN connection. For example, Firefox won't have internet access if the VPN is not connected. I want to be able to turn this setting off.

I'm not interested in the VPN-side solution, where a VPN "kill switch" cuts the internet connection if it disconnects. With that, Windows can no longer connect to my wi-fi router. So I have to kill the "kill-switch" - and when Windows connects again, all apps again have internet access with no VPN connection - so that is completely pointless.

3rd-party app solutions are okay. I would like the solution to be as light-weight as possible.

Thanks for any help.

Note: When NordVPN disconnects because a server goes down, the internet is now wide open to apps on the PC.

3 Answers


Native solutions are available.

First, create outbound firewall rules that allow connections only on the Private network profile and block all connections on the Public and Domain profiles.

Then connect your VPN and set to go Work network location and set your home router connections to public network from Network and sharing center.

HTH

  • "and set to go Work network location" ??
    – Winston
    Commented Oct 3, 2020 at 17:03
  • Yes that's windows native firewall and set VPN location to work network
    – Wasif
    Commented Oct 3, 2020 at 17:05
  • I have Domain, Private, and Public. No Work domain. I'll google this and see if there's a step-by-step guide.
    – Winston
    Commented Oct 3, 2020 at 17:14
  • Hey man, work is the same as private...
    – Wasif
    Commented Oct 3, 2020 at 17:15
  • The actual instructions to do this are fairly involved. I found instructions here zorrovpn.com/articles/windows-firewall-vpn-only?lang=en
    – Winston
    Commented Oct 3, 2020 at 17:48
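The profile-based setup from this answer, scripted in PowerShell as an added example (this is not the answerer's code, and not NordVPN's). The adapter aliases and the VPN client path are assumptions you must adjust; "Work" in the answer is what Windows 10 calls the Private profile. The key mechanism is the per-profile default outbound action: everything on Public and Domain is blocked unless an explicit allow rule matches, while the tunnel adapter sits on Private and is allowed. The explicit allow rule for the VPN client binary is what lets the tunnel be (re)built over the blocked Wi-Fi profile.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the answer above.
# Assumptions (placeholders; change them for your machine):
$WifiAlias = 'Wi-Fi'                                  # assumed alias of the physical adapter
$VpnAlias  = 'NordLynx'                               # assumed alias of the VPN tunnel adapter
$VpnClient = 'C:\Program Files\NordVPN\NordVPN.exe'   # assumed path of the VPN client executable
$VpnRule   = 'VPN client egress (Public)'

function Enable-VpnOnlyEgress {
    # Physical (router) connection goes on the Public profile; the tunnel goes on Private.
    # Set-NetConnectionProfile only works for a network that is currently connected,
    # so the VPN adapter is only reclassified if it has a profile right now.
    Set-NetConnectionProfile -InterfaceAlias $WifiAlias -NetworkCategory Public
    if (Get-NetConnectionProfile -InterfaceAlias $VpnAlias -ErrorAction SilentlyContinue) {
        Set-NetConnectionProfile -InterfaceAlias $VpnAlias -NetworkCategory Private
    }

    # Default outbound action: block on Public and Domain, allow on Private (the tunnel).
    Set-NetFirewallProfile -Profile Public, Domain -DefaultOutboundAction Block
    Set-NetFirewallProfile -Profile Private       -DefaultOutboundAction Allow

    # Explicit allow rules still take precedence over the default action, so only the
    # VPN client itself may leave via the Public profile to reach its servers.
    if (-not (Get-NetFirewallRule -DisplayName $VpnRule -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $VpnRule -Direction Outbound -Profile Public `
            -Program $VpnClient -Action Allow | Out-Null
    }
}

function Disable-VpnOnlyEgress {
    # The "turn it off" switch the question asks for: normal egress on every profile again.
    Set-NetFirewallProfile -Profile Public, Domain, Private -DefaultOutboundAction Allow
    Remove-NetFirewallRule -DisplayName $VpnRule -ErrorAction SilentlyContinue
}

function Test-VpnOnlyEgress {
    # Self-check: which profile each connection is on, and each profile's default action.
    Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory
    Get-NetFirewallProfile   | Select-Object Name, DefaultOutboundAction
    # Returns $false while the VPN is down (the SYN is dropped on the Public adapter)
    # and $true once the tunnel is up and classified Private.
    Test-NetConnection -ComputerName example.com -Port 443 -InformationLevel Quiet
}

Enable-VpnOnlyEgress
Test-VpnOnlyEgress
```

Two things to verify after running it. First, the built-in "Core Networking" allow rules (DHCP in particular) still match on the Public profile, so the Wi-Fi keeps getting an address; plain DNS on the Public profile is blocked, which is what you want, but it means the VPN client must be the program allowed out or it cannot resolve its server names. Second, if Windows classifies the tunnel adapter as Public (check with Get-NetConnectionProfile), the tunnel is blocked as well and nothing gets out; reclassify it to Private while it is connected.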

I found this on the internet years ago, have lost the original source link.

A computer uses a "routing table" to decide where to send its data packets. In XP/Vista, you can see your routing table by using the following command inside the cmd shell: netstat -R

You'll see many lines but scan through them and the only one that is of interest is the 0.0.0.0 line (ignore other lines like net masking) and it looks like this:

    Active Routes:
    Network Destination     Netmask     Gateway         Interface       Metric
    0.0.0.0                 0.0.0.0     192.168.0.1     192.168.0.8     20

What 0.0.0.0 sort of means is "any IP address". And Gateway is where to send the data. Interface is your IP address. So anytime you have data to send to any IP address, it'll be sent to the 192.168.0.1 (your router) IP address which then funnels to your local ISP. When you log onto VPN, you end up with a new second 0.0.0.0 line:

    Network Destination     Netmask     Gateway         Interface       Metric
    0.0.0.0                 0.0.0.0     192.168.0.1     192.168.0.8     20
    0.0.0.0                 0.0.0.0     91.122.72.211   91.122.72.23    10

So your computer has two routes it can pick from. Now this is where the Metric number comes in. Metric means cost. Because the metric is lower on the second route (10<20), it "costs" less, and so your computer always sends data via the VPN route, and your data is secure :)

Now the problem is that when your VPN line drops, your original routes still exist so you'll continue to seed/leech under your local IP address. So the solution is AFTER you've logged onto VPN (not before otherwise you won't have any routes to log onto the VPN), delete your original route with this command: route delete 0.0.0.0 192.168.0.1

Now your routing table will look like this:

    Network Destination     Netmask     Gateway         Interface       Metric
    0.0.0.0                 0.0.0.0     91.122.72.211   91.122.72.23    10

And if your VPN line drops, you lose that route, so there are no more 0.0.0.0 routes and your external connection will be immediately cut off. If you want to access the internet you'll need to add the original route back with this command: route add 0.0.0.0 mask 0.0.0.0 192.168.0.1 IF 8

The "IF 8" mean "interface 8". The number 8 may be different on your computer, look at the output of netstat -r to get the correct number of your interface.

A couple more points.

You may need to set a static local IP address if you have flaky wireless. Otherwise if you briefly lose your wireless connection (and therefore local IP address) while on VPN and your VPN doesn't drop, when your PC reconnects back to your wireless, your original route will automatically be added, and so even though you deleted it, it'll pop back up. So in the Control Panel under networking, turn off DHCP and assign the 192.168.0.8 address manually. That way that route will never be added back unless you add it yourself.

After you manually add your routes back, it may take some time before DNS works again. I've never figured out why the delay, so sometimes it's faster to reboot your computer after you lose the connection (this is why VMWARE is so much easier).

Tip 1: Create .bat files with the route add/del commands in it, that way you can just click a short cut.

Tip 2: Also create a shortcut to cmd with this Target: %SystemRoot%\system32\cmd.exe /k "netstat -R" . That way you never have to go to Start->Run->cmd->netstat -R each time you want to check your routes.

Tip 3: Use a virtual machine (like vmware) to connect to a VPN, that way your normal day to day traffic won't be affected.

  • I don't have any 192.168.*.* entries, rather is it pointing to gateway 10.0.0.1, interface 10.0.0.250. There are no 0.0.0.0 entries pointing directly to the internet, but there is an entry pointing to gateway 10.8.2.1, interface 10.8.2.6. IPCONFIG shows the VPN Tap Adapter has an IP address of 10.8.2.6, and a DHCP server of 10.8.2.254; and the Xfinity wi-fi connection has a gateway of 10.0.0.1, and IPv4 address 10.0.0.250. This is with Nord VPN connected, and Nord's internet kill switch turned on.
    – Winston
    Commented Nov 1, 2020 at 15:37

You can also do this by simply removing the default gateway from your network configuration altogether. Then set static routes on your system for the VPN server IP address(es).

In essence you remove the ability of your computer to communicate outside the local network, but you have told Windows how to still find and connect to the VPN server.

If you want normal access again, simply re-add the default gateway IP address to your network configuration.

A sample command for adding the VPN server routes would be: route -p add <vpn server IP> mask 255.255.255.255 <default gateway IP>

The persistent routes you create can stay. All you’ll have to do is add or remove the default gateway from the network interface. You can also script this with the netsh command and put a shortcut on the desktop to click to turn ON or OFF normal unprotected internet.

To add/remove a default gateway IP you will have to choose a static IP address rather than using the “obtain automatically” setting in your network configuration.
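The route-table approach from the two answers above (delete the LAN default route once the tunnel is up; keep a persistent host route to the VPN server so the client can still reach it; put the default route back to turn protection off), scripted in PowerShell as an added example. This is not code from either answerer. The VPN server address reuses the value from the routing-table listing above, and the adapter alias is an assumption; both must be adjusted. Unlike the bare route commands, the script refuses to remove the LAN route unless a tunnel default route already exists, records what it removed so it can be restored, and reports whether any non-tunnel default route remains.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the answers above.
# Assumptions (placeholders; change them for your machine):
$VpnServer = '91.122.72.211'   # assumed VPN server address (value from the listing in the answer)
$LanAlias  = 'Wi-Fi'           # assumed alias of the physical adapter
$StateFile = "$env:ProgramData\vpn-only-lan-route.json"

function Get-LanDefaultRoute {
    # IPv4 default route(s) leaving via the physical adapter, i.e. not through the tunnel.
    Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' |
        Where-Object { $_.InterfaceAlias -eq $LanAlias }
}

function Get-VpnDefaultRoute {
    # IPv4 default route(s) on any other adapter; once the VPN is up, that is the tunnel.
    Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' |
        Where-Object { $_.InterfaceAlias -ne $LanAlias }
}

function Add-VpnServerHostRoute {
    # Same effect as: route -p add <vpn server IP> mask 255.255.255.255 <default gateway IP>
    # The gateway is learned from the LAN default route rather than typed in.
    $lan = Get-LanDefaultRoute | Select-Object -First 1
    if (-not $lan) { throw "No default route on $LanAlias; cannot learn the LAN gateway." }
    if (-not (Get-NetRoute -DestinationPrefix "$VpnServer/32" -ErrorAction SilentlyContinue)) {
        New-NetRoute -DestinationPrefix "$VpnServer/32" -InterfaceIndex $lan.InterfaceIndex `
            -NextHop $lan.NextHop -PolicyStore PersistentStore | Out-Null
    }
}

function Enable-VpnOnlyRouting {
    # Do this AFTER the VPN is connected, exactly as the answer warns: without a tunnel
    # default route the machine would be left with no route to the VPN server at all.
    if (-not (Get-VpnDefaultRoute)) { throw 'VPN is not connected; connect first.' }
    Add-VpnServerHostRoute
    $lan = Get-LanDefaultRoute | Select-Object -First 1
    if ($lan) {
        # Remember interface index, gateway and metric so the route can be restored later.
        @{ InterfaceIndex = $lan.InterfaceIndex; NextHop = $lan.NextHop; Metric = $lan.RouteMetric } |
            ConvertTo-Json | Set-Content -Path $StateFile
        # Same effect as: route delete 0.0.0.0 <gateway>
        Remove-NetRoute -DestinationPrefix '0.0.0.0/0' -InterfaceIndex $lan.InterfaceIndex `
            -NextHop $lan.NextHop -Confirm:$false
    }
}

function Disable-VpnOnlyRouting {
    # Same effect as: route add 0.0.0.0 mask 0.0.0.0 <gateway> IF <interface index>
    if (-not (Test-Path $StateFile)) { throw "No saved LAN route in $StateFile." }
    $saved = Get-Content $StateFile | ConvertFrom-Json
    New-NetRoute -DestinationPrefix '0.0.0.0/0' -InterfaceIndex $saved.InterfaceIndex `
        -NextHop $saved.NextHop -RouteMetric $saved.Metric | Out-Null
    # The answer notes DNS lags after the route returns; a stale negative cache is one cause.
    Clear-DnsClientCache
}

function Test-VpnOnlyRouting {
    # $true only when a tunnel default route exists and no LAN default route remains.
    [bool](Get-VpnDefaultRoute) -and -not [bool](Get-LanDefaultRoute)
}

Enable-VpnOnlyRouting
Test-VpnOnlyRouting
```

Two caveats a practitioner should check. The DHCP point from the second answer still applies: a lease renewal on the physical adapter re-adds the default route, so either give the adapter a static address as the answer says, or re-run Enable-VpnOnlyRouting after every reconnect. And both answers only deal with IPv4; if the Wi-Fi has an IPv6 default route (Get-NetRoute -AddressFamily IPv6 -DestinationPrefix '::/0') and the tunnel does not carry IPv6, traffic to dual-stack hosts leaks over the LAN even with every 0.0.0.0 route gone.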

