Daniel2025

Permanent Kill Switch for Eddie Client


Hello,

I am using Windows 10 Pro, and the Eddie client works well on my system. However, I’ve noticed that the kill switch (network lock) is only active when Eddie is running. I have already configured Eddie to start automatically with Windows, but there is still a brief moment during startup when my computer is online with its real IP address. This is a problem for me.

I want to ensure that my computer never goes online with its real IP. Additionally, when I restart or reboot my computer, I have to manually close Eddie, and during this process, my real IP is exposed again.

Is there a way to fix this issue? For example, Mullvad has a lockdown mode that prevents the computer from accessing the internet without an active VPN connection. However, I would prefer to stay with AirVPN because of its many other advantages.

It is very important to me that my computer never connects to the internet without the VPN. Is there a way to achieve this with Eddie? Or would it be possible for you to add a feature to Eddie that ensures a permanent network lock, even before the client starts?

Best regards,


I'm using the free WFC with Secure Boot enabled to achieve what you asked.
Secure Boot: Automatically set High Filtering profile at system shut down. At Windows start-up, all network connections will be blocked until the user manually changes the profile.
At system start-up all traffic is blocked, AirVPN also starts automatically, it enables Network Lock per configuration but can't connect until I manually change the WFC profile to, in my case, Medium Filtering.

Take a look at Viaica's review of this app.


OK, thanks, but this only resolves the issue during startup or after a restart. However, before shutting down Windows, I need to manually close Eddie. This also disables the Network Lock, causing my computer to briefly connect to the internet with its real IP and without a VPN for a few seconds or minutes.

1 hour ago, Daniel2025 said:

OK, thanks, but this only resolves the issue during startup or after a restart. However, before shutting down Windows, I need to manually close Eddie. This also disables the Network Lock, causing my computer to briefly connect to the internet with its real IP and without a VPN for a few seconds or minutes. 


Hello!

You need to set permanent Windows Filtering Platform rules that block outgoing traffic, except traffic to the local network and for DHCP purposes. In this way when Network Lock disengages the block "all traffic" rules are restored. When Network Lock is engaged the new rules enforced by Eddie will allow Internet communications to the VPN servers only.

Kind regards

2 hours ago, Daniel2025 said:

OK, thanks, but this only resolves the issue during startup or after a restart. However, before shutting down Windows, I need to manually close Eddie. This also disables the Network Lock, causing my computer to briefly connect to the internet with its real IP and without a VPN for a few seconds or minutes.

That's easy! Set WFC to the "High Filtering" profile before manually closing Eddie.


set permanent Windows Filtering Platform rules that block outgoing traffic, except traffic to the local network and for DHCP purposes.

But now of course no connection to AirVPN is possible. How to deal with this?

16 hours ago, rkp said:

set permanent Windows Filtering Platform rules that block outgoing traffic, except traffic to the local network and for DHCP purposes.

But now of course no connection to AirVPN is possible. How to deal with this?


Hello!

Already explained in the previous post: enable Network Lock to allow connections to AirVPN infrastructure.

Kind regards

On 4/4/2025 at 7:18 PM, drum said:

I'm using the free WFC with Secure Boot enabled to achieve what you asked.
Secure Boot: Automatically set High Filtering profile at system shut down. At Windows start-up, all network connections will be blocked until the user manually changes the profile.
At system start-up all traffic is blocked, AirVPN also starts automatically, it enables Network Lock per configuration but can't connect until i manually change WFC profile to, in my case, Medium Filtering.

Take a look at Viaica's review of this app.


There lies a "danger" in only using Secure Boot without creating the types of rules I explain in the thread. Secure Boot is set on shutdown, so if the PC crashes for example, the next boot will be with your regular filtering profile. But that doesn't matter if the firewall rules are set to block all but AirVPN IPs. 

On 4/6/2025 at 8:29 PM, Staff said:

You need to set permanent Windows Filtering Platform rules that block outgoing traffic, except traffic to the local network and for DHCP purposes.

I am also interested in this, but I didn't get it working. Could you please provide more details on how to set it up? A few snippets for PowerShell would be very helpful. Allowing DHCP traffic out seems to be a default rule in Windows 10.

On 6/11/2025 at 8:31 PM, av942253 said:
On 4/6/2025 at 8:29 PM, Staff said:

You need to set permanent Windows Filtering Platform rules that block outgoing traffic, except traffic to the local network and for DHCP purposes.

I am also interested in this, but I didn't get it working. Could you please provide more details on how to set it up? A few snippets for the Powershell would be very helpful. Allowing DHCP traffic out, seems to be an default rule with Windows 10.

Hello!

Something like this will do the trick, starting from a clean status and Windows Firewall enabled. Make sure you operate from a Powershell with administrator privileges. The rules will survive at reboot. You must adjust your local network address/netmask (change 192.168.0.0/16 and fe80::/10 if necessary). Do not proceed if you don't understand exactly every single command; instead, get documented first.

REM Deny by default through the profile policy. Do not use an explicit "block all" rule for this:
REM Windows Firewall evaluates explicit block rules before allow rules, so such a rule would also
REM defeat the DHCP/LAN exceptions below and any allow rules added later.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
REM DHCP client (UDP 68 to 67 for IPv4, 546 to 547 for IPv6)
netsh advfirewall firewall add rule name="Allow DHCPv4" protocol=UDP dir=out localport=67,68 action=allow
netsh advfirewall firewall add rule name="Allow DHCPv6" protocol=UDP dir=out localport=546,547 action=allow
REM Local network, TCP only: UDP 53 to the router stays blocked, so the ISP resolver is never used
netsh advfirewall firewall add rule name="Allow Local IPv4 Network" protocol=TCP dir=out remoteip=192.168.0.0/16 action=allow
netsh advfirewall firewall add rule name="Allow Local IPv6 Network" protocol=TCP dir=out remoteip=fe80::/10 action=allow
netsh advfirewall firewall add rule name="Allow Localhost Outbound" dir=out action=allow remoteip=127.0.0.1

You may also consider backing up the rules and enabling them only when needed, instead of keeping them permanent. Check your system manual to do this.

Kind regards


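As an added example (this is not Eddie's or AirVPN's code), here is the same permanent deny-by-default baseline in PowerShell, with the rules placed in a group so they can be removed in one go, a policy backup taken before anything changes, and a check you can run with Eddie closed. Note that Windows Defender Firewall applies explicit block rules ahead of allow rules, so deny-by-default has to come from the profile's default outbound action and never from a "block all" rule, otherwise the DHCP and LAN exceptions (and anything Network Lock adds at the Windows Firewall level) are defeated too. The group name, backup path and LAN ranges are assumptions; adjust them to your network.

```powershell
# Added example (not Eddie's or AirVPN's code): the permanent deny-by-default
# outbound baseline described above, as functions you can install, verify and
# roll back. Group name, backup path and LAN ranges are assumptions.
#Requires -RunAsAdministrator

$Group  = 'VPN Baseline'                               # assumed name; lets Remove-* clean up
$LanV4  = '192.168.0.0/16'                             # adjust to your LAN
$LanV6  = 'fe80::/10'
$Backup = "$env:ProgramData\firewall-before-baseline.wfw"

function Install-VpnBaseline {
    if (Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue) {
        throw "Rules in group '$Group' already exist; run Remove-VpnBaseline first."
    }
    # Restore point for the whole policy (rules and profile defaults).
    netsh advfirewall export $Backup | Out-Null

    # Deny by default on every profile. Do NOT add an explicit "block all" rule
    # for this: Windows Firewall applies explicit block rules before allow rules,
    # so such a rule would also kill the DHCP/LAN exceptions below and any allow
    # rules Network Lock adds at the Windows Firewall level.
    Set-NetFirewallProfile -All -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Block

    # DHCP: client port 68 -> server 67 (v4); 546 -> 547 (v6).
    New-NetFirewallRule -Group $Group -DisplayName 'Baseline - Out - DHCPv4' `
        -Direction Outbound -Protocol UDP -LocalPort 68 -RemotePort 67 -Action Allow | Out-Null
    New-NetFirewallRule -Group $Group -DisplayName 'Baseline - Out - DHCPv6' `
        -Direction Outbound -Protocol UDP -LocalPort 546 -RemotePort 547 -Action Allow | Out-Null

    # LAN, TCP only (as in the netsh rules): UDP 53 to the home router stays
    # blocked, so the ISP resolver is unreachable whenever Eddie is not running.
    New-NetFirewallRule -Group $Group -DisplayName 'Baseline - Out - LAN IPv4' `
        -Direction Outbound -Protocol TCP -RemoteAddress $LanV4 -Action Allow | Out-Null
    New-NetFirewallRule -Group $Group -DisplayName 'Baseline - Out - LAN IPv6' `
        -Direction Outbound -Protocol TCP -RemoteAddress $LanV6 -Action Allow | Out-Null
}

function Remove-VpnBaseline {
    # Drop the group and put back the exported policy (profile defaults included).
    Remove-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue
    if (Test-Path $Backup) { netsh advfirewall import $Backup | Out-Null }
}

function Test-VpnBaseline {
    # With Eddie closed, expect: every profile enabled with default outbound
    # action Block, and TCP probes to a public address on 443 and 53 both fail.
    # Repeat with Eddie + Network Lock up: the probes should then succeed only
    # through the tunnel.
    $profiles = Get-NetFirewallProfile -All
    $wan = Test-NetConnection -ComputerName 1.1.1.1 -Port 443 -WarningAction SilentlyContinue
    $dns = Test-NetConnection -ComputerName 1.1.1.1 -Port 53  -WarningAction SilentlyContinue
    [pscustomobject]@{
        AllProfilesEnabled   = ($profiles.Enabled -notcontains 'False')
        OutboundDefaultBlock = ($profiles.DefaultOutboundAction -notcontains 'Allow')
        WanTcp443Reachable   = $wan.TcpTestSucceeded
        WanTcp53Reachable    = $dns.TcpTestSucceeded
    }
}
```

Run Install-VpnBaseline once from an elevated PowerShell, then Test-VpnBaseline with Eddie closed: the two Reachable fields should be False. If Eddie's Network Lock entries do not show up in Get-NetFirewallRule or in netsh advfirewall firewall show rule name=all, look at the WFP layer instead: netsh wfp show filters writes a filters.xml in the current directory listing every WFP filter, including any that a client installs directly through WFP rather than as Windows Firewall rules.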
10 hours ago, Staff said:

netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
netsh advfirewall firewall add rule name="Allow DHCPv4" protocol=UDP dir=out localport=67,68 action=allow
netsh advfirewall firewall add rule name="Allow DHCPv6" protocol=UDP dir=out localport=546,547 action=allow
netsh advfirewall firewall add rule name="Allow Local IPv4 Network" protocol=TCP dir=out remoteip=192.168.0.0/16 action=allow
netsh advfirewall firewall add rule name="Allow Local IPv6 Network" protocol=TCP dir=out remoteip=fe80::/10 action=allow

Thanks. I was already pretty close to that. Still it doesn't work. Network Lock from Eddie is on. It can't make the handshake connection to the peer. Eddie Network Lock doesn't seem to add any rules to

netsh.exe advfirewall firewall show rule name=all

Looking a bit into the Eddie source code for Windows, there should be plenty of entries made by Network Lock. They should start with NetLock (e.g. "NetLock - In - Block All") or Eddie (e.g. "Eddie - Out - Program Eddie"). But of course I only have a limited understanding of the source code.

I guess it is missing a rule that allows Eddie either to connect to the IP of the server or the port of the protocol, or allows all connections for Eddie. Could you please check again what is missing and why the rules set by Eddie don't show up? I already tried it on two machines with no luck, and one was a fresh install.



Hello,

I’d like to suggest a feature for the Eddie client: a true permanent network lock (kill switch) on Windows that ensures the system can never come online with its real IP, not even briefly during boot, crashes, or if the Eddie client is closed manually.

I’m the original poster of this thread, and I’ve spent quite a bit of time researching this topic. I now understand the reasoning behind Eddie’s current behavior: the firewall rules only apply while the client is running, to avoid locking users out or breaking system connectivity. That makes sense — but it still leaves a privacy gap that many users would prefer to close permanently.

I’ve looked into solutions like using Windows Filtering Platform (WFP) rules or manual firewall configurations, but I wasn't able to create a setup that’s both secure and reliable. I'm not a beginner, but I'm also not confident enough to enforce such permanent restrictions without risking accidental lockouts or leaks due to misconfiguration.

Many users – especially those who value privacy – would greatly benefit from a built-in, persistent kill switch, similar to how Mullvad has implemented it in their Windows client. It's extremely effective and survives reboots or unexpected crashes. I’d love to see something similar in AirVPN, which I consider superior in nearly every other regard: server quality, privacy philosophy and transparency.

To show how much I care about this feature, I’m even willing to donate €100 toward its development. I know it's not a large sum, but I believe others would support it too. This kind of functionality would make AirVPN even more attractive to security-conscious users on Windows.

Is there any chance this could be added in a future version of Eddie?
Even an optional advanced setting or a supported script/tool would be a great step forward.

Thank you for your continued excellent work and for your strong commitment to online privacy.

Best regards,


At this point, as an alternative, perhaps it may be worth your while to look at hardware solutions (if you use a cable) like:

amazon.com/Internet-CUT-OFF-Kill-Switch/dp/B00RQVFHZ4/

On 7/12/2025 at 12:01 PM, Daniel2025 said:

the system can never come online with its real IP, not even briefly during boot, crashes


Hello!

Please note that if Eddie crashes no leak occurs because Network Lock is a set of firewall rules.

Kind regards


You're right, but my real IP gets leaked either when the computer boots or when I manually close Eddie. 😟
Is there no way to add a feature to Eddie that can enable a permanent kill switch? 😊

3 hours ago, Daniel2025 said:

You're right, but my real IP gets leaked either when the computer boots or when I manually close Eddie. 😟
Is there no way to add a feature to Eddie that can enable a permanent kill switch? 😊


Hello!

No, by design: it is intentional. If you need a permanent (surviving reboots) set of rules blocking all traffic (so that by running Eddie and enabling Network Lock you can unblock traffic to the AirVPN servers only) then you must enter the rules yourself, according to the firewall you run on your machine.

Kind regards


Could you please write a simple step-by-step manual for configuring the explicit firewall settings in Windows 11? I'm not a computer expert, so I need clear instructions I can follow easily. I previously tried using ChatGPT, but the manual it gave me wasn't accurate.


I currently run a Linux firewall without Eddie and just use the OpenVPN client. Here is what I did to protect against DNS leaks and maintain privacy. I don't use Windows because of privacy concerns, so I don't know how well this translates. Assuming you have a layer 3/4 firewall, you can try this.

The network:
Set the interface to start disabled on boot-up. This is not necessary, but will work if your firewall is not default. Then you can set your firewall before the interface is open. Nothing can leak during boot because the interface did not come up.

In the firewall:

  • Set policy to block on input (inbound), output, and forward (or whatever the Windows equivalent is). This should be the default action in case there are no specific rules to catch particular traffic. Setting this means nothing passes the firewall unless you explicitly allow it.
  • Set all rules with tracking (ct state), such that no inbound traffic is allowed unless it is a response to a request you sent out. The only exception is ICMP and other network diagnostic protocols like traceroute, which in my opinion should be open. ICMPv6 should be selectively open since it also does network setup.
  • Log all blocked traffic.
On the physical interface:
  • Open source and destination port 67/68, UDP, inbound and outbound so your ISP can give you an IP. Configure your client to not accept the DNS it will give you.
  • Open destination UDP port 53 or 853 only for specific IPs, typically a public DNS that advertises no logs. This is your fallback in case the VPN drops or if you connect to the VPN using a domain name. Your ISP will see this traffic, but it will not be destined to your ISP's DNS. It will pass through and go to the server you specify. I am not yet convinced encrypted DNS actually hides your DNS, but I would consult with a network admin.
  • Open destination TCP/UDP port 1194 (or whatever port you are using for the VPN). Do not use port 443 for the VPN as that is the same port used for HTTPS website traffic.
Note: broadly speaking, destination ports 53 and 853 will not be open, blocking DNS leaks. This is permanent.
I used to have to open port 80 for AirVPN IPs to make the initial connection, but I don't see this in my firewall anymore, so it may not be necessary. If you see this in your firewall logs when attempting a VPN connection, apply this rule in the same format as above, but make sure it is limited to only the AirVPN IPs, as this would otherwise allow normal website traffic.

On the tunnel interface:
  • Open source and destination port 67/68, UDP, inbound and outbound so AirVPN can give you an IP. You can use AirVPN DNS, or create a rule to use the public DNS of your choice, like on the physical interface.
  • Open destination port 53 outbound on the 10/8 IP range, or if you have a way to limit it to just the DNS that you get with the VPN, that'll work. (AirVPN will give you an IP starting with 10.)
  • Open destination port NTP outbound on the 10/8 IP range (to keep the time accurate on your devices).
  • Open destination TCP ports 80,443 outbound for website traffic, and 8443 for websockets if you use things like chat/voice on a website app like Discord.
  • Ongoing: open any other ports you may be using, such as Steam IPs. Check your firewall logs any time something doesn't work, and add those ports. Exhibit discernment about whether to open a port, as you may see crap trying to leak out of your network, not just DNS. This is expected and is keeping your stuff private.
  • Speedtest sites like to use port 8080, so open destination port 8080 (ct state new) if you want to test your speed, and on inbound, open source port 8080 (ct state established).

Extra notes:
  • Starting or stopping your VPN will not change any firewall rules.
  • You will not have access to websites unless the VPN is up.
  • This will not work if you're using port 443 for your tunnel. The tunnel port and website port need to be different. In some countries, this may not be possible.
  • For every outbound destination port (ct state new) opened, there should be a corresponding inbound source port (ct state established) opened as well. Traffic is two-way: outgoing request, incoming response.
  • This may not be comprehensive. My firewall has a lot more rules and I may have missed something. View your firewall logs to see what is being blocked, and see whether you need to open it. This should absolve the need for a network lock, and maintain privacy during boot-up and any time Eddie is not running.
  • Check your firewall logs for traffic on port 53 over the WAN interface. These will be DNS leaks you prevented.
A quick note about Windows:
  • Microsoft overrides the hosts file and looks for various Microsoft domains it uses for telemetry gathering; it will ignore these rules. This means the standards governing hosts files are no longer being followed. This is a violation of long-standing networking standards and causes people to reduce trust in the rest of the Windows network setup. Because of this, you should no longer trust that your firewall will not be overridden by Windows and allow DNS traffic through even if you explicitly blocked it.
  • Microsoft has admitted to running a keylogger since Windows 10. I mean ... my god.
  • Linux has come a long way in usability. You no longer have to be a hacker to run it well. I would make an attempt to convert to Linux. It has been 30 years since computers were around. It is no longer acceptable to be computer-illiterate. Old-world literacy means you know how to use a feather quill pen. Modern literacy means you know how to work your way around a computer. Know the tool you use to communicate. Linux is a different paradigm, but it is still just a computer.

It would be great if exact instructions for Windows were pinned somewhere on this site. It will help those concerned and those who don't yet know they should be.
For anyone knowledgeable enough, please feel free to correct any of this if it is incorrect. Share the knowledge! I don't frequent this site. Admins have permission to edit this.

-s

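As an added example (not the poster's rules and not AirVPN's code), here is the same split design on Windows Defender Firewall: outbound rules scoped with -InterfaceAlias so the physical adapter only gets DHCP, DNS to chosen resolvers and the VPN port, while the tunnel adapter carries everything else; drop logging switched on; and a small parser that pulls the blocked port 53/853 attempts out of pfirewall.log, which is the "check your logs for port 53" step above. Adapter aliases, resolver addresses, the VPN port and the log lines are assumptions (the log lines are constructed, not captured). Two Windows-specific differences from the Linux version: Windows Firewall is stateful, so no inbound "established" rules are needed; and the log has no interface column, so the parser treats any destination outside 10.0.0.0/8 as "outside the tunnel".

```powershell
# Added example, not the poster's or AirVPN's code: the Linux design above
# translated to Windows Defender Firewall, with rules scoped per interface.
# Adapter aliases, resolver IPs, the VPN port and the sample log lines are
# assumptions; list your real aliases with Get-NetAdapter. Run elevated.
#Requires -RunAsAdministrator

$Group     = 'VPN Split'                        # assumed rule group, for cleanup
$Physical  = 'Ethernet'                         # physical NIC alias (assumed)
$Tunnel    = 'Eddie'                            # tunnel adapter alias (assumed)
$Resolvers = @('9.9.9.9', '149.112.112.112')    # assumed no-log fallback resolvers
$VpnPort   = 1194                               # assumed; keep it different from 443
$LogFile   = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

function Add-OutRule($Name, $Iface, $Proto, $RemotePort, $RemoteAddr = 'Any') {
    New-NetFirewallRule -Group $Group -DisplayName "Split - Out - $Name" `
        -Direction Outbound -InterfaceAlias $Iface -Protocol $Proto `
        -RemotePort $RemotePort -RemoteAddress $RemoteAddr -Action Allow | Out-Null
}

function Install-SplitRules {
    # Deny by default in both directions and log the drops. Windows Firewall is
    # stateful, so replies to allowed outbound flows come back without the
    # "ct state established" inbound rules the Linux version needs.
    Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block `
        -DefaultOutboundAction Block -LogBlocked True -LogFileName $LogFile

    # Physical interface: just enough to get an address and reach the VPN.
    Add-OutRule 'DHCPv4'       $Physical UDP 67
    Add-OutRule 'DHCPv6'       $Physical UDP 547
    Add-OutRule 'DNS fallback' $Physical UDP 53 $Resolvers   # never the ISP resolver
    Add-OutRule 'VPN UDP'      $Physical UDP $VpnPort       # narrow to AirVPN IPs if you can
    Add-OutRule 'VPN TCP'      $Physical TCP $VpnPort

    # Tunnel interface: normal traffic; DNS and NTP only to the 10/8 VPN side.
    Add-OutRule 'DNS'       $Tunnel UDP 53  '10.0.0.0/8'
    Add-OutRule 'NTP'       $Tunnel UDP 123 '10.0.0.0/8'
    Add-OutRule 'Web'       $Tunnel TCP @(80, 443, 8443)
    Add-OutRule 'Speedtest' $Tunnel TCP 8080
}

function Remove-SplitRules { Remove-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue }

# Constructed pfirewall.log lines (not real captures) in the file's W3C layout:
# date time action protocol src-ip dst-ip src-port dst-port ... path
$SampleLog = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2025-07-24 10:15:02 DROP UDP 192.168.1.23 192.168.1.1 53321 53 60 - - - - - - - SEND
2025-07-24 10:15:02 DROP TCP 192.168.1.23 142.250.74.46 51020 853 52 S 0 0 65535 - - - SEND
2025-07-24 10:15:03 DROP UDP 10.4.0.17 10.4.0.1 40911 53 60 - - - - - - - SEND
2025-07-24 10:15:04 DROP TCP 192.168.1.23 13.107.4.52 51021 443 52 S 0 0 65535 - - - SEND
'@
$SampleLines = $SampleLog -split "`r?`n"

function Find-DnsLeakAttempts([string[]]$Lines = (Get-Content $LogFile)) {
    # The log has no interface column, so "outside the tunnel" is approximated
    # as a destination not in 10.0.0.0/8. Returns one object per blocked DNS try.
    foreach ($l in $Lines) {
        if ($l -match '^\s*#' -or -not $l.Trim()) { continue }
        $f = $l.Trim() -split '\s+'
        if ($f[2] -eq 'DROP' -and $f[-1] -eq 'SEND' -and $f[7] -in '53','853' -and
            $f[5] -notmatch '^10\.') {
            [pscustomobject]@{ Time = "$($f[0]) $($f[1])"; Proto = $f[3]; Dest = $f[5]; Port = $f[7] }
        }
    }
}

# Usage: Install-SplitRules once; later, Find-DnsLeakAttempts reads the live log.
Find-DnsLeakAttempts $SampleLines | Format-Table -AutoSize
```

On the constructed lines the parser reports the two attempts to 192.168.1.1:53 and 142.250.74.46:853 and ignores the query to the 10.4.0.1 VPN resolver and the port 443 drop. The VPN port rule is deliberately the widest one here; if you can keep a current list of AirVPN server addresses, pass it as the fifth argument of Add-OutRule for the 'VPN UDP'/'VPN TCP' rules, as the post recommends for the port 80 case.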
On 7/24/2025 at 8:55 AM, Daniel2025 said:

Could you please write a simple step-by-step manual for configuring the explicit firewall settings in Windows 11? I'm not a computer expert, so I need clear instructions I can follow easily. I previously tried using ChatGPT, but the manual it gave me wasn't accurate.


With the right prompts, you can probably get ChatGPT to answer it well. You will have to be familiar with the vernacular of this profession to get the best results. Be very specific. Say something like this:

as a network admin, using windows 11, generate the commands i can type into a command line to block all traffic by policy, then generate inbound and outbound rules to allow dhcp traffic over physical interface, allow udp port 53 only for these IPs (x.x.x.x, x.x.x.x) over physical interface, allow udp,tcp port 1194 traffic over physical interface, allow tcp port 80,443 traffic over tunnel interface.

Type anything else you want to add. It might know how to use the UI instead of the command line too, if you ask it.
