Jump to content
Not connected, Your IP: 3.209.80.87

Recommended Posts

I've been reading of various ways I can prevent connection that are not going through my VPN; 1. changing the DNS servers of all adapters to a VPN connection, 2. using windows firewall blocking all apps that are not part of my standard network type (private vs public), and 3. deleting a default gateway route to/from your router so my communication can exist.  Methods 1 and 3 are in the .bat file below; 1 in blue text and 3 in red.

I have this .bat file run at startup.  According to AirVPN, method 3 should block all non-VPN connections (where 192.168.0.1 is the router).  The problem I've been having is that no connections at all can be made, even the VPN.  I don't get why; a route has been added to my vpn server IP using mask 255.255.255.255 from the default gateway using viscosity.  That should be enough if the VPN IP is contained in the ovpn file, right?  The funny thing is, if the 192.168.0.1 address is changed to my interface adapter address, 192.168.0.107, this works just fine.  But multiple people have told me that the default gateway address is needed instead.  What am I doing wrong here?

Can anyone help me accomplish method 3?

(The orange text grants me admin rights)

:: BatchGotAdmin

REM  --> Check for permissions
>nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"

REM --> If error flag set, we do not have admin.
if '%errorlevel%' NEQ '0' (
  echo Requesting administrative privileges...
  goto UACPrompt
) else ( goto gotAdmin )

:UACPrompt
  echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"
  set params = %*:"=""
  echo UAC.ShellExecute "cmd.exe", "/c %~s0 %params%", "", "runas", 1 >> "%temp%\getadmin.vbs"

  "%temp%\getadmin.vbs"
  del "%temp%\getadmin.vbs"
  exit /B

:gotAdmin
  pushd "%CD%"
  CD /D "%~dp0"

route delete 0.0.0.0 192.168.0.1
netsh interface ip set dns "Mine" static 10.4.0.1
netsh interface ip set dns "Ethernet" static 10.4.0.1
netsh interface ip set dns "Wi-Fi" static 10.4.0.1

exit

Share this post


Link to post

 

I've been reading of various ways I can prevent connection that are not going through my VPN; 1. changing the DNS servers of all adapters to a VPN connection, 2. using windows firewall blocking all apps that are not part of my standard network type (private vs public), and 3. deleting a default gateway route to/from your router so my communication can exist.  Methods 1 and 3 are in the .bat file below; 1 in blue text and 3 in red.

 

I have this .bat file run at startup.  According to AirVPN, method 3 should block all non-VPN connections (where 192.168.0.1 is the router).  The problem I've been having is that no connections at all can be made, even the VPN.  I don't get why; a route has been added to my vpn server IP using mask 255.255.255.255 from the default gateway using viscosity.  That should be enough if the VPN IP is contained in the ovpn file, right?  The funny thing is, if the 192.168.0.1 address is changed to my interface adapter address, 192.168.0.107, this works just fine.  But multiple people have told me that the default gateway address is needed instead.  What am I doing wrong here?

 

Can anyone help me accomplish method 3?

 

(The orange text grants me admin rights)

 

:: BatchGotAdmin

 

REM  --> Check for permissions

>nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"

 

REM --> If error flag set, we do not have admin.

if '%errorlevel%' NEQ '0' (

  echo Requesting administrative privileges...

  goto UACPrompt

) else ( goto gotAdmin )

 

:UACPrompt

  echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"

  set params = %*:"=""

  echo UAC.ShellExecute "cmd.exe", "/c %~s0 %params%", "", "runas", 1 >> "%temp%\getadmin.vbs"

 

  "%temp%\getadmin.vbs"

  del "%temp%\getadmin.vbs"

  exit /B

 

:gotAdmin

  pushd "%CD%"

  CD /D "%~dp0"

 

route delete 0.0.0.0 192.168.0.1

netsh interface ip set dns "Mine" static 10.4.0.1

netsh interface ip set dns "Ethernet" static 10.4.0.1

netsh interface ip set dns "Wi-Fi" static 10.4.0.1

 

exit

 

I use viscosity myself and made my own VPN killswitch/network lock using the same method AirVPN client Eddie does, it sets your windows firewall to block all connections to IPs not on the allowed list and it is much more effective since it isn't dependant on apps it's dependant on IP. The problem with deleting the routers IP from routing can be that since the traffic HAS to go through your router to the servers that is why you can't get any internet when deleting it. I am more than happy to provide you with my own AirVPN network lock however it is not fully up to date I keep it as a backup I generally add the IPs manually I wanna connect to. It's easy to load the policy into the windows firewall and since the firewall is fully integrated it is quite effective

Share this post


Link to post

​Yes, please.  That'd be great!  I use Windows Firewall Control from binisoft, so I can just import the file and update the IPs as need be.  Are the rules blanket or app-basis?

Share this post


Link to post

​These are all allow rules.  How does this block non-vpn?  As I understand it, Windows firewall is not hierarchical; meaning that a simple "block all" rule after allow rules will not suffice.

Share this post


Link to post

As EdensSpire mentioned re win firewall:-

If it's understood what the Eddie client 'network lock' feature is doing I think this is the simplest and most effective method of ensuring all traffic goes via the vpn.

