How-to Block non-VPN internet on Windows with Windows Firewall Control

[Viaica 2]

In one previous thread long time ago I ended up using basic Windows Firewall to only allow internet access to VPN and block everything else. The problem with this approach was that Windows will detect attempts to restrict it and will disable or create new firewall rules to circumvent any user made restrictions. Solution to this I have found to be Windows Firewall Control by Binisoft/MalwareBytes which is like an advanced frontend to Windows Firewall.

Don't try this if you don't know what you are doing. The end result is a Windows which can only connect online by a VPN. (Of course you can make exception rules or disable the whole firewall if needed :)) The main purpose of this is securing Windows with a tinfoil hat attitude and preventing leaks. I also recommend using a router to only allow access to whitelisted VPN IPs for your workstations.
Use case scenario here is that your Home network is your own trusted local network and not a public Wifi or similar, as setting your network to Private profile makes the PC discoverable. Although this might be countered with settings, like disabling sharing etc, and firewall rules if needed but it's not for this guide. (I think countering this could be as easy as changing WFC Private Inbound rules from Allow to Block)

The logic is to constrict access to Home/Private location so that only Eddie is allowed to connect to outer internet through Private network.

Basic network and firewall settings
So I've set my Home network as a Private network profile and Eddie as a Public network profile, really important step. Easiest way to see them both is Network and Sharing Center in Control Panel. Home network's profile can be changed in Windows 11 Settings -> Network & internet -> Properties. Both of them can be changed with Group policy

gpedit.msc -> Computer Configuration -> Windows Settings -> Security Setting -> Network List Manager Policies -> Eddie / Network -> Properties -> Network Location

There is also an option there for "User cannot change location" which I have set for both networks just in case after setting the correct locations.

Other ways to change the network location are with PowerShell, Registry Editor or Local Security Policy
https://www.elevenforum.com/t/change-network-location-to-private-public-or-domain-in-windows-11.955/


In Windows Defender Firewall with Advanced Security -> Windows Defender Firewall Properties I've blocked Inbound and Outbound connections that do not match a firewall rule for both Private and Public Profiles (and Domain but I don't use it). Also an important step.
A less strict version would Allow Outbound in Public Profile as is the default. You would then not need separate outbound rules for each program for Public network, and the most crucial thing would still remain which is limiting the access to Private. I don't use this myself so I cannot guarantee anything, I like restricting applications' access to the internet 🤭





Windows Firewall Control
Now to Windows Firewall Control. When first installing it, I believe it will offer to make a backup of your firewall rules which is recommended, it will then create it's own set of firewall rules which are needed for basic internet and these can be used to replace Windows' default rules.

In WFC settings Rules I have UNCHECKED "Private" so that new firewall rules are not applied for the Private location. (You can also uncheck Domain if needed or not used). If you already made new rules with WFC before unchecking this you can either delete them or uncheck Private location from them rule by rule.

In WFC settings Security I have checked "Secure Profile", which protects the firewall from external tampering (by even Windows itself I believe). And checked "Secure Rules" so that unauthorized rules are Deleted (even rules made by Windows). In the authorized group I have made "MyRules" group but it's not mandatory per se as you can also set your own rules in the already authorized "Windows Firewall Control" group. BUT BE WARNED, after this all of your old firewall rules will be deleted. So if you have really important rules go and change their group to an authorized one like "MyRules". For regular application rules this is not recommended as new secure rules will be created. Also if you have old firewall Allow rules you want to preserve it's good idea to uncheck Private location from them if they are not needed in LAN.
I also have "Secure Boot" enabled and will change the profile to Medium Filtering from the tray icon on boot after Eddie has launched with network lock on. It's just a safety measure.



Eddie
Next step is to make rules for Eddie. You can either have one rule for "eddie-ui.exe" in which you allow it for Private and Public without any IP restrictions. Or to be more secure you can make two rules, one for Private where you limit the connection only for the Airvpn Bootstrap IP's (you can find the IPs in the firewall log). You can also set your local IP address, protocols, ports, interface to have more restrictions.
Then make a duplicate rule for eddie-ui.exe with location Public. I have not made any IP restrictions for this as it's only for Public connections.

