Monday, May 16, 2011

How To Block All Internet Traffic / Connections If Not Connected to a VPN

This post will outline a method using the Windows 7 Firewall to block all Internet traffic unless you are connected to your VPN.

This post assumes you have already followed the steps in the earlier post, How to only use the VPN Connection and Block ISP.

If you implement these rules, your system will have no Internet access unless you are connected to your VPN. That is to say, your system will be connected to the Internet, but no traffic can get in or out unless specifically permitted by a separate firewall rule. If a rule allowing an application exists, that application's traffic will still be able to pass through the firewall.

I have used these rules on my system without ill effect (Windows 7 Home Premium 64-bit). Depending on what other applications you use, you will likely have to create additional rules. If you break your system, don't blame me. Always back up before messing with system settings, and take notes as you go.

It is possible this method could still potentially leak data by way of the system process svchost.exe. If you attempt to block svchost.exe, your PC will not be able to communicate with your router/modem, and you really will have blocked all network functionality - i.e. nothing will work.

That being said, I have monitored VPN disconnects using TCPView and spotted no leaks - just all processes (including system processes) engaged in Internet traffic instantly changing from ESTABLISHED to TIME_WAIT, and shortly thereafter vanishing.


If this method is too restrictive / complex for you (or if you use Windows XP / 2000 or Mac OS X), you may wish to consider using a VPN service offering a VPN client that allows you to securely bind applications to the VPN, such as HideMyAss:

HideMyAss.com


Steps:

1. Open Windows Firewall with Advanced Security (in this guide, start at step #4)

2. Select Inbound Rules. The New Inbound Rule Wizard will appear.

3. Select Custom Rule (see below).


4. Select All Programs.

5. Select Any IP Address, for both Local and Remote.

6. Select Block The Connection (see below).


7. Select Domain and Private, leaving Private and Public unticked (see below)



8. Name your rule and click Finish. Repeat steps 1 through 8 for Outbound Rules.

9.  In the Windows Firewall with Advanced Security window, select Windows Firewall Properties (see below).


10. In the resulting window, choose to block both inbound and outbound traffic for the Domain and Private profiles (see below). You may also want to block outbound traffic on the Public profile as well, but you will need to create specific allow rules for every application that needs Internet access.


You should test your configuration at this point to ensure it is working. Connect to your VPN, start up some downloads, and disconnect. All traffic should die immediately.

11 comments:

Anonymous said...

Thanks for the guide. Very easy to follow. I tested it out, and the downloads stopped immediatly when i disconnected the vpn.

However, I was still able to browse other sites...is that normal?

practicalrambler. said...

Anon: That shouldn't happen. You must follow the directions in both posts.

See also: http://practicalrambler.blogspot.com/2011/01/windows-7-firewall-how-to-always-use.html

Also, could be that a separate rule is allowing browser traffic. Study your rules carefully, modify as needed.

ron said...

Thanks for getting back to me. So I've gone through the guides a few times. It now blocks all the traffic...but the problem is that it doesn't let me connect to the VPN at all...I try, but it just hangs. Do I need to open the port and allow the traffic through for the VPN program specifically? If so what is the VPN software called? Otherwise, I'll keep tinkering around and see what I'm doing wrong?

Ron said...

I still need help getting the VPN to connect using these firewall rules. But just so I understand...this guide basically will block everything, and the only way I can actually allow the a program to access the net is by following the above guide. I guess that makes sense. what I'd prefer though, if there was a way, to block EVERYTHING if NOT connected to the VPN, and once the VPN is connected, THEN allow EVERYTHING to connect. Possible?

practicalrambler. said...

Ron: Perhaps you haven't allowed the VPN to connect (I assume you are using Windows 7/Vista's built-in VPN client functionality). Try the following post:

http://practicalrambler.blogspot.com/2011/02/allow-outgoing-vpn-connection-in.html

Hope this helps.

Ronnie Adamowicz said...

Ah, fantastic. That guide helped. I was unblocking 1723 when instead i needed 1701. It's working fine now. But, now the problem I have is as follows. I'm using one PC (Win7). I created a special user account for very secure internet surfing using the guide above. The problem is that these firewall settings now effect the other user account. Any ideas?

practicalrambler. said...

Ron: That's a good question. I think you can create different rulesets on a per-adapter basis - e.g. one set for the ethernet card, one for wi-fi etc.- but I'm not sure about what you've suggested. Honestly, I'd like to do the same myself. If you have any success I'd love it if you'd let me know :)

Ronnie Adamowicz said...

It seems you can have rules based on users, but only for inbound traffic. A potential workaround is perhaps to give one user account a static IP address. Then tell the router or firewall not to route that traffic to the internet, unless it's the VPN port? Not sure...what do you think??

Ronnie Adamowicz said...

Here's the best solution I could come up with:

1. Define the firewall rules you want for each account.
2. Export the Policies.
2a - vpn_only_traffic.wfw
2b - normal_traffic.wfw
3. Create a batch file for each of the policies using the following code:

For Normal Account:
netsh advfirewall import normal_traffic.wfw

For VPN account:

netsh advfirewall import vpn_only_traffic.wfw

Then just make it load up automatically in each account, or just have a shorcut...

Of course per user account would be better. If you, or software make any other changes to the firewall then you'd lose them which is annoying. But this seems to be a good interim solution.

practicalrambler. said...

It certainly seems like a good way to accomplish per-user rulesets. As you state, if you/software makes a policy change, you'll have to modify your exported policies accordingly - but this isn't something that happens that often. And it's easily accomplished.

On the road this week - will try it out when I return, and if successful, blog it! You are awesome Ron!

Ronnie Adamowicz said...

Ah cool. really glad it helps out. It's been working for me so far, which is great. It's still a hassle to login and logout to the user account every time, but I guess that's what you have to do if I want to be extra safe. It is possible to use one accoung and use the batch files to switch firewall profiles, but then you'd have to clear cookies, and close other services etc. For the moment, I'll stick to different user accounts, but may change that.