Viaica 2 Posted ...

In a previous thread a long time ago I ended up using the basic Windows Firewall to only allow internet access to the VPN and block everything else. The problem with this approach was that Windows will detect attempts to restrict it and will disable or create new firewall rules to circumvent any user-made restrictions. The solution I have found for this is Windows Firewall Control by Binisoft/Malwarebytes, which is like an advanced frontend to Windows Firewall. Don't try this if you don't know what you are doing.

The end result is a Windows which can only connect online by a VPN. (Of course you can make exception rules or disable the whole firewall if needed :)) The main purpose of this is securing Windows with a tinfoil hat attitude and preventing leaks. I also recommend using a router to only allow access to whitelisted VPN IPs for your workstations.

The use case scenario here is that your home network is your own trusted local network and not a public Wi-Fi or similar, as setting your network to the Private profile makes the PC discoverable. This could be countered with settings like disabling sharing etc. and firewall rules if needed, but it's not for this guide. The logic is to constrict access to the Home/Private location so that only Eddie is allowed to connect to the outer internet through the Private network.

Basic network and firewall settings

So I've set my Home network as a Private network profile and Eddie as a Public network profile, a really important step. The easiest way to see them both is the Network and Sharing Center in the Control Panel. The Home network's profile can be changed in Windows 11 Settings -> Network & internet -> Properties.
Both of them can be changed with Group Policy: gpedit.msc -> Computer Configuration -> Windows Settings -> Security Settings -> Network List Manager Policies -> Eddie / Network -> Properties -> Network Location. There is also an option there for "User cannot change location" which I have set for both networks, just in case, after setting the correct locations.

In Windows Defender Firewall with Advanced Security -> Windows Defender Firewall Properties I've blocked Inbound and Outbound connections that do not match a firewall rule for both the Private and Public profiles (and Domain, but I don't use it). Also an important step.

Windows Firewall Control

Now to Windows Firewall Control. When first installing it, I believe it will offer to make a backup of your firewall rules, which is recommended; it will then create its own set of firewall rules which are needed for basic internet, and these can be used to replace Windows' default rules.

In WFC settings, under Rules, I have UNCHECKED "Private" so that new firewall rules are not applied for the Private location. (You can also uncheck Domain if needed or not used.) If you already made new rules with WFC before unchecking this, you can either delete them or uncheck the Private location from them rule by rule.

In WFC settings, under Security, I have checked "Secure Profile", which protects the firewall from external tampering (even by Windows itself, I believe), and checked "Secure Rules" so that unauthorized rules are Deleted (even rules made by Windows). In the authorized groups I have made a "MyRules" group, but it's not mandatory per se as you can also set your own rules in the already authorized "Windows Firewall Control" group. BUT BE WARNED, after this all of your old firewall rules will be deleted. So if you have really important rules, go and change their group to an authorized one like "MyRules". For regular application rules this is not recommended as new secure rules will be created.
Also, if you have old firewall Allow rules you want to preserve, it's a good idea to uncheck the Private location from them if they are not needed in the LAN. I also have "Secure Boot" enabled and will change the profile to Medium Filtering from the tray icon on boot after Eddie has launched with network lock on. It's just a safety measure.

Eddie

The next step is to make rules for Eddie. You can either have one rule for "eddie-ui.exe" in which you allow it for Private and Public without any IP restrictions. Or, to be more secure, you can make two rules: one for Private where you limit the connection only to the AirVPN bootstrap IPs (you can find the IPs in the firewall log). You can also set your local IP address, protocols, ports and interface to have more restrictions. Then make a duplicate rule for eddie-ui.exe with location Public. I have not made any IP restrictions for this as it's only for Public connections.

"eddie-cli-elevated.exe" needs a similar rule; it's the process that connects to the VPN servers, so you can limit it to apply only to the remote IPs of the servers you use if you want. But the location must be set to Private; there is no need for a Public rule.

Notes and important fine tuning

These were the basic steps. The way I did it was I removed all the old and default firewall rules (but had made a backup!) and only kept the ones WFC creates at the start. Then I made all new rules for my applications with WFC on Medium Filtering and notifications on. All new rules will be created only for Public (and Domain if checked) locations, as per settings, so programs won't "leak" to your Private network.

Also one important thing is that the default rules which WFC creates are too permissive in this case, as they allow Windows components etc. in the Private location, so Windows can still phone home. So go through the rules and uncheck Private for all that you dare.
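The "go through the rules" step above is easy to get wrong by hand, so here is an added audit script (not part of the original post, not WFC's or AirVPN's code) that does the same check from an elevated PowerShell: first it confirms every profile blocks traffic that matches no rule, then it lists every enabled Allow rule that still applies to the Private profile together with its program and remote address, and flags the ones that reach beyond LocalSubnet. The group names 'MyRules' and 'Windows Firewall Control' are assumed to be the groups authorized in WFC; adjust them to your own.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell.
# ASSUMPTION: these are the groups you authorized in WFC; change to your own names.
$authorisedGroups = @('MyRules', 'Windows Firewall Control')

# Step 1: default actions per profile (expected after the setup above: Block / Block everywhere)
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
    Format-Table -AutoSize

# Step 2: enabled Allow rules that apply to Private (profile 'Any' includes Private too)
$privateAllow = Get-NetFirewallRule -Enabled True -Action Allow |
    Where-Object { "$($_.Profile)" -match 'Any|Private' }

$report = foreach ($rule in $privateAllow) {
    $app    = $rule | Get-NetFirewallApplicationFilter
    $addr   = $rule | Get-NetFirewallAddressFilter
    $remote = ($addr.RemoteAddress -join ',')
    [pscustomobject]@{
        Name          = $rule.DisplayName
        Direction     = $rule.Direction
        Profile       = $rule.Profile
        Program       = $app.Program
        RemoteAddress = $remote
        Authorised    = ($authorisedGroups -contains $rule.Group)
        # The rules the post keeps on Private are exactly the LocalSubnet-only ones
        LanOnly       = ($remote -eq 'LocalSubnet')
    }
}

# Everything that is not LAN-only is a candidate for "uncheck Private"
$report | Where-Object { -not $_.LanOnly } |
    Sort-Object Authorised, Name |
    Format-Table -AutoSize

# To drop Private from one such rule while keeping Public, for example:
# Set-NetFirewallRule -DisplayName 'Some rule' -Profile Public
```

Rules that show up with Authorised = False are the ones WFC's "Secure Rules" would delete or disable anyway; the interesting rows are authorized rules that are still allowed on Private with a RemoteAddress of "Any" or an internet range, since those are the paths left for software to phone home outside the tunnel.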
I have left only a few WFC rules with access to Private, and those are the ones that have "LocalSubnet" as their Remote address; they are not allowed in Public. The rules are for File and Printer Sharing and Network Discovery.

(Picture: the only WFC rules I have allowed to access Private.)

For the rest of the WFC rules Private has been unchecked.

Extra settings

Of course some applications have to be allowed in Private as you might have LAN or similar needs. You can always create separate rules in which you allow access for a program only to Private and limit it to Local / Remote IPs. For example, a separate rule for "firefox.exe" in location Private but with only "192.168.1.1" as its Remote address, to access your router's admin panel. Or to allow ping on the LAN: inbound and outbound rules for "System" in Private but only on addresses "192.168.1.0/255.255.255.0" and protocol ICMPv4. (You can duplicate the existing WFC ping rules and make the changes.)

Sometimes you might need an external application to create firewall rules (like with some privacy tools). You can then temporarily set Secure Rules to "Disable unauthorized rules". Then create the rules in the external program, find the new disabled rules in WFC, set them in an authorized group, enable them and restore Secure Rules as it was. Just be careful not to create unneeded allow rules in Private this way.

In WFC Notifications settings you can block notifications for certain programs which will repeatedly prompt you as the rules block them. For example eddie-ui.exe might prompt you every time you re/disconnect as it fails to connect online for a while, so the exe can be added to the Notifications exceptions list after you have made all the necessary rules for it.

As a safety measure when updating WFC, disconnect the internet before running the setup.

DNS

One last thing you might want to do is set your physical network adapter's DNS server to be the static IP of AirVPN's internal DNS, 10.128.0.1.
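The Eddie rules from the "Eddie" section and the LAN exceptions from "Extra settings" can be created directly from an elevated PowerShell instead of clicking through WFC, which makes it easier to see exactly what each rule permits. The block below is an added example (not part of the original post, not Eddie's or WFC's own code) and creates the rules in the 'MyRules' group so WFC's "Secure Rules" keeps them. Every address and path in it is a placeholder: the Eddie install path, the bootstrap addresses (198.51.100.10/.11, which you replace with the ones from your firewall log), the VPN server range 203.0.113.0/24, and the router at 192.168.1.1 on 192.168.1.0/24 are all assumptions.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell.
# ASSUMPTIONS (placeholders to adjust for your machine):
#   - Eddie install path C:\Program Files\AirVPN\
#   - 198.51.100.10 / .11 stand in for the AirVPN bootstrap IPs (take yours from the firewall log)
#   - 203.0.113.0/24 stands in for the addresses of the VPN servers you actually use
#   - router at 192.168.1.1 on LAN 192.168.1.0/24
$group      = 'MyRules'                                    # group authorized in WFC
$eddieUi    = 'C:\Program Files\AirVPN\eddie-ui.exe'
$eddieElev  = 'C:\Program Files\AirVPN\eddie-cli-elevated.exe'
$bootstrap  = @('198.51.100.10', '198.51.100.11')
$vpnServers = '203.0.113.0/24'
$lan        = '192.168.1.0/24'
$router     = '192.168.1.1'

# eddie-ui.exe on the Private profile: only the bootstrap addresses
New-NetFirewallRule -DisplayName 'Eddie UI (Private, bootstrap only)' -Group $group `
    -Program $eddieUi -Direction Outbound -Profile Private `
    -RemoteAddress $bootstrap -Action Allow

# eddie-ui.exe on the Public profile (the tunnel adapter): no address restriction
New-NetFirewallRule -DisplayName 'Eddie UI (Public)' -Group $group `
    -Program $eddieUi -Direction Outbound -Profile Public -Action Allow

# eddie-cli-elevated.exe builds the tunnel itself, so it needs Private only,
# limited to the servers you use
New-NetFirewallRule -DisplayName 'Eddie elevated (Private, VPN servers only)' -Group $group `
    -Program $eddieElev -Direction Outbound -Profile Private `
    -RemoteAddress $vpnServers -Action Allow

# LAN exception: Firefox may reach the router admin panel on Private, nothing else
New-NetFirewallRule -DisplayName 'Firefox to router (Private)' -Group $group `
    -Program 'C:\Program Files\Mozilla Firefox\firefox.exe' -Direction Outbound `
    -Profile Private -RemoteAddress $router -Action Allow

# LAN exception: ICMPv4 (ping) for the System process, both directions, LAN range only
foreach ($dir in 'Inbound', 'Outbound') {
    New-NetFirewallRule -DisplayName "Ping LAN ($dir, Private)" -Group $group `
        -Program System -Direction $dir -Profile Private -Protocol ICMPv4 `
        -RemoteAddress $lan -Action Allow
}

# Show what was created
Get-NetFirewallRule -Group $group | Select-Object DisplayName, Direction, Profile, Action
```

Because the Private rules carry explicit remote addresses, a misconfigured or compromised Eddie process cannot use the LAN profile to reach arbitrary internet hosts; the unrestricted rule exists only on the Public profile, which is the tunnel adapter.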
Doing this will make DNS requests fail when not connected to AirVPN, even when the firewall is disabled, which in this use case is a good thing. It will also prevent your ISP DNS from potentially showing up. The IP must be set when Eddie is not connected, and it is for the physical adapter, not the Eddie adapter. Windows 11 Settings -> Network & internet -> Ethernet (or Wi-Fi) -> Properties, or Control Panel\Network and Internet\Network Connections\Ethernet (or Wi-Fi) -> Properties -> Internet Protocol Version 4 -> Properties. For IPv6 the similar address is fd7d:76ee:e68f:a993::1.
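The DNS pinning above can be applied and, more importantly, checked from PowerShell. The block below is an added example (not part of the original post) that sets the two AirVPN internal resolvers from the post on the physical adapter and then walks every adapter looking for any other DNS server, which is the leak the post wants to rule out. The adapter alias "Ethernet" is an assumption; use whatever Get-NetAdapter shows for your physical NIC, and run it while Eddie is disconnected.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell with Eddie disconnected.
# ASSUMPTION: 'Ethernet' is your physical adapter's alias (check with Get-NetAdapter).
$adapter = 'Ethernet'
# AirVPN internal DNS addresses as given in the post (IPv4 and IPv6)
$airDns  = @('10.128.0.1', 'fd7d:76ee:e68f:a993::1')

Set-DnsClientServerAddress -InterfaceAlias $adapter -ServerAddresses $airDns

# Leak check: any configured server that is not one of the AirVPN resolvers,
# on any adapter, is a finding (an ISP-assigned server would show up here)
$findings = Get-DnsClientServerAddress |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        foreach ($server in $_.ServerAddresses) {
            if ($airDns -notcontains $server) {
                [pscustomobject]@{
                    Interface = $_.InterfaceAlias
                    Family    = $_.AddressFamily
                    Server    = $server
                }
            }
        }
    }

if ($findings) {
    'Non-AirVPN DNS servers found:'
    $findings | Format-Table -AutoSize
} else {
    'Only AirVPN DNS servers are configured.'
}

# Behavioural check: with the tunnel down, 10.128.0.1 is unreachable, so resolution must fail
try {
    Resolve-DnsName -Name 'example.com' -Server '10.128.0.1' -ErrorAction Stop | Out-Null
    'Lookup succeeded: the tunnel is up (or something else is answering for 10.128.0.1).'
} catch {
    'Lookup failed while disconnected, which is the intended behaviour.'
}
```

The second half is the part worth keeping around: rerun it after a Windows update or after reconnecting to a new network, since DHCP can silently hand the adapter an ISP resolver again and the firewall rules alone will not tell you that happened.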
OpenSourcerer 1435 Posted ...

This Windows Firewall Control for Windows feels akin to ufw for Linux – except that it's closed source. A small heads-up seems appropriate to point it out to potential users. A little bit more editing to give this a more guiding character will do wonders for readability. And once a few successful testers make themselves known, this can mature to another worthy guide. Thank you for your work and time.
Viaica 2 Posted ...

Made some fixes and additions, added headlines and a bit about DNS. And added a picture of the WFC Private rules.