Share this post


Link to post

​These are all allow rules.  How does this block non-vpn?  As I understand it, Windows firewall is not hierarchical; meaning that a simple "block all" rule after allow rules will not suffice.

 

If you look the firewall is set to block EVERYTHING not on the allowed list, setting specific things to be blocked is simply not effective due to everything you'd have to add everytime you do ANYTHING on the computer. And the point of these rules is even if lets say Steam adds itself to the firewall steam doesn't add IPs which means even if it's allowed it cannot connect outside of the VPN

Share this post


Link to post

I use viscosity myself and made my own VPN killswitch/network lock using the same method AirVPN client Eddie does, it sets your windows firewall to block all connections to IPs not on the allowed list and it is much more effective since it isn't dependant on apps it's dependant on IP.

 

 

​Doesn't that suggest that there needs to be some sort of Block rule?I know you are not using eddie, but viscosity.  I'm missing something then because disconnecting the VPN still allows traffic through.  If what you're saying it true, that Windows firewall block everything not on an allow list by default, then why is it that when I delete my firefox.exe rule I'm prompted to allow it?  Shouldn't it be blocked by default?

 

 

 

Share this post


Link to post

Sorry thetechdude, I may be missing the point here. If your desire is to block all but net traffic I'm failing to understand why the win firewall rules do not suffice? Using Public and Private network options also helps delineate between local net and world net. All most everything can be achieved this way?

On your public interface with network lock you will end up with something like this and free to do as you wish on your private network rules even limiting to internal IP's?

Edit: Ignore skype entry

Share this post


Link to post

​I think the problem is that we're not on the same page.  Also, I think part of the issue is that, unlike most people, I'm also using Windows' firewall to regulate application connections.  The image posted above seems to indicate that most don't; as there are no app rules.  That's why I don't want to use Eddie; because the network lock feature uses the Windows firewall and prevents people from using app-defined rules.  That is not very accommodating.

 

That being said, I'm not sure how I can use Windows firewall to accomplish both blocking of non-VPN traffic while also using app-defined rules.  I'm still prompted to create rules when permission is being requested despite the setting that were in my other screenshot, which was supposed to block all not explicitly allowed.  I'm not sure why that is.

Share this post


Link to post

​I think the problem is that we're not on the same page.  Also, I think part of the issue is that, unlike most people, I'm also using Windows' firewall to regulate application connections.  The image posted above seems to indicate that most don't; as there are no app rules.  That's why I don't want to use Eddie; because the network lock feature uses the Windows firewall and prevents people from using app-defined rules.  That is not very accommodating.

 

That being said, I'm not sure how I can use Windows firewall to accomplish both blocking of non-VPN traffic while also using app-defined rules.  I'm still prompted to create rules when permission is being requested despite the setting that were in my other screenshot, which was supposed to block all not explicitly allowed.  I'm not sure why that is.

We were definitely not on the same page

 

I took from the title you were looking for a blanket block.

 

..that being said, the above can serve as a basis for allowing per app outside of the vpn. It is far easier to setup to rules to block everything and then setup rules to allow the few programs you want outside the vpn than it is to setup per app rules. In all honesty, you end up chasing your own tail continuously. 

 

I think for most the amount of time involved is a major factor also. I have bouts of loads of time and months of no time For me a blanket block works great as I know if I set up something quickly and it can't get to the net I know my rules work well. I then take a time out and set up rules for it and it works fine.

 

 

As above, blanket block and per app rules to allow will give you the security you would like, I think. I mentioned about public and private networks in win, that's a huge bonus. If looked into properly it allows very harsh network lockdown (not something win is known for).

 

You could allow only local network on your (private physical network interface) and limit the public to vpn only aswell as allowing the login addresses on your private network. Essentially making your network as tight as a duck arse.

Share this post


Link to post

 

I use viscosity myself and made my own VPN killswitch/network lock using the same method AirVPN client Eddie does, it sets your windows firewall to block all connections to IPs not on the allowed list and it is much more effective since it isn't dependant on apps it's dependant on IP.

 

 

​Doesn't that suggest that there needs to be some sort of Block rule?I know you are not using eddie, but viscosity.  I'm missing something then because disconnecting the VPN still allows traffic through.  If what you're saying it true, that Windows firewall block everything not on an allow list by default, then why is it that when I delete my firefox.exe rule I'm prompted to allow it?  Shouldn't it be blocked by default?

 

 

attachicon.gifsshot-1.jpg

 

 

I'm sorry for the confusing let me try and explain in as much detail as I can, the policy I gave you is a clean one it has never seen firefox or any other program the rules in it allows connection to AirVPN servers only, when you then start firefox it tries to create a rule to allow it to run and not get blocked by the firewall but infact you can just click cancel since it can connect just fine the policy I gave you has everything set as it needs to be and once you click cancel it won't request in the future.

 

EDIT: Even with this you can use app-defined rules however the issue will remain that the other allow rules are set to make sure no connections reach anything not owned by AirVPN you'd have to delete those to make an app-specific connection rule and that'd leave you vulnerable as you open up your system fully.