"eddie-cli-elevated.exe" needs a similar rule, it's the process that connects to the VPN servers so you can limit it to apply only for the remote IPs of the servers you use if you want. But the location must be set to Private, there is no need for a Public rule.
(If you sometimes have to use like a public wifi so that both of the networks, Wifi and Eddie, are Public profiles, you could make a duplicate of this rule and set the location to Public to not block Eddie from making connections. Of course all the leakproofing made by these firewall rules are moot in a situation like that and it's all on Eddie's Network lock then. But once you are back on your Home network the rules would still work).



Notes and important fine tuning
These were the basic steps, the way I did it was I removed all the old and default firewall rules (but had made a backup!) and only kept the ones WFC creates at the start. Then made all new rules for my applications with WFC on Medium filtering and notifications on. All new rules will be created only for Public (and Domain if checked) locations, as per settings, so programs wont "leak" to your Private network.

One important modification that needs to be done is for the default rules which WFC creates as they are too permissive in this case. They allow Windows components etc. in Private location, so Windows can still phone home. So go through the rules and uncheck Private for all that you dare.
I have only left few WFC rules the access to Private and those are the ones that have "LocalSubnet" as their Remote address, and they are not allowed in Public. The rules are for File and Printer sharing and Network Discovery, picture related. And if you did preserve or import any of your old Allow rules I advise going through them the same way.

The only WFC rules I have allowed to access Private. For the rest of the WFC rules Private has has been unchecked.

DHCP
If you have not set a manual static IP for your home network, DHCP is then needed in Private to have basic connectivity. WFC has it's own rule "WFC - Core Networking - Dynamic Host Configuration Protocol (DHCP-Out)" which can be edited, or a new rule can be created from the WFC log of Blocked connections. The rule is not needed when a static IP is in place which I always prefer.


Extra settings
Of course some applications have to be allowed in Private as you might have LAN or similar needs. You can always create separate rules in which you allow access for a program only to Private and limit it to Local / Remote IPs. For example a separate rule for "firefox.exe" in location Private but only "192.168.1.1" as it's Remote address and "80,443" as Remote ports to access your router's admin panel.
Or to allow ping on LAN: inbound and outbound rules for "System" in Private but only on addresses "192.168.1.0/255.255.255.0" and protocol as ICMPv4. (You can duplicate the existing WFC ping rules and make the changes).

Sometimes you might need an external application to create firewall rules (like with some privacy tools). You can then temporarily set the Secure Rules to "Disable unauthorized rules". Then create the rules in the external program, find the new disabled rules in WFC, set them in an authorized group, enable them and restore the Secure Rules as it was. Just be careful not to create unneeded allow rules in Private this way.

In WFC Notifications settings you can block notifications for the certain programs which will repeatedly prompt you as the rules block them. For example eddie-ui.exe might prompt you every time you re/disconnect as it fails to connect online for awhile, so the exe can be added to the "Notifications exceptions list" after you have made all the necessary rules for it.
But before adding anything to Notification exclusion list check in the notification prompt that the path of the exe has not changed, because for some programs the version number of the application is included in it's installation path, so they will require a new rule each time the version changes. There is no way to make a wildcard for paths in rules and you don't want to accidentally end up blocking things you didn't mean to. For example every time I use Windows Store, which I never really do, WFC will prompt for a new rule because the path is different than last time eg. "C:\program files\windowsapps\microsoft.windowsstore_22410.1401.2.0_x64__8wekyb3d8bbwe\winstore.app.exe"
The exceptions can be for the full path or only for the name of the process.

