Permanent Kill Switch for Eddie Client

[Daniel2025 0]

Hello,

I am using Windows 10 Pro, and the Eddie client works well on my system. However, I’ve noticed that the kill switch (network lock) is only active when Eddie is running. I have already configured Eddie to start automatically with Windows, but there is still a brief moment during startup when my computer is online with its real IP address. This is a problem for me.

I want to ensure that my computer never goes online with its real IP. Additionally, when I restart or reboot my computer, I have to manually close Eddie, and during this process, my real IP is exposed again.

Is there a way to fix this issue? For example, Mullvad has a lockdown mode that prevents the computer from accessing the internet without an active VPN connection. However, I would prefer to stay with AirVPN because of its many other advantages.

It is very important to me that my computer never connects to the internet without the VPN. Is there a way to achieve this with Eddie? Or would it be possible for you to add a feature to Eddie that ensures a permanent network lock, even before the client starts?

Best regards,

[drum 6]

I'm using the free WFC with Secure Boot enabled to achieve what you asked.
Secure Boot: Automatically set High Filtering profile at system shut down. At Windows start-up, all network connections will be blocked until the user manually changes the profile.
At system start-up all traffic is blocked, AirVPN also starts automatically, it enables Network Lock per configuration but can't connect until i manually change WFC profile to, in my case, Medium Filtering.

Take a look at Viaica review of this app:

 

[Daniel2025 0]

OK, thanks, but this only resolves the issue during startup or after a restart. However, before shutting down Windows, I need to manually close Eddie. This also disables the Network Lock, causing my computer to briefly connect to the internet with its real IP and without a VPN for a few seconds or minutes. 

 

[Staff 10204]

1 hour ago, Daniel2025 said:

OK, thanks, but this only resolves the issue during startup or after a restart. However, before shutting down Windows, I need to manually close Eddie. This also disables the Network Lock, causing my computer to briefly connect to the internet with its real IP and without a VPN for a few seconds or minutes. 

Hello!

You need to set permanent Windows Filtering Platform rules that block outgoing traffic, except traffic to the local network and for DHCP purposes. In this way when Network Lock disengages the block "all traffic" rules are restored. When Network Lock is engaged the new rules enforced by Eddie will allow Internet communications to the VPN servers only.

Kind regards
 

[drum 6]

2 hours ago, Daniel2025 said:

OK, thanks, but this only resolves the issue during startup or after a restart. However, before shutting down Windows, I need to manually close Eddie. This also disables the Network Lock, causing my computer to briefly connect to the internet with its real IP and without a VPN for a few seconds or minutes. 

 

Thats's easy! Set WFC to "High Filtering" profile before manually closing Eddie.

[rkp 1]

I set permanent Windows Filtering Platform rules that block outgoing traffic, except traffic to the local network and for DHCP purposes.But now of course no connection to AirVPN is possible. How to deal with this? 

[Staff 10204]

16 hours ago, rkp said:

I set permanent Windows Filtering Platform rules that block outgoing traffic, except traffic to the local network and for DHCP purposes.But now of course no connection to AirVPN is possible. How to deal with this? 

Hello!

Already explained in the previous post: enable Network Lock to allow connections to AirVPN infrastructure.

Kind regards
 

[Viaica 4]

On 4/4/2025 at 7:18 PM, drum said:

I'm using the free WFC with Secure Boot enabled to achieve what you asked.
Secure Boot: Automatically set High Filtering profile at system shut down. At Windows start-up, all network connections will be blocked until the user manually changes the profile.
At system start-up all traffic is blocked, AirVPN also starts automatically, it enables Network Lock per configuration but can't connect until i manually change WFC profile to, in my case, Medium Filtering.

Take a look at Viaica review of this app:

 

There lies a "danger" in only using Secure Boot without creating the types of rules I explain in the thread. Secure Boot is set on shutdown, so if the PC crashes for example, the next boot will be with your regular filtering profile. But that doesn't matter if the firewall rules are set to block all but AirVPN IPs. 

[av942253 0]

On 4/6/2025 at 8:29 PM, Staff said:

You need to set permanent Windows Filtering Platform rules that block outgoing traffic, except traffic to the local network and for DHCP purposes.

I am also interested in this, but I didn't get it working. Could you please provide more details on how to set it up? A few snippets for the Powershell would be very helpful. Allowing DHCP traffic out, seems to be an default rule with Windows 10.

[Staff 10204]

13 hours ago, av942253 said:

On 4/6/2025 at 8:29 PM, Staff said:

You need to set permanent Windows Filtering Platform rules that block outgoing traffic, except traffic to the local network and for DHCP purposes.

