Blocking all non-VPN traffic (Windows)

Hi,

I'm running Windows XP and have set up Comodo Firewall to block all non-AirVPN traffic from uTorrent (for when AirVPN goes down), as detailed in this thread. https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=1713&Itemid=142

Is it possible to set a global rule which will block all traffic from the computer other than that which goes through the VPN connection? There is a setting for global rules in Comodo, but attempting to do it in the same way as for uTorrent doesn't seem to work, as it blocks the VPN itself. Basically I'd like to have it set up so that the computer can't connect to the internet at all except through the VPN.

Thanks.

Hello!

Yes, it is possible. Remember to allow packets for your physical network card from and to the entry-IP address of the VPN server you're connected to, otherwise you will block each and every packet, as you have experienced. There are several ways to accomplish this. An example is to block everything from and to your network card (NOT going to and coming from the entry-IP address) AND (NOT coming from or going to your TAP-Win32 adapter).

See also:

https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=1713&limit=6&limitstart=30&Itemid=142#2019

Kind regards


That's great, thanks! How might I go about doing that in comodo (or otherwise)? I've looked through the various global and other ruleset settings, and there's no obvious option to make rules involving my network card or TAP-Win32 adapter. Apologies if I've just overlooked it.

Hello!

With Comodo, first detect the Network Zones corresponding to your adapters (usually Comodo gives them names like Home #1 etc. according to your preferences). Then apply the global rules to those network zones (both when they are the target and the sender) in the tab "Global Rules".

You'll need to know the Network Zone corresponding to your local adapter (10.4.0.0/8) and to your physical adapter (WiFi or Ethernet card). See the tab "Network Zones" inside the "Network Security Policy" menu of the Firewall section in order to detect them.

The Network Zone corresponding to the TAP-Win32 adapter can be authorized to receive and send any packet from any source or to any destination, from/to any port from/to any port.

The Network Zone corresponding to your physical adapter must allow ONLY the packets coming from or going to the entry-IP address of the VPN server or the TAP-Win32 adapter.

Kind regards


Ok thanks again.

If I'm reading your reply correctly, then all I have to do is go to global rules and set the network zone corresponding to my physical adapter (WiFi card in this case) to allow only traffic from the VPN entry IP address or the network zone of the TAP-Win32 adapter.

Comodo Firewall currently has five network zones listed: one called "Loopback Zone" and four called "Home #1", "Home #2", "Home #3", "Home #4". How do I tell which corresponds to my physical adapter and to the TAP-Win32 adapter?

Hello!

You'll need to know the Network Zone corresponding to your TAP-Win32 adapter (10.4.0.0->10.9.255.255 for AirVPN) and to your physical adapter (WiFi in your case). See the tab "Network Zones" inside the "Network Security Policy" menu of the Firewall section in order to detect them. About your WiFi adapter, you can easily locate it if you know its IP address. You can list all the details of your adapters with

ipconfig /all

Kind regards


Ok great, I have the IP addresses of my physical adapter and TAP-Win32 adapter.

How do I find the entry IP address of the VPN? (Apologies if this is blindingly obvious.)

Also, will the VPN entry IP address be the same each time I connect, assuming that I always use the same airVPN server?

Thanks again

Hello!

The entry-IP address of each server never changes. You can find it in several ways:

- display the connection logs and see which IP address OpenVPN connects to. That IP address is the entry-IP address;

- open the .ovpn OpenVPN configuration file and look at the line "remote" (the entry-IP address is the one specified in that line). You can generate the .ovpn files for any server you wish with our configuration generator;

- (only if already connected): open Comodo Firewall "View Active Connections" and see which IP address openvpn.exe is exchanging packets with. That IP address is the entry-IP address.

Kind regards


The Network Zone corresponding to the TAP-Win32 adapter can be authorized to receive and send any packet from any source or to any destination, from/to any port from/to any port.

The Network Zone corresponding to your physical adapter must allow ONLY the packets coming from or going to the entry-IP address of the VPN server or the TAP-Win32 adapter.

 

OK, I've now got the various network zones figured out. In this case the Physical adapter (wifi card) is Home #1 and the TAP-Win32 adapter is Home #3. The VPN entry address appears to be the same as that of my wifi card.

I've tried creating various rules in the "Global rules" tab to match what you've written in your post, but I can't seem to work it out.

What rules do I need to create?


I'm still trying to work out a firewall ruleset that works (or any other way of solving this problem)

If anyone has any ideas as to how we might get this to work, it would be very helpful


I would also quite like a good explanation or guide on how to achieve this. (No internet traffic at all except through the VPN)

I've tried everything said here, as well as the other thread. But the only solution that works for me is still blocking individual applications.

As soon as I implement the suggested global rules in this thread (and the suggestions made in several other threads; I've tried them all, even on the Comodo forums) the VPN connection itself is fine, but the AirVPN application crashes. When I shut down this application to try and see if I can connect anew with the new firewall global rules, I cannot, even though I have entered all the correct addresses. (Triple checked them by now.)

Any other workable solution to achieve no possible traffic outside of the VPN?

Thanks in advance!


Yes! A guide would be awesome. I'm liking this VPN a lot, a bit tricky at first (I'm an idiot). But I also would prefer to stop all incoming and outgoing traffic unless I'm on the VPN. If it's possible this thread should be stuck at the top ("Sticky") and solved?


I messed around with Comodo Firewall's settings for a bit and I think I found a solution.

Comodo Firewall -> Firewall -> Network Security Policy -> Global Rules -> Add.

Action: Block

Protocol: IP

Direction: In/Out

Source Address: Network Zone - (Your WiFi/Ethernet's zone)

Destination Address: Exclude - IPv4 Single Address - Entry address of server

To find the entry address of a server:

Hello!

The entry-IP address of each server never changes. You can find it in several ways:

- display the connection logs and see which IP address OpenVPN connects to. That IP address is the entry-IP address;

- open the .ovpn OpenVPN configuration file and look at the line "remote" (the entry-IP address is the one specified in that line). You can generate the .ovpn files for any server you wish with our configuration generator;

- (only if already connected): open Comodo Firewall "View Active Connections" and see which IP address openvpn.exe is exchanging packets with. That IP address is the entry-IP address.

Kind regards

If you try to connect through the AirVPN client with that rule, you will get a "The remote name could not be resolved: 'airvpn.org'" error. One of the solutions I found was to disable the global rule (Easy way: Edit -> Action: Allow. Destination address: Uncheck exclude) and connect to AirVPN before activating it again. Alternatively, if you do not want to go through the hassle of enabling and disabling the rule every time you disconnect from and reconnect to AirVPN, you can start connecting through OpenVPN instead of the AirVPN client (https://airvpn.org/windows/ scroll down to "Access without AirVPN client.")

For connecting to AirVPN with the AirVPN client, I've tried excluding AirVPN.org's IP address in the rule, but I was still getting the same error. Is there a way to log into the client without having to disable the global rule? Also, is there a difference between blocking IP and blocking TCP&UDP/ICMP?

Hello!

The AirVPN client for Windows needs to resolve airvpn.org name in order to download via an encrypted connection certificates and key and then launch OpenVPN, so the quickest workaround is adding the following line to your hosts file:

46.105.19.36 airvpn.org

In this way airvpn.org will be resolved without the need of a DNS query outside the tunnel which is correctly blocked with your rules when you are not connected to an Air server. You will still have to authorize packets from and to 46.105.19.36 in the firewall.

Of course if we change the IP address of our frontend you will have to update your hosts file.

Kind regards


Hello. I have been working on this for a while and Air hasn't really put out a tutorial on it despite so many clients being interested. Thank you, greg, for the post! Here is what I have in Comodo.

*Added to hosts file: 46.105.19.36 airvpn.org

Action: Allow

Protocol: IP

Direction: In/Out

Source Address: Any

Destination Address: IPv4 Single Address - 46.105.19.36

Action: Block

Protocol: IP

Direction: In/Out

Source Address: Network Zone - (Your WiFi/Ethernet's zone)

Destination Address: Exclude - IPv4 Single Address - Entry address of server (This case it is Sirius)

Why can't you exclude the range 10.4.0.0 - 10.9.255.255 instead of the entry address of an individual server? Is there a way to exclude all servers' IPs at once? When I try to allow the range it logs into the Air client but doesn't connect to any servers. With the single entry IP I can only connect to the one server I have listed. So close to working!

To be honest, I had no idea what I was doing and was just messing with the settings while following what Admin said in page 1.

My guess is that the firewall is set to block connections to/from the entry addresses of other servers, so add a rule for each server to allow connections to their entry servers. Allow - IP - In/Out - Any - IPv4 Single Address (entry address)

I have been trying to add separate rules and it won't allow me to connect after adding rules for more than 1 server. It's confusing me, it doesn't make sense.

Did you add the new rules on top of the block rule?

I added an "Allow IP In/Out From MAC Any To IP <Entry address> Where Protocol Is Any" rule for each server and I have no problems connecting to any of them.


Thanks for the screenshot. I think I got it working, but how did you allow "all"? Probably doesn't matter but just curious. Also, what is [AirVPN - Sirius]? Just 108.59.8.147, I'm assuming. Here are all the IPs you need in text format for anyone else working on this. Cheers.

Connect AirVPN - 46.105.19.36

Omicron - 89.149.226.185

Tauri - 46.165.208.65

Delphini - 146.185.25.170

Lyra - 62.212.85.65

Leonis - 85.17.123.26

Orionis - 95.211.98.154

Castor - 95.211.169.3

Draconis - 178.248.29.132

Vega - 69.163.36.66

Sirius - 108.59.8.147

That's one of the default rules that Comodo sets for your network zones. The description says "all", but if you set the same rule without a description, it will say "Allow IP In/Out From MAC Any To In [AirVPN - Sirius] Where Protocol Is Any." I wanted to keep at least one of the default rules in case I screwed up by deleting those rules, so I kept that rule and renamed the description to [AirVPN - Sirius] to match the network zone's name. Probably should have deleted that rule before taking that screenshot, but I guess it's a bit too late now.


Ah okay, I see. Another question, sorry I am full of them. Now I want to stream TVersity to my Xbox, but obviously it won't because I have everything blocked when that computer isn't connected to the VPN. When connected it does the same thing. What global rule would I add to allow this to stream? I tried allowing 192.168.1.1-192.168.1.255 but it didn't work, both IP and UDP/TCP. Thanks dude, you are awesome.


Any update on the list, or anything else anybody would like to add?

BTW, Draconis is 178.248.29.133, not 178.248.29.132.

No it's not, that's the exit IP.


Oh, my bad, thanks.

Update: there's a little problem I've noticed. While AirVPN was trying to reconnect, it couldn't; as soon as I removed the block rule, it could. I've set my rules as follows.

My block rule I've set up like this:

Log as firewall event if rule is fired

Action: Block

Protocol: IP

Direction: In/Out

Source Address: Network Zone

Zone: my WiFi, set up by checking the IPv4 address under the WiFi network connection status, then going to Network Zones, selecting IPv4 Single Address, entering the WiFi address and finishing, which gives a network zone

Destination Address: Exclude

Type: Single IPv4

AirVPN server IP currently in use

IP Details:

IP Protocol: Any

Used this screenshot as reference:

https://airvpn.org/media/kunena/attachments/46575/globalsettings.png

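The rulesets traded from greg's post onward (the single block rule with an Exclude, the per-server allow rules, the rule-order question, the hosts-file workaround for airvpn.org, the LAN streaming case and the entry-versus-exit address mix-up) can be checked before anything is typed into the Comodo GUI. The following is an added example, not code from this thread, from Comodo or from AirVPN. It models global rules as a first-match list and evaluates the packets this thread cares about against several rule orders. Assumptions: Comodo matches global rules top to bottom and the first match wins; for an In/Out rule, "Source Address" is this machine's side and "Destination Address" the far end; a packet no global rule matches falls through to application rules (returned as "pass"). The zone subnets, host addresses and probe packets are constructed; the server and frontend addresses are the ones the thread lists at the time, and the admin has already noted that the frontend address can change.

```python
"""First-match model of Comodo global rules for a VPN-only ruleset.

Added example; not from the thread or from Comodo/AirVPN.  Zone subnets, host
addresses and probe packets are constructed; server addresses are as listed in
the thread at the time."""
import ipaddress
from dataclasses import dataclass


def _matcher(spec):
    """'any', an address or CIDR, or '!' + address/CIDR for Comodo's 'Exclude' checkbox."""
    if spec == "any":
        return lambda ip: True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (lambda ip: ip not in net) if negate else (lambda ip: ip in net)


@dataclass
class Rule:
    action: str   # 'allow' or 'block'
    local: str    # Comodo 'Source Address': this machine's adapter / zone
    remote: str   # Comodo 'Destination Address': the far end
    note: str = ""


def evaluate(rules, local_ip, remote_ip):
    """Return 'allow', 'block', or 'pass' (no global rule matched) for one packet."""
    local, remote = ipaddress.ip_address(local_ip), ipaddress.ip_address(remote_ip)
    for rule in rules:                      # top to bottom, first match wins (assumption)
        if _matcher(rule.local)(local) and _matcher(rule.remote)(remote):
            return rule.action
    return "pass"


WIFI_ZONE = "192.168.1.0/24"        # constructed: the physical card's zone ("Home #1")
TAP_ZONE = "10.4.0.0/15"            # assumption: the TAP-Win32 zone as Comodo detected it
FRONTEND = "46.105.19.36"           # airvpn.org as given in the thread, pinned in hosts
ENTRY = {"Sirius": "108.59.8.147", "Omicron": "89.149.226.185", "Draconis": "178.248.29.132"}
DRACONIS_EXIT = "178.248.29.133"    # an exit address: allowing it does nothing for connecting
WIFI_HOST = "192.168.1.23"          # constructed local addresses
TAP_HOST = "10.4.12.6"

# What the original poster first tried: one block rule and nothing else.
NAIVE = [Rule("block", WIFI_ZONE, "any", "blocks the VPN handshake too")]

# The working shape from greg and Shadowfax: allows on top, one block at the bottom.
WORKING = (
    [Rule("allow", "any", FRONTEND, "client login (airvpn.org in hosts)")]
    + [Rule("allow", "any", ip, f"entry IP of {name}") for name, ip in ENTRY.items()]
    + [Rule("allow", TAP_ZONE, "any", "anything inside the tunnel")]
    + [Rule("block", WIFI_ZONE, "any", "nothing else leaves the physical card")]
)

# Same rules with the block rule on top: the allows below it never fire.
WRONG_ORDER = WORKING[-1:] + WORKING[:-1]

# A LAN allow for streaming to a console; it only helps if it sits above the block.
LAN_OK = WORKING[:-1] + [Rule("allow", WIFI_ZONE, WIFI_ZONE, "LAN only")] + WORKING[-1:]


def audit(rules):
    """Evaluate the packets this thread cares about against one ruleset."""
    probes = {
        "wifi -> Sirius entry": (WIFI_HOST, ENTRY["Sirius"]),
        "wifi -> Omicron entry": (WIFI_HOST, ENTRY["Omicron"]),
        "wifi -> airvpn.org": (WIFI_HOST, FRONTEND),
        "wifi -> public DNS": (WIFI_HOST, "8.8.8.8"),
        "wifi -> Draconis exit": (WIFI_HOST, DRACONIS_EXIT),
        "wifi -> LAN console": (WIFI_HOST, "192.168.1.40"),
        "tap  -> anything": (TAP_HOST, "8.8.8.8"),
    }
    return {label: evaluate(rules, *addrs) for label, addrs in probes.items()}


if __name__ == "__main__":
    for name, rules in (("NAIVE", NAIVE), ("WORKING", WORKING),
                        ("WRONG_ORDER", WRONG_ORDER), ("LAN_OK", LAN_OK)):
        print(name)
        for label, verdict in audit(rules).items():
            print(f"  {label:24} {verdict}")
```

Two things the table makes visible: with per-server allow rules above the block rule, greg's "Exclude entry address" on the block rule becomes redundant (it only mattered when the block rule stood alone and one server was excluded from it), and the DNS probe shows why the client could not resolve airvpn.org without the hosts entry plus the frontend allow rule. The model ignores application rules, ports and IPv6, so it checks rule order and address coverage, not the whole firewall.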
