Staff 9972 Posted ... Hello!Previous thread on Windows and Comodo to prevent DNS leaks and leaks in case of unexpected VPN disconnection have become very big and detailed. We invite you to consult those threads for details and support, while we publish this message as a quick, clarifying overview of the essential steps.Please note that if you don't use Windows you don't need to read this post. If you use Windows and a firewall other than Comodo, you can anyway take these rules as an example and adapt them to your firewall.This is a minimal set of instructions to prevent any leak in case of unexpected VPN disconnection and prevent, in any case, DNS leaks, on Windows system with Comodo firewall. Comodo firewall is currently the only firewall we recommend for Windows. The free version is just fine for our purposes.Never rename the rules: in case you need support, we need to see what the rules really state.1) If you're not familiar with a firewall, read Comodo Firewall manual or guides. In particular, please see the following:https://help.comodo.com/topic-72-1-451-4773-global-rules.htmlhttps://help.comodo.com/topic-72-1-451-4884-Network-Zones.html2) Install Comodo Personal Firewall free version available here: https://personalfirewall.comodo.com/3) Set the Firewall Security Level to "Custom Policy" 4) Determine or create the Network Zone of your TAP-Win32 network adapter (from now on "AirVPN"). A safe way to define it: IP Range [10.1.0.0 - 10.255.255.255] if you need OpenVPN over SSH/SSL and other alternative connection modes, see also https://airvpn.org/specs 5) Determine the entry-IP addresses of the AirVPN server(s) you wish to connect to: https://airvpn.org/topic/14378-how-can-i-get-vpn-servers-entry-ip-addresses6) Define a "Global Rule" which blocks everything:Block And Log IP In/Out From MAC Any To MAC Any Where Protocol Is AnyThe logging is important for troubleshooting if necessary.7) Put the above Global Rule in the top position. This will block completely your connectivity and let you add a whitelist of Allow global rules put BEFORE this total block global rule. All the "Allow" rules that you want to be evaluated shall be put BEFORE (i.e. higher than) the above block rule.8) Define a"Global" rule which allows in/out communications of your TAP-Win32 adapter ("AirVPN") both In and Out:Allow IP In/Out From In [AirVPN] To MAC Any Where Protocol Is AnyAllow IP In/Out From MAC Any To In [AirVPN] Where Protocol Is Any9) Do the same for your loopback zone (IP range 127.0.0.1 - 127.255.255.254)Allow IP In/Out From In [Loopback Zone] to MAC Any Where Protocol Is AnyAllow IP In/Out From MAC Any To In [Loopback Zone] Where Protocol Is Any10) Do the same for any entry-IP address of the VPN servers you wish to connect to. For example for Leporis:Allow TCP or UDP In/Out From IP 95.211.191.33 To MAC Any Where Source Port Is Any And Destination Port Is AnyAllow TCP or UDP In/Out From MAC Any To IP 95.211.191.33 Where Source Port Is Any And Destination Port Is AnyFor your comfort, you might define a Network Zone (for example [Air servers entry IPs]) containing only the entry-IP addresses of our servers and then set two rules likeAllow TCP or UDP In/Out From In [Air servers entry IPs] To MAC Any Where Source Port Is Any And Destination Port Is AnyAllow TCP or UDP In/Out From MAC Any To In [Air servers entry IPs] Where Source Port Is Any And Destination Port Is AnyIn this way, you will only need to add a single IPv4 address to that Network Zone in order to connect to a new server, instead of defining two additional rules for each server, which may be annoying if you switch between a lot of servers.11) Add similar rules to allow communications of your device with your router (and within your home/office network, if you wish so). For example, if your network is [192.168.0.0 / 255.255.0.0] define a network zone with IP Range [192.168.0.0 - 192.168.255.255] (let's call it "Home Network") and set the following rules:Allow TCP In/Out From In [Home Network] To In [Home Network] Where Source Port Is Any And Destination Port Is AnyAllow UDP In/Out From In [Home Network] To In [Home Network] Where Source Port Is Any And Destination Port Is Not 53Allow ICMP In/Out From In [Home Network] To In [Home Network] Where ICMP Message Is Any11a) Allow DHCP "negotiation":Allow IP In/Out From MAC Any To IP 255.255.255.255 Where Protocol Is Any 12) In order to allow "airvpn.org" resolution even when disconnected (and any other hostname you wish to be resolved even when VPN is disconnected), add to your hosts file the line:95.211.138.143 airvpn.orgDo not forget about this change! If we change our main frontend IP address, you will not be able to reach airvpn.org anymore until you remove that line. No more necessary starting with Air client edition 2 "Eddie".13) If you use the Air client, add rules to allow communications with IP addresses 5.196.64.52 and 95.211.138.143 (two of our frontend servers), In and OutAllow TCP or UDP In/Out From IP 5.196.64.52 To MAC Any Where Source Port Is Any And Destination Port Is AnyAllow TCP or UDP In/Out From MAC Any To IP 5.196.64.52 Where Source Port Is Any And Destination Port Is AnyAllow TCP or UDP In/Out From IP 95.211.138.143 To MAC Any Where Source Port Is Any And Destination Port Is AnyAllow TCP or UDP In/Out From MAC Any To IP 95.211.138.143 Where Source Port Is Any And Destination Port Is Any14) You can progressively enlarge your whitelist just by adding "Allow" rules before the total blocking rule of point 6) according to your system needs.Keep in mind that there are literally dozens of ways to accomplish the same task with Comodo.Pay attention not to confuse the "-" symbol, which stands for "IP range", with the "/" symbol, which stands for IP address / NetMask. For example, [10.4.0.0 - 10.9.255.255] is correct (the IP range from 10.4.0.0 to 10.9.255.255), while [10.4.0.0 / 10.9.255.255] is NOT correct (IP 10.4.0.0 NetMask 10.9.255.255, which covers almost every existing IP address!).When you have defined all the rules, do not forget to click "Apply" and "OK" in order to store them and make them active for any new connection. Test everything and do not be afraid to experiment before you rely on the secured connection for sensitive data transmissions.Kind regards 1 Fisitaedar reacted to this Share this post Link to post
Staff 9972 Posted ... Hello! If you have any problem, please submit a help request with the "Contact us" form, attaching the following data: - your network zones - your global rules - your application rules - Comodo Firewall events logs - your client logs Kind regards 1 asianwomenyjf reacted to this Share this post Link to post