I am also interested in this, but I didn't get it working. Could you please provide more details on how to set it up? A few snippets for the Powershell would be very helpful. Allowing DHCP traffic out, seems to be an default rule with Windows 10.

Hello!

Something like this will do the trick, starting from a clean status and Windows Firewall enabled. Make sure you operate from a Powershell with administrator privileges. The rules will survive at reboot. You must adjust your local network address/netmask (change 192.168.0.0/16 and fe80::/10 if necessary). Do not proceed if you don't understand exactly every single command; instead, get documented first.
 

netsh advfirewall set allprofiles firewallpolicy blockoutbound
netsh advfirewall firewall add rule name="Allow DHCPv4" protocol=UDP dir=out localport=67,68 action=allow
netsh advfirewall firewall add rule name="Allow DHCPv6" protocol=UDP dir=out localport=546,547 action=allow
netsh advfirewall firewall add rule name="Allow Local IPv4 Network" protocol=TCP dir=out remoteip=192.168.0.0/16 action=allow
netsh advfirewall firewall add rule name="Allow Local IPv6 Network" protocol=TCP dir=out remoteip=fe80::/10 action=allow

You may also consider to backup the rules and enable them only when needed, instead of keeping them permanent. Check your system manual to do this.

Kind regard
 

[av942253 0]

10 hours ago, Staff said:

 

netsh advfirewall set allprofiles firewallpolicy blockoutbound
netsh advfirewall firewall add rule name="Allow DHCPv4" protocol=UDP dir=out localport=67,68 action=allow
netsh advfirewall firewall add rule name="Allow DHCPv6" protocol=UDP dir=out localport=546,547 action=allow
netsh advfirewall firewall add rule name="Allow Local IPv4 Network" protocol=TCP dir=out remoteip=192.168.0.0/16 action=allow
netsh advfirewall firewall add rule name="Allow Local IPv6 Network" protocol=TCP dir=out remoteip=fe80::/10 action=allow

Thanks. I was already pretty close to that. Still it doesn't work. Network Lock from Eddie is on. It can't make the handshake connection to peer. Eddie Network Lock doesn't seem to add any rules to

netsh.exe advfirewall firewall show rule name=all

Looking a bit into the Eddie source code for Windows, there should be plenty of entries done by Network Lock. They should start with NetLock (e.g.: "NetLock - In - Block All") or Eddie (e.g.: "Eddie - Out - Program Eddie"). But of course I only have limited understanding of the source code.

I guess it is missing a rule that allows Eddie either to connect to the IP of the server or the port of the protocol or allows all connections for Eddie. Could you please check again what is missing and why the rules set by Eddie don't show up? I already tried it on two machines with no luck and one was a fresh install.
 

[Daniel2025 0]

Hello,

I’d like to suggest a feature for the Eddie client: a true permanent network lock (kill switch) on Windows that ensures the system can never come online with its real IP, not even briefly during boot, crashes, or if the Eddie client is closed manually.

I’m the original poster of this thread, and I’ve spent quite a bit of time researching this topic. I now understand the reasoning behind Eddie’s current behavior: the firewall rules only apply while the client is running, to avoid locking users out or breaking system connectivity. That makes sense — but it still leaves a privacy gap that many users would prefer to close permanently.

I’ve looked into solutions like using Windows Filtering Platform (WFP) rules or manual firewall configurations, but I wasn't able to create a setup that’s both secure and reliable. I'm not a beginner, but I'm also not confident enough to enforce such permanent restrictions without risking accidental lockouts or leaks due to misconfiguration.

Many users – especially those who value privacy – would greatly benefit from a built-in, persistent kill switch, similar to how Mullvad has implemented it in their Windows client. It's extremely effective and survives reboots or unexpected crashes. I’d love to see something similar in AirVPN, which I consider superior in nearly every other regard: server quality, privacy philosophy and transparency.

To show how much I care about this feature, I’m even willing to donate €100 toward its development. I know it's not a large sum, but I believe others would support it too. This kind of functionality would make AirVPN even more attractive to security-conscious users on Windows.

Is there any chance this could be added in a future version of Eddie?
Even an optional advanced setting or a supported script/tool would be a great step forward.

Thank you for your continued excellent work and for your strong commitment to online privacy.

Best regards,

[drum 6]

At this point, as an alternative, perhaps it may be worth for you to look for hardware (if you use cable) solutions like:

amazon.com / Internet-CUT-OFF-Kill-Switch/dp/B00RQVFHZ4/   (remove spaces)