Share this post


Link to post

 

 

I use viscosity myself and made my own VPN killswitch/network lock using the same method AirVPN client Eddie does, it sets your windows firewall to block all connections to IPs not on the allowed list and it is much more effective since it isn't dependant on apps it's dependant on IP.

 

 

​Doesn't that suggest that there needs to be some sort of Block rule?I know you are not using eddie, but viscosity.  I'm missing something then because disconnecting the VPN still allows traffic through.  If what you're saying it true, that Windows firewall block everything not on an allow list by default, then why is it that when I delete my firefox.exe rule I'm prompted to allow it?  Shouldn't it be blocked by default?

 

 

attachicon.gifsshot-1.jpg

 

 

I'm sorry for the confusing let me try and explain in as much detail as I can, the policy I gave you is a clean one it has never seen firefox or any other program the rules in it allows connection to AirVPN servers only, when you then start firefox it tries to create a rule to allow it to run and not get blocked by the firewall but infact you can just click cancel since it can connect just fine the policy I gave you has everything set as it needs to be and once you click cancel it won't request in the future.

 

EDIT: Even with this you can use app-defined rules however the issue will remain that the other allow rules are set to make sure no connections reach anything not owned by AirVPN you'd have to delete those to make an app-specific connection rule and that'd leave you vulnerable as you open up your system fully.

I'd just like to clarify I for one would not doubt the advice given by EdensSpire. It's clear advice and it works. The advice I offered was based on my own experience and trying throughout to simplify it.

Share this post


Link to post

Thanks everyone.  Is it a little weird that I'm kinda having fun trying to figure this out?

 

Okay, so it might be time for a little different approach.  I've created rules that allow, say Firefox, to access private networks using a local address range of 10.4.0.1-10.3.255.255 and block any any access of the app to private networks (non-vpn) and can only access public (VPN).  Similar rulesets for other apps are there too. 

 

test vpn rules.txt (Rename w/ wpw extension)

 

Also viscosity is set to use the DNS addresses 10.4.0.1 and 10.5.0.1.  And, indeed, the DNS servers do change to their intended address when it connects.  However, they revert when it disconnects.  To combat this, I've created a script which runs at startup that seems to solve the issue; so that the DNS servers permanently change until reset.

 

 

:: BatchGotAdmin

REM --> Check for permissions
>nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"

REM --> If error flag set, we do not have admin.
if '%errorlevel%' NEQ '0' (
echo Requesting administrative privileges...
goto UACPrompt
) else ( goto gotAdmin )

:UACPrompt
echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"
set params = %*:"=""
echo UAC.ShellExecute "cmd.exe", "/c %~s0 %params%", "", "runas", 1 >> "%temp%\getadmin.vbs"

"%temp%\getadmin.vbs"
del "%temp%\getadmin.vbs"
exit /B

:gotAdmin
pushd "%CD%"
CD /D "%~dp0"

 

netsh int ip set address "Wi-Fi" static 192.168.0.107 255.255.255.0 192.168.0.1
netsh interface ipv4 set dns "Wi-Fi" static 10.4.0.1
netsh interface ipv4 add dns "Wi-Fi" 10.5.0.1 index=2

netsh int ip set address "Mine" static 192.168.0.107 255.255.255.0 192.168.0.1
netsh interface ipv4 set dns "Mine" static 10.4.0.1
netsh interface ipv4 add dns "Mine" 10.5.0.1 index=2

netsh int ip set address "Ethernet" static 192.168.0.107 255.255.255.0 192.168.0.1

netsh interface ipv4 add dns "Ethernet" 10.5.0.1 index=2

netsh interface ipv4 set dns "Ethernet" static 10.4.0.1

 

 

This one below resets everything

 

:: BatchGotAdmin

REM --> Check for permissions
>nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"

REM --> If error flag set, we do not have admin.
if '%errorlevel%' NEQ '0' (
echo Requesting administrative privileges...
goto UACPrompt
) else ( goto gotAdmin )

:UACPrompt
echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"
set params = %*:"=""
echo UAC.ShellExecute "cmd.exe", "/c %~s0 %params%", "", "runas", 1 >> "%temp%\getadmin.vbs"

"%temp%\getadmin.vbs"
del "%temp%\getadmin.vbs"
exit /B

:gotAdmin
pushd "%CD%"
CD /D "%~dp0"


ipconfig /flushdns
nbtstat -R
nbtstat -RR
netsh int reset all
netsh int ipv4 reset
netsh winsock reset

exit
 

 

 

This seems to accomplish what I wanted.  The firewall rules are in place, as well as the "Secure" bat (just in case).  After running "Secure", I disabled the firewall and ran Firefox.  There was no connection.  Then I ran "Insecure", with the firewall still disabled, and Firefox could again function.  I think this approach works for me.  Thoughts? Am I way off?

 

Thanks.

Share this post


Link to post

I would say with what you are trying to accomplish you  are making it more complicated than it has to be, but if it works then no need to change it =) and yes I like trying to figure out new things and methods too

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...