You can also disable the notifications for Windows Firewall so they wont bother you, as WFC has it's own notifications. qBittorrent causes these firewall prompts for me sometimes even when I've set it only use the Eddie interface.
First you have to temporarily disable Secure Profile in WFC's Security settings. Then head to either Windows Settings or Control Panel to disable the notifications. After that enable Secure Profile once again in WFC.

Windows Settings > Firewall & network protection > Firewall notification settings > Manage notifications > Notify me when Microsoft Defender Firewall blocks a new app > Off
Control Panel\All Control Panel Items\Windows Defender Firewall > Change notification settings -> "Notify me when Microsoft Defender Firewall blocks a new app" Uncheck for all profiles

As a safety measure when updating WFC, disconnect internet before running the setup.

DNS

One last thing you might want to do is setting your physical network adapter's DNS server to be the static IP of AirVPNs internal DNS 10.128.0.1. Doing this will make DNS requests fail when not connected to AirVPN even when the firewall is disabled, which in this user case is a good thing. It will also prevent your ISP DNS from potentially showing up.
The IP must be set when Eddie is not connected and it is for the physical adapter not for the adapter Eddie.
Windows 11 Settings -> Network & internet -> Ethernet (or wifi) -> Properties
or Control Panel\Network and Internet\Network Connections\Ethernet (or Wifi) -> Properties -> Internet Protocol Version 4 > Properties
For IPv6 the similar address is fd7d:76ee:e68f:a993::1

Circumventing the restrictions
Sometimes you might have to use your real non-VPN IP on the same machine, but it would be unwise to disable the firewall or to make any unsafe changes. Circumventing the restrictions can be achieved with a virtual machine instead.
Virtualbox by default will use NAT-mode for the virtual machine's network adapter in which the VM will use the same connection as the host, but changing this to Bridged Adapter mode for the VM makes the VM use the physical network adapter of the PC and get it's own LAN IP from the router.
As simple as that, no need for any advanced firewall rules, everything you do in the VM will use your real IP when attached to Bridged Adapter. I usually prefer some light basic Linux distro like Xubuntu for stuff like this.

If you instead need to use your real IP on the Windows host machine itself without allowing Windows system to use the IP, one way it can be done is by ssh LAN proxy. (But this is also riskier approach as it may leave traces of your real IP on Windows compared to keeping everything inside a VM).
Let's say the LAN IP for the Bridged Adapter mode VM is 192.168.1.10. First install openssh if needed on the VM, then run on the Linux terminal (it can be any open port, I just typed something):

ssh -N -D 192.168.1.10:3473 localhost 

Now there is a SOCKS5 proxy running on LAN.
You could then for example have a completely separate browser (in a permanent private browsing mode) on the Windows host machine and have it use SOCKS5 proxy on 192.168.1.10:3473 in it's settings, the browser would then use your real naked IP from the VM for everything.
Or use an add-on like FoxyProxy for Firefox which lets you make site-based rules for proxies. So you could have a rule for "BankingSiteWhichBlocksVPNs.com" to use the proxy for only that specific website.
In these cases there would have to be a firewall rule in WFC because the browser is now accessing Private network. It would be an outbound rule for firefox.exe in location Private with 192.168.1.10 as the remote address and 3473 as the remote port.

 

[OpenSourcerer 1442]

This Windows Firewall Control for Windows feels akin to ufw for Linux – except that it's closed source. A small heads-up seems appropriate to point it out to potential users.
A little bit more editing to give this a more guiding character will do wonders for readability. And once a few successful testers make themselves known, this can mature to another worthy guide. Thank you for your work and time.

[Viaica 2]

Made some fixes and additions, added headlines and a bit about DNS.
And added a picture of the WFC Private rules.

[drum 6]

Great introduction/tutorial for WFC, I've been using it paired with Eddie since the times it was shareware.
 

[Viaica 2]

Hopefully my last edit. Added about DHCP needing it's own allow rule if used, it didn't occur to me before as I'm too used to static IPs 😁

Lastly an edit on how to circumvent these restrictions if needed with a couple of ways using a virtual machine.

Edited ... by Viaica