Omniferum 9 Posted ...

---------------------------------------------------------
SECURE YOUR WINDOWS VPN CONNECTION

This script will allow your Windows OS to flip between secure VPN traffic and normal traffic mode.
-Secure VPN mode: Allows 'only' secure VPN traffic. This script also prevents the 'DNS leak' problem you might have read about.
-Normal traffic mode: Your normal internet

I wrote this for people with little know-how of computers but who need security without complication. This is a simple script that you double-click to flip between 'normal internet' mode and 'Secure VPN Mode'. When in 'Secure VPN Mode' your computer completely prevents DNS leaks and will deny ALL internet traffic that is not VPN. It still allows LAN access so your servers/network's existing setup won't be affected by it.

Requirements:
-My Windows batch script
-Your VPN's .ovpn files
-You need the DNS servers of your VPN (Note: Not all VPNs provide them, but all the good ones do)
-Windows Vista/7/8/10 (These are the OSes that come with Windows Firewall installed/enabled by default)

---------------------------------------------------------
STEP 1 - Download your .ovpn file(s) from your VPN provider

STEP 2 - Place those .ovpn files into your OpenVPN config directory
This folder is usually: C:\Program Files\OpenVPN\config

STEP 3 - Creating the .bat file
-Create an empty .txt file and open it up
-Copy and paste everything in the code box below into the empty .txt file
-Edit the line near the top that says SET YOUR_VPN_PRIMARY_DNS= <- Put YOUR VPN's DNS address after the equal sign (AirVPN is 10.4.0.1 - this is what I use, so I left it as the default)
-Save the file
-Rename the .txt file extension to .bat (e.g. FirewallFlip.txt -> FirewallFlip.bat)

BATCH FILE - FIREWALL FLIPPER

@ECHO OFF
SETLOCAL ENABLEDELAYEDEXPANSION
SETLOCAL ENABLEEXTENSIONS

REM -------------------
REM MANDATORY VARIABLES
REM -------------------
REM This section is required to prevent DNS leaks
REM Example VPN DNS servers: AirVPN's are 10.4.0.1 and 10.5.0.1
REM THIS VARIABLE CANNOT BE BLANK AND MUST BE CHANGED TO YOUR VPN'S DNS SERVER
SET YOUR_VPN_PRIMARY_DNS=10.4.0.1

REM ------------------
REM OPTIONAL VARIABLES
REM ------------------
REM Put the filename of your preferred OVPN server here
REM Leave blank to let this script select one at random for you
REM Example filename you would enter here: AirVPN_America_UDP-443.ovpn
SET YOUR_PREFERRED_OVPN=

REM Enter your backup/secondary DNS here
SET YOUR_VPN_SECONDARY_DNS=10.5.0.1

REM Your preferred public DNS servers (e.g. Google is 8.8.8.8 and OpenDNS is 208.67.220.220)
REM These are usually superior to the ones your ISP provides you with
REM If you clear these values then your ISP DNS will be used
SET YOUR_PUBLIC_PRIMARY_DNS=8.8.8.8
SET YOUR_PUBLIC_SECONDARY_DNS=208.67.220.220

REM Basic error check
IF NOT DEFINED YOUR_VPN_PRIMARY_DNS (
    ECHO WARNING
    ECHO -------
    ECHO You have not set the YOUR_VPN_PRIMARY_DNS variable in this script
    ECHO.
    ECHO Open %~nx0 and edit the necessary line
    ECHO.
    ECHO This script CANNOT continue until you do so
    ECHO.
    ECHO Press any key to exit...
    PAUSE >NUL 2>NUL
    GOTO :EOF
)

REM Finding your OpenVPN Installation
IF EXIST "C:\Program Files (x86)\OpenVPN" SET OpenVPN=C:\Program Files (x86)\OpenVPN
IF EXIST "C:\Program Files\OpenVPN" SET OpenVPN=C:\Program Files\OpenVPN
IF NOT DEFINED OpenVPN (
    ECHO Your OpenVPN installation was not found, press any key to exit...
    PAUSE >NUL 2>NUL
    GOTO :EOF
)

REM Basic error check
IF NOT EXIST "%OpenVPN%\config\*.ovpn" (
    ECHO ******************************************************************
    ECHO This script cannot continue because it could not find the .ovpn
    ECHO files required in: "%OpenVPN%\config"
    ECHO.
    ECHO Please copy your .ovpn files into the above directory for this
    ECHO script to work.
    ECHO ******************************************************************
    PAUSE
    GOTO :EOF
)

SET "FIREWALL_FLIP_BACKUP_FOLDER=%OpenVPN%\FIREWALL_FLIP_BACKUP"
IF NOT EXIST "%FIREWALL_FLIP_BACKUP_FOLDER%" MD "%FIREWALL_FLIP_BACKUP_FOLDER%"

REM Finding the network adapter used by OpenVPN
FOR /F "tokens=1-3 delims='{" %%a IN ('"%OpenVPN%\bin\openvpn.exe" --show-adapters ^| findstr {') DO (
    SET VPN_ADAPTER=%%a
    SET VPN_ADAPTER_GUID={%%c
)

REM Checking config file limit
FOR /F "tokens=1 delims= " %%a IN ('DIR "%OpenVPN%\config\*.ovpn" ^| findstr File^(s^)') DO (
    IF %%a GTR 50 (
        ECHO You have %%a config files in your OpenVPN config folder
        ECHO.
        ECHO OpenVPN only supports a maximum of 50, so you will need to delete some
        ECHO.
        ECHO This script has made no modifications to the system
        ECHO Press any key to exit...
        PAUSE >NUL 2>NUL
        GOTO :EOF
    )
)

REM Checking if any of the addresses aren't fully resolved (a "remote" line with letters in it is a hostname, not an IP)
FOR %%a IN ("%OpenVPN%\config\*.ovpn") DO (
    FOR /F "tokens=2-3 delims= " %%b IN ('findstr "remote " "%%a" ^| findstr \.') DO (
        ECHO %%b | findstr [a-z] >NUL 2>NUL && SET OVPN_FORMATTED=NO
    )
)
IF "!OVPN_FORMATTED!" EQU "NO" (
    ECHO ********************************************************************
    ECHO Could not find IP addresses for some, or all, of your .ovpn file^(s^)
    ECHO.
    ECHO Would you like this script to automatically format your .ovpn files?
    ECHO.
    ECHO REQUIRES INTERNET CONNECTION
    ECHO ********************************************************************
    CHOICE
    IF !ERRORLEVEL! EQU 1 (
        FOR %%f IN ("%OpenVPN%\config\*.ovpn") DO (
            SET "OVPN_BACKUP_FILE=%OpenVPN%\FIREWALL_FLIP_BACKUP\Backup_%%~nxf"
            REM Create backup of your .ovpn file
            IF NOT EXIST "!FIREWALL_FLIP_BACKUP_FOLDER!" MD "!FIREWALL_FLIP_BACKUP_FOLDER!" >NUL 2>NUL
            IF NOT EXIST "!OVPN_BACKUP_FILE!" (
                COPY /Y "%%f" "!OVPN_BACKUP_FILE!" >NUL 2>NUL
            ) ELSE (
                ECHO A backup of "%%f" already exists, do you wish to overwrite it?
                CHOICE
                IF !ERRORLEVEL! EQU 1 (
                    COPY /Y "%%f" "!OVPN_BACKUP_FILE!" >NUL 2>NUL
                )
            )
            REM Get your VPN server name and port
            FOR /F "tokens=2-3 delims= " %%a IN ('findstr "remote " "%%f" ^| findstr \.') DO (
                SET VPN_SERVER_NAME=%%a
                SET VPN_SERVER_PORT=%%b
            )
            ECHO !VPN_SERVER_NAME! | findstr [a-z] >NUL 2>NUL && (
                REM Resolve the server name to an IP
                FOR /F "tokens=2 delims=[]" %%a IN ('ping -n 1 !VPN_SERVER_NAME! ^| findstr [') DO (
                    SET VPN_SERVER_IP=%%a
                )
                REM Replace the VPN server name with its direct IP (rewritten from the backup copy)
                >"%%f" (
                    FOR /F "usebackq tokens=*" %%a IN ("!OVPN_BACKUP_FILE!") DO (
                        IF "%%a" EQU "remote !VPN_SERVER_NAME! !VPN_SERVER_PORT!" (
                            ECHO remote !VPN_SERVER_IP! !VPN_SERVER_PORT!
                        ) ELSE (
                            ECHO %%a
                        )
                    )
                )
            )
        )
    ) ELSE (
        ECHO.
        ECHO This script has made no modifications to the system.
        ECHO Press any key to exit...
        PAUSE >NUL 2>NUL
        GOTO :EOF
    )
)

REM If you haven't set the variable YOUR_PREFERRED_OVPN this bit of code will select one at random
REM from the OpenVPN config folder where all your .ovpn files are stored.
IF DEFINED YOUR_PREFERRED_OVPN GOTO :CURRENT_STATE
IF "!YOUR_PREFERRED_OVPN!" EQU "" (
    FOR /F "tokens=1 delims= " %%a IN ('DIR "%OpenVPN%\config\*.ovpn" ^| findstr /C:" File(s)"') DO SET /A "rand=%RANDOM% %% %%a+1"
    FOR %%f IN ("%OpenVPN%\config\*.ovpn") DO (
        SET /A num+=1
        IF !num! EQU !rand! SET "YOUR_PREFERRED_OVPN=%%~nxf"
    )
)

:CURRENT_STATE
REM Check what state the firewall is in (VPN ONLY or ALLOW ALL)
CLS
FOR /F "tokens=2 delims=," %%a IN ('netsh advfirewall show allprofiles firewallpolicy') DO SET state=%%a
IF "%state%" EQU "BlockOutbound" GOTO :VPN_TO_ALL
IF "%state%" EQU "Ausgehend blockieren" GOTO :VPN_TO_ALL
IF "%state%" EQU "AllowOutbound" GOTO :ALL_TO_VPN
IF "%state%" EQU "Ausgehend zulassen" GOTO :ALL_TO_VPN
ECHO Your firewall state cannot be determined...
ECHO.
ECHO This script has made no modifications to the system.
ECHO Press any key to exit...
PAUSE >NUL 2>NUL
GOTO :EOF

:VPN_TO_ALL
ECHO.
ECHO --------------------------------------------------
ECHO ^|The firewall currently allows "ONLY VPN" traffic^|
ECHO --------------------------------------------------
ECHO.
ECHO Do you wish to allow "ALL" traffic?
CHOICE
IF !ERRORLEVEL! EQU 1 (
    CLS
    ECHO ------------------------------------------------
    ECHO Configuring your computer to allow "ALL" traffic
    ECHO ------------------------------------------------
    ECHO.
    REM Firewall .wfw backup file
    IF NOT EXIST "%FIREWALL_FLIP_BACKUP_FOLDER%\PRE_VPN_FIREWALL_RULES_BACK.wfw" (
        ECHO.
        ECHO.
        ECHO *******************************************************************************
        ECHO The firewall rules backup this script made could not be found...
        ECHO.
        ECHO Something has happened to the file:
        ECHO "%FIREWALL_FLIP_BACKUP_FOLDER%\PRE_VPN_FIREWALL_RULES_BACK.wfw"
        ECHO *******************************************************************************
        ECHO.
        ECHO Would you like to automatically reset your Windows firewall to default rules?
        ECHO This is perfectly safe to do, but it will reset your firewall prompts.
        REM Reset Windows firewall if rules backup not found
        CHOICE
        IF !ERRORLEVEL! EQU 1 (
            netsh advfirewall reset >NUL 2>NUL
        ) ELSE (
            ECHO.
            ECHO This script has made no modifications to the system.
            ECHO Press any key to exit...
            PAUSE >NUL 2>NUL
            GOTO :EOF
        )
    )
    REM Delete all current firewall rules
    netsh advfirewall firewall delete rule name=all >NUL 2>NUL
    ECHO All firewall rules cleared
    ECHO.
    REM Terminate OpenVPN
    taskkill /f /im openvpn* >NUL 2>NUL
    ECHO OpenVPN Terminated
    ECHO.
    REM Identify all NICs and set their DNS
    ECHO.
    ECHO.
    ECHO Sanitizing and configuring your network adaptors
    ECHO ------------------------------------------------
    ECHO.
    FOR /F "tokens=2 delims=, skip=2" %%a IN ('"wmic nic where PhysicalAdapter=TRUE get netconnectionid /format:csv"') DO (
        ECHO "%%a" | findstr OpenVPN >NUL 2>NUL || (
            REM Strip the trailing CR that wmic puts on every CSV line
            FOR /F "delims=" %%b IN ("%%a") DO SET "adapter=%%b"
            SET dnsprimary=!YOUR_PUBLIC_PRIMARY_DNS!
            SET dnssecondary=!YOUR_PUBLIC_SECONDARY_DNS!
            CALL :ADAPTER_CONFIG
        )
    )
    REM Import your backup firewall rules
    IF EXIST "%FIREWALL_FLIP_BACKUP_FOLDER%\PRE_VPN_FIREWALL_RULES_BACK.wfw" netsh advfirewall import "%FIREWALL_FLIP_BACKUP_FOLDER%\PRE_VPN_FIREWALL_RULES_BACK.wfw" >NUL 2>NUL
    REM Re-enable program firewall access request notifications
    netsh advfirewall set allprofiles settings inboundusernotification enable >NUL 2>NUL
    REM Register with the network properly
    ipconfig /registerdns >NUL 2>NUL
    netsh winsock reset >NUL 2>NUL
    ipconfig /renew >NUL 2>NUL
    REM Enable ALL traffic firewall rules
    netsh advfirewall set allprofiles firewallpolicy BlockInbound,AllowOutbound >NUL 2>NUL
    CLS
    ECHO -------------------------------------------
    ECHO Your computer should now allow "ALL" traffic
    ECHO -------------------------------------------
    GOTO :VERIFICATION
)
ECHO.
ECHO This script has made no modifications to the system.
ECHO Press any key to exit...
PAUSE >NUL 2>NUL
GOTO :EOF

:ALL_TO_VPN
ECHO.
ECHO --------------------------------------------------
ECHO ^|The firewall currently allows "ALL" traffic^|
ECHO --------------------------------------------------
ECHO.
ECHO Do you wish to allow "ONLY VPN" traffic?
CHOICE
IF !ERRORLEVEL! EQU 1 (
    CLS
    ECHO -----------------------------------------------------
    ECHO Configuring your computer to allow "ONLY VPN" traffic
    ECHO -----------------------------------------------------
    ECHO.
    REM Creating VPN_SERVER_IP (comma-separated list of every "remote" IP found in the .ovpn files)
    SET /P 1=Generating list of VPN server IP's... <NUL
    FOR /F "tokens=*" %%a IN ('DIR /b "%OpenVPN%\config\*.ovpn"') DO (
        FOR /F "tokens=1-3 delims= " %%b IN ('findstr "remote " "%OpenVPN%\config\%%a" ^| findstr \.') DO (
            IF DEFINED VPN_SERVER_IP (
                IF %%c NEQ !lastip! SET VPN_SERVER_IP=!VPN_SERVER_IP!,%%c
            ) ELSE (
                SET VPN_SERVER_IP=%%c
            )
            SET lastip=%%c
        )
    )
    ECHO Done
    REM Backup all firewall rules
    SET /P 1=Backing up current firewall rules... <NUL
    netsh advfirewall export "%FIREWALL_FLIP_BACKUP_FOLDER%\PRE_VPN_FIREWALL_RULES_BACK.wfw" >NUL 2>NUL
    IF NOT EXIST "%FIREWALL_FLIP_BACKUP_FOLDER%\PRE_VPN_FIREWALL_RULES_BACK.wfw" (
        ECHO ERROR
        ECHO.
        ECHO This script has made no modifications to the system.
        ECHO Press any key to exit...
        PAUSE >NUL 2>NUL
        GOTO :EOF
    )
    ECHO Done
    REM Enable VPN traffic firewall rules
    SET /P 1=Configuring new firewall rules... <NUL
    netsh advfirewall set allprofiles firewallpolicy BlockInbound,BlockOutbound >NUL 2>NUL
    REM Delete all current firewall rules (filtering method used to retain file/network sharing functionality)
    netsh advfirewall firewall delete rule name=all >NUL 2>NUL
    REM FOR /F "tokens=2 delims=:" %%a IN ('netsh advfirewall firewall show rule name^=all ^| findstr /C:"Rule Name:" ^| findstr /v "@"') DO (
    REM     REM Trim all extra spaces
    REM     FOR /F "tokens=* delims= " %%b IN ("%%a") DO SET "RULE_NAME=%%b"
    REM     REM Filter out all firewall rules that aren't the Microsoft local subnet ones
    REM     FOR /F "tokens=* delims= " %%b IN ('@ECHO !RULE_NAME! ^| findstr /v /b /L "File and Printer Sharing" ^| findstr /v /b /L "Network Discovery"') DO netsh advfirewall firewall delete rule name="!RULE_NAME!" >NUL 2>NUL
    REM )
    REM Create VPN only rules
    netsh advfirewall firewall add rule name="VPN_LOCALNETWORK_INBOUND" dir=in action=allow remoteip=LocalSubnet >NUL 2>NUL
    netsh advfirewall firewall add rule name="VPN_LOCALNETWORK_OUTBOUND" dir=out action=allow remoteip=LocalSubnet >NUL 2>NUL
    netsh advfirewall firewall add rule name="VPN_RESOLUTION_OUTBOUND" dir=out action=allow remoteip=!VPN_SERVER_IP! >NUL 2>NUL
    netsh advfirewall firewall add rule name="VPN_DHCP" dir=out action=allow program="%%SystemRoot%%\system32\svchost.exe" localip=0.0.0.0 localport=68 remoteip=255.255.255.255 remoteport=67 protocol=UDP >NUL 2>NUL
    REM Disable program requesting firewall access notifications (just in case you aren't connected to the VPN and you are asked by something and accidentally allow it)
    netsh advfirewall set allprofiles settings inboundusernotification disable >NUL 2>NUL
    ECHO Done
    REM Identify all NICs and set their DNS to the secure VPN DNS
    ECHO.
    ECHO.
    ECHO Sanitizing and configuring your network adaptors
    ECHO ------------------------------------------------
    ECHO.
    FOR /F "tokens=2 delims=, skip=2" %%a IN ('"wmic nic where PhysicalAdapter=TRUE get netconnectionid /format:csv"') DO (
        ECHO "%%a" | findstr OpenVPN >NUL 2>NUL || (
            REM Strip the trailing CR that wmic puts on every CSV line
            FOR /F "delims=" %%b IN ("%%a") DO SET "adapter=%%b"
            SET dnsprimary=!YOUR_VPN_PRIMARY_DNS!
            SET dnssecondary=!YOUR_VPN_SECONDARY_DNS!
            CALL :ADAPTER_CONFIG
        )
    )
    REM Register with the network properly
    ipconfig /registerdns >NUL 2>NUL
    netsh winsock reset >NUL 2>NUL
    ipconfig /renew >NUL 2>NUL
    CLS
    ECHO ------------------------------------------------
    ECHO Your computer should now allow "ONLY VPN" traffic
    ECHO ------------------------------------------------
    GOTO :VERIFICATION
)
ECHO.
ECHO This script has made no modifications to the system.
ECHO Press any key to exit...
PAUSE >NUL 2>NUL
GOTO :EOF

:VERIFICATION
ECHO.
ECHO.
ECHO VERIFICATION STEPS
ECHO ------------------
REM Automatic firewall verification
FOR /F "tokens=2 delims=," %%a IN ('netsh advfirewall show allprofiles firewallpolicy') DO IF "%%a" EQU "%state%" (
    ECHO Your firewall state did not successfully switch over, do you want to run this script again?
    CHOICE
    IF !ERRORLEVEL! EQU 1 (
        GOTO :CURRENT_STATE
    ) ELSE (
        GOTO :EOF
    )
)
ECHO Firewall - passed automatic verification
REM Automatic DNS verification
netsh interface ipv4 show dns | findstr \. | findstr !dnsprimary! >NUL 2>NUL || GOTO :VERIFICATION_FAILURE
IF DEFINED dnssecondary (
    netsh interface ipv4 show dns | findstr \. | findstr !dnssecondary! >NUL 2>NUL || GOTO :VERIFICATION_FAILURE
)
ECHO DNS - passed automatic verification
ECHO ------------------
ECHO.
IF "!dnsprimary!" EQU "!YOUR_VPN_PRIMARY_DNS!" (
    SET ovpnlog=!YOUR_PREFERRED_OVPN:ovpn=log!
    taskkill /f /im openvpn* >NUL 2>NUL
    DEL /F /Q "%OpenVPN%\log\!ovpnlog!" >NUL 2>NUL
    ECHO.
    SET /P 1=Connecting to your VPN and waiting for IP to be assigned: <NUL
    START "" "%OpenVPN%\bin\openvpn-gui.exe" --connect !YOUR_PREFERRED_OVPN! >NUL 2>NUL
    CALL :WAIT_FOR_VPN
    FOR /F "tokens=4 delims=," %%a IN ('findstr "CONNECTED,SUCCESS" "%OpenVPN%\log\!ovpnlog!"') DO (
        SET VPN_ASSIGNED_IP=%%a
    )
    ECHO !VPN_ASSIGNED_IP!
    ECHO.
    SET /P 1=Granting your assigned VPN IP access to the internet... <NUL
    FOR /F "tokens=2-4 delims=,." %%a IN ('wmic nicconfig get DHCPServer^,SettingID /format:csv ^| findstr "!VPN_ADAPTER_GUID!"') DO (
        SET VPN_IP_POOL_RANGE=%%a.%%b.0.0-%%a.%%b.255.254
    )
    netsh advfirewall firewall add rule name="VPN_INTERNET_OUTBOUND" dir=out action=allow localip=!VPN_IP_POOL_RANGE! >NUL 2>NUL
    ECHO Done
    ECHO.
    ECHO.
    ECHO -------------------------------------------------------------------
    ECHO ^|Visit www.ipleak.net to verify that you are connected to your VPN^|
    ECHO -------------------------------------------------------------------
    ECHO.
    PAUSE
    GOTO :EOF
) ELSE (
    PAUSE
)
GOTO :EOF

:VERIFICATION_FAILURE
ECHO There was an error setting your DNS, press any key to see your current DNS servers...
PAUSE >NUL 2>NUL
netsh interface ipv4 show dns
ECHO ------------------------------------------------------------
ECHO The DNS listed should be: !dnsprimary! -OR- !dnssecondary!
ECHO ------------------------------------------------------------
ECHO.
ECHO IF THE DNS SERVERS DO NOT MATCH WHAT THEY SHOULD BE, CHANGE THEM MANUALLY
ECHO IF YOU DON'T DO THIS:
ECHO ---------------------
ECHO YOUR VPN CONNECTION WILL NOT BE SECURE
ECHO -AND/OR-
ECHO YOUR REGULAR INTERNET MODE WILL NOT WORK
ECHO.
PAUSE
GOTO :EOF

:ADAPTER_CONFIG
REM This section resets and configures your network adapters as necessary
SET /P 1=%adapter%... <NUL
ipconfig /release >NUL 2>NUL
ipconfig /flushdns >NUL 2>NUL
netsh interface ipv4 set dns "%adapter%" static %dnsprimary% primary validate=no >NUL 2>NUL
IF DEFINED dnssecondary netsh interface ipv4 add dns "%adapter%" !dnssecondary! index=2 validate=no >NUL 2>NUL
ECHO Done
GOTO :EOF

:WAIT_FOR_VPN
REM Polls the OpenVPN log until it reports CONNECTED,SUCCESS. This is a subroutine because
REM a label inside a parenthesised block breaks the block.
findstr "CONNECTED,SUCCESS" "%OpenVPN%\log\%ovpnlog%" >NUL 2>NUL && GOTO :EOF
ping -n 2 127.0.0.1 >NUL 2>NUL
GOTO :WAIT_FOR_VPN

STEP 4
Now you just double-click the .bat file whenever you want to switch between VPN secure or normal internet mode. If double-clicking doesn't start the script you can right-click it and select 'open'.

SPECIAL NOTES
-This script creates a backup of your original .ovpn files under the folder FIREWALL_FLIP_BACKUP in your OpenVPN installation directory. This script resolves the IPs of the hostnames in the VPN files, so if you feel there is something wrong with this script you can still just go back to your originals.
-The changes made by this script are permanent, until you run it again. This means that reboots or any sort of system hiccup will not affect it.

WARNING
If you start fiddling with your network adapters or Windows Firewall yourself you will most likely compromise what this script has set out to do. Only do so if you know what you're doing.
Omniferum 9 Posted ...

If a moderator thinks this is good enough it would be nice to see it in the HOW-TO section of the forum.
Staff 9972 Posted ...

If a moderator thinks this is good enough it would be nice to see it in the HOW-TO section of the forum.

Hello,

thank you for your efforts and thank you for sharing! It looks good and very comfortable, some of us will test it and after that if it's all right we'll move it to the how-to.

Some specifications for the readers: in order to work properly, the script needs the Configuration Generator set to "Resolved hosts" (*) so that in the .ovpn files "remote" line(s) there will always be an IP address, not a name (would the Windows firewall work properly with domain names instead of IP addresses?). It's important to specify because the majority of Windows users run the Air client, so they probably have never used the Configuration Generator.

(*) anyway "Resolved hosts" is forced if the Configuration Generator is set in Windows mode - problems may arise only if a Windows user runs the Configuration Generator in some other OS mode.

EDIT: alternatively we might provide something like "fake.ovpn", a simple text file with all entry IP addresses preceded by the "remote" keyword (if the script scans all the "remote" lines, i.e. if it does not stop at the first found "remote" line).

Kind regards
Omniferum 9 Posted ...

The Windows Firewall only gives IP as an option. However with a simple tweak to the batch I can just make it ping domain names, get the resolved IP address and use that to populate the vpnip variable instead. Assuming your server names stay constant, I know that some get taken down/replaced.

I only did this in batch as I know 'every' Windows platform used today supports it. If I knew people were using Windows 7 minimum I would've just done it in PowerShell.
siddin 0 Posted ...

This is awesome and does exactly what I've been looking for. Without the VPN connection I can't connect to the internet using any programs, however once the VPN is established I can use the internet without a problem.

The only thing with the first batch file is that I've had to go through and adjust the Remote IP to my VPN IP even though I do use OpenVPN. Not sure if it matters as it still does what I was after even without that.
Guest Chaf Posted ...

Isn't there a missing rule for the firewall blocking UDP port 53 for DNS leaks?
Omniferum 9 Posted ...

This is awesome and does exactly what I've been looking for. Without the VPN connection I can't connect to the internet using any programs, however once the VPN is established I can use the internet without a problem. The only thing with the first batch file is that I've had to go through and adjust the Remote IP to my VPN IP even though I do use OpenVPN. Not sure if it matters as it still does what I was after even without that.

The remoteip variable is really only populated if you have the .ovpn files in the same directory. Manually adding them in with commas like:
123.123.0.123,123.51.123.16,123.2.13.1
will make it work fine.

Isn't there a missing rule for the firewall blocking UDP port 53 for DNS leaks?

There is no real way that DNS leaks could occur. The firewall rules above prevent your adapters from communicating with the internet in any fashion except with the OpenVPN servers (to establish a connection with them). Even then your local adapters' DNS is set to your VPN adapter's, so it is routed through them. DNS leaks are more for when your DNS is set to static and gets confused because your adapter has access to BOTH the AirVPN and your regular ISP's DNS servers. The rules above limit that to only one, your OpenVPN provider's.
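The same flip as Omniferum's batch script, written as an added example with the NetSecurity and DnsClient cmdlets (Windows 8 / Server 2012 and later). It is not code from this thread. It also covers Staff's "Resolved hosts" point by resolving any hostname on a "remote" line itself, and Chaf's UDP 53 question with an explicit DNS block on the physical adapters. Assumptions not taken from the thread: the TAP adapter alias 'TAP-Windows Adapter V9', the rule group name 'VPN-Only-Flip', and the config folder default; 10.4.0.1 and 10.5.0.1 are the AirVPN resolvers the thread names.

```powershell
#Requires -RunAsAdministrator
# Added example, not the thread's script. Assumptions: $TapAlias, $Group and $ConfigDir
# are placeholders to adjust; $VpnDns are the AirVPN resolvers named in the thread.
param(
    [ValidateSet('VpnOnly', 'AllowAll', 'Status')]
    [string]   $Mode      = 'Status',
    [string]   $ConfigDir = "$env:ProgramFiles\OpenVPN\config",
    [string]   $TapAlias  = 'TAP-Windows Adapter V9',   # check with Get-NetAdapter
    [string[]] $VpnDns    = @('10.4.0.1', '10.5.0.1'),
    [string]   $Group     = 'VPN-Only-Flip'             # tag on every rule this script owns
)
$ErrorActionPreference = 'Stop'

# One object per distinct ip/port/proto from every "remote <host> [port] [proto]" line.
# Hostnames are resolved here, so the firewall (which only takes addresses) gets IPs
# even if the config generator was not set to "Resolved hosts".
function Get-VpnEndpoint {
    $seen = @{}
    foreach ($file in Get-ChildItem -Path $ConfigDir -Filter *.ovpn) {
        $lines = Get-Content -Path $file.FullName
        $fileProto = 'UDP'                      # OpenVPN's default when no "proto" line
        foreach ($l in $lines) { if ($l -match '^\s*proto\s+(tcp|udp)') { $fileProto = $Matches[1].ToUpper() } }
        foreach ($l in $lines) {
            if ($l -match '^\s*remote\s+(\S+)(?:\s+(\d+))?(?:\s+(tcp|udp))?') {
                $name  = $Matches[1]
                $port  = if ($Matches[2]) { $Matches[2] } else { '1194' }
                $proto = if ($Matches[3]) { $Matches[3].ToUpper() } else { $fileProto }
                $ips   = if ($name -as [ipaddress]) { @($name) } else {
                    [System.Net.Dns]::GetHostAddresses($name) |
                        Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
                        ForEach-Object { $_.IPAddressToString }
                }
                foreach ($ip in $ips) {
                    $key = "$ip/$port/$proto"
                    if (-not $seen.ContainsKey($key)) {
                        $seen[$key] = $true
                        [pscustomobject]@{ Address = $ip; Port = $port; Protocol = $proto }
                    }
                }
            }
        }
    }
}

function Get-PhysicalAdapter { Get-NetAdapter -Physical | Where-Object { $_.Name -ne $TapAlias } }

function Enable-VpnOnly {
    if (-not (Get-NetAdapter -Name $TapAlias -ErrorAction SilentlyContinue)) { throw "adapter '$TapAlias' not found" }
    $endpoints = @(Get-VpnEndpoint)
    if ($endpoints.Count -eq 0) { throw "no 'remote' lines found under $ConfigDir" }
    Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    # Default-deny both ways; only rules in our group carry the exceptions, nothing else is deleted.
    Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block -NotifyOnListen False
    $allow = @{ Group = $Group; Action = 'Allow' }
    New-NetFirewallRule @allow -DisplayName 'VPN flip: LAN in'  -Direction Inbound  -RemoteAddress LocalSubnet | Out-Null
    New-NetFirewallRule @allow -DisplayName 'VPN flip: LAN out' -Direction Outbound -RemoteAddress LocalSubnet | Out-Null
    # DHCP without a RemoteAddress so unicast lease renewals work, not just the broadcast DISCOVER.
    New-NetFirewallRule @allow -DisplayName 'VPN flip: DHCP' -Direction Outbound -Protocol UDP -LocalPort 68 -RemotePort 67 -Program '%SystemRoot%\system32\svchost.exe' | Out-Null
    # Cleartext may only go to the VPN servers, on their advertised port and protocol.
    foreach ($e in $endpoints) {
        New-NetFirewallRule @allow -DisplayName "VPN flip: endpoint $($e.Address):$($e.Port)/$($e.Protocol)" -Direction Outbound -Protocol $e.Protocol -RemoteAddress $e.Address -RemotePort $e.Port | Out-Null
    }
    # Everything else leaves only through the tunnel interface (no need to guess the VPN address pool).
    New-NetFirewallRule @allow -DisplayName 'VPN flip: tunnel out' -Direction Outbound -InterfaceAlias $TapAlias | Out-Null
    foreach ($a in Get-PhysicalAdapter) {
        # Explicit DNS block per physical adapter: a block rule wins over any allow a later prompt adds.
        foreach ($p in 'UDP', 'TCP') {
            New-NetFirewallRule -Group $Group -Action Block -DisplayName "VPN flip: no DNS via $($a.Name) ($p)" -Direction Outbound -Protocol $p -RemotePort 53 -InterfaceAlias $a.Name | Out-Null
        }
        Set-DnsClientServerAddress -InterfaceIndex $a.ifIndex -ServerAddresses $VpnDns
    }
    Clear-DnsClientCache
}

function Enable-AllowAll {
    Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    Set-NetFirewallProfile -All -DefaultInboundAction Block -DefaultOutboundAction Allow -NotifyOnListen True
    foreach ($a in Get-PhysicalAdapter) { Set-DnsClientServerAddress -InterfaceIndex $a.ifIndex -ResetServerAddresses }
    Clear-DnsClientCache
}

# The thread's "VERIFICATION STEPS" as data: outbound default, own rule count, and any
# non-tunnel adapter still pointing at a resolver outside $VpnDns.
function Get-FlipStatus {
    $outbound = @(Get-NetFirewallProfile | ForEach-Object { "$($_.DefaultOutboundAction)" } | Sort-Object -Unique) -join ','
    $leaky = @(Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.InterfaceAlias -ne $TapAlias -and @($_.ServerAddresses).Count -gt 0 -and
                       @($_.ServerAddresses | Where-Object { $VpnDns -notcontains $_ }).Count -gt 0 } |
        ForEach-Object { "$($_.InterfaceAlias)=$($_.ServerAddresses -join '/')" })
    [pscustomobject]@{
        Mode            = if ($outbound -eq 'Block') { 'VpnOnly' } elseif ($outbound -eq 'Allow') { 'AllowAll' } else { "mixed ($outbound)" }
        OwnRules        = @(Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue).Count
        NonVpnResolvers = $leaky -join '; '    # must be empty while in VpnOnly mode
    }
}

switch ($Mode) {
    'VpnOnly'  { Enable-VpnOnly }
    'AllowAll' { Enable-AllowAll }
}
Get-FlipStatus
```

Run it from an elevated PowerShell as `.\VpnFlip.ps1 -Mode VpnOnly`, start OpenVPN, then `.\VpnFlip.ps1 -Mode Status` should report Mode VpnOnly and an empty NonVpnResolvers; `-Mode AllowAll` reverts. Two caveats: if one of your .ovpn files uses a remote port of 53, drop the two "no DNS" block rules, because a block rule always beats an allow rule and the default-deny already stops DNS on the physical link; and unlike the batch script this only removes rules in its own group, so no export/import of the rule set is needed. The port-53 block rules are not address-family specific, so they also cover IPv6 resolvers learnt from router advertisements, which setting the IPv4 servers alone would not.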
andromeda 1 Posted ...

Hi Omniferum,

Could you make a little "VPN flipper" for people who use Comodo Personal Firewall instead of Windows Firewall? And while you are at it, could you make one for those who use Linux?

I have also made a little 'VPN flipper', so you can switch your firewall to operate normally or in VPN secure mode (DNS and all that). For this to work you need to go to your network connections and right click the TAP-Windows Adapter v9, select 'Rename' and give it the name VPN.
Denis777 0 Posted ...

So after I change the txt name to bat, what should I do with that file? Where do I paste it? And where can I find the .ovpn file? Please help.

Edit: I think I figured out what to do with .bat files. Now I am having another issue: when I use the VPN flipper to allow connection only through the VPN, I lose connection through the VPN as well. When I flip to allow all traffic everything works again. What could be the problem?
Omniferum 9 Posted ...

So after I change the txt name to bat, what should I do with that file? Where do I paste it? And where can I find the .ovpn file? Please help. Edit: I think I figured out what to do with .bat files. Now I am having another issue: when I use the VPN flipper to allow connection only through the VPN, I lose connection through the VPN as well. When I flip to allow all traffic everything works again. What could be the problem?

You need to make a directory that has all your .ovpn files (which you can get through the AirVPN "client area" -> "config generator" page) and put the batch file in there. Then just run the batch file, it will add all the required rules.

Hi Omniferum, Could you make a little "VPN flipper" for people who use Comodo Personal Firewall instead of Windows Firewall? And while you are at it, could you make one for those who use Linux? I have also made a little 'VPN flipper', so you can switch your firewall to operate normally or in VPN secure mode (DNS and all that). For this to work you need to go to your network connections and right click the TAP-Windows Adapter v9, select 'Rename' and give it the name VPN.

As for making it work for Comodo, I don't run it (nor do I really want to) so I don't know what command line options it has. Essentially all the VPN flipper does is toggle between block/allow outbound traffic and change some network adapter DNS settings to prevent DNS leaks. So all someone would have to do is find the Comodo command line option to toggle the 'VPN zones'. If memory serves me correctly Comodo uses the term 'zones'.

Those who use Linux could easily find some bash script to do the same job, I would be surprised if nobody has done it. However Linux doesn't really suffer from DNS leaks normally and I do know there are some scripts that do the same 'toggle VPN only' already. I believe there is one on this forum somewhere.
Omniferum 9 Posted ...

Just a nudge in the hopes that the moderators see the updated script and update the How-To section with it.
AirSpider 1 Posted ...

Hi Guys,

What info do I need to add to this section:

set apikey=<fillmeinwithyourinformation!>
::Valid options are: disconnect,userinfo
set apiservice=<fillmeinwithyourselection!>

Thanks!
HocusPocus 1 Posted ...

Hi Omniferum,

Thank you for your fix for Windows 7. I'm new to using a VPN service. I've installed OpenVPN using the client and not the Config Generator Page! Where would I place the .bat files for both the Firewall rule and the Flipper Switch?

You need to make a directory that has all your .ovpn files (which you can get through the AirVPN "client area" -> "config generator" page) and put the batch file in there. Then just run the batch file, it will add all the required rules.

With thanks,
Omniferum 9 Posted ...

Hi Omniferum, Thank you for your fix for Windows 7. I'm new to using a VPN service. I've installed OpenVPN using the client and not the Config Generator Page! Where would I place the .bat files for both the Firewall rule and the Flipper Switch? You need to make a directory that has all your .ovpn files (which you can get through the AirVPN "client area" -> "config generator" page) and put the batch file in there. Then just run the batch file, it will add all the required rules. With thanks,

As per the instructions in the main post. The .ovpn files need to be generated in the Config Generator section of your AirVPN Client Area (this is an area on the website, not a program) with the following boxes checked:
Advanced Mode (This has to be selected first so the next two can be visible)
Resolved hosts in .ovpn file
All servers for area region

Hi Guys, What info do I need to add to this section: set apikey=<fillmeinwithyourinformation!> ::Valid options are: disconnect,userinfo set apiservice=<fillmeinwithyourselection!> Thanks!

Technically you do not HAVE to fill those things in. It is just more to force a disconnect because my OpenVPN doesn't always smoothly disconnect. However again you can just go to Client Area -> Settings and you can get the API key from there to put into the set apikey= part. The apiservice already has the two possible options above, disconnect is the one you want. userinfo is just there for debug shit at times for me in other scripts.
HocusPocus 1 Posted ...

Hello Omniferum,

Thanks so much for your additional explanation.

Advanced Mode (This has to be selected first so the next two can be visible)
Resolved hosts in .ovpn file
All servers for area region

Add this information above (see example below). What modes do I select in order to generate?

Still a little confused about the directory that you mentioned below.

'You need to make a directory that has all your .ovpn files (which you can get through the AirVPN "client area" -> "config generator" page) and put the batch file in there. Then just run the batch file, it will add all the required rules.'

Thanks,
Omniferum 9 Posted ...

The batch files and .ovpn files need to be in the same directory. As in they have to be able to see them all in the same place, like if you opened up C:\Openvpn in your Windows Explorer you would need to see all the ovpn and batch files there. Then run the batch file.

In your screenshot you need to check the All servers for area region

If you want port recommendations I would just say UDP & TCP, Ports 80 and 443
HocusPocus 1 Posted ...

Hi Omniferum,

Thanks so much for your patience and help. I've checked off the top four boxes for Direct Protocol UDP 443 and TCP 443; and, Direct Protocol UDP 80 and TCP 80. Yes, I forgot to add 'all servers in area region'. Done!

Many many thanks for your help,
Zhriver 1 Posted ...

I'm struggling to get this to work. I've read through the thread multiple times and still can't get it working. Still able to access the web without the VPN active.

I've created the 2 bat files.
I've put them in a folder with the .ovpn files.
I crossed off the Resolved hosts in .ovpn file, All servers for area region.
I've run the bat to create the rules for the firewall. The rules show up in the firewall.
Renamed the tap connection to VPN.
Tried running the flipper to see if that made a difference, it doesn't.
HocusPocus 1 Posted ...

Hi Zhriver,

Review all of the steps as follows (with thanks to Omniferum and Staff):

1. Copy Omniferum's two .bat files (see above). Also, rename the TAP-Windows Adapter v9.
NOTE: I have also made a little 'VPN flipper' (EDIT: NEW, IMPROVED 'flipper' 31-Aug-13), so you can switch your firewall to operate normally or in VPN secure mode (DNS and all that). For this to work you need to go to your network connections and right click the TAP-Windows Adapter v9, select 'Rename' and give it the name VPN.

2. Create and add an API key field as per staff:
The VPN flipper is a script file as well, so you can name it for example "vpnflipper.bat". It will need that you use our API (see the FAQ for more information). Its purpose is to toggle the firewall configuration to "VPN anti-leak mode" and "normal mode".
Log in the web site with your account and click "Client Area". Select "Settings" from the left tabs. In the "API Key" field, click to open the menu and select "Enable and generate new key". Click "Save Settings". Now the page will reload and in the API Key field your key will appear (a long string with letters and digits). Select it with the mouse and copy it.
In your VPN flipper script, find the line:
set apikey=<fillmeinwithyourinformation!>
delete <fillmewithyourinformation!> and paste at its place the API key, just after the '=' symbol.
Then, find the line:
set apiservice=<fillmeinwithyourselection!>
and replace <fillmewithyourselection!> with: disconnect just after the '=' symbol.
All of the above is optional, the script will work even without setting apikey and apiservice.

3. Create the .ovpn files in the Config Generator section of your AirVPN Client Area. Choose:
1. Your type of Operating System
2. Selection of servers
3. Advanced Mode - Tick off the following:
- Resolved hosts in .ovpn file
- All servers for area region
- If you want port recommendations I would just say UDP & TCP, Ports 80 and 443
Generate

4. Add these generated .ovpn files with the two .bat files in OpenVPN > config

5. Run the .bat files
Omniferum 9 Posted ...

I should perhaps point out to everyone that renaming the network adapter isn't actually necessary anymore. I just didn't want to research at the time if fiddling with the DNS on adapters other than your main link would do something funny. The scripts as they stand now do not require you to rename any network adapter as it will lock down the DNS on ALL your adapters for secure usage. So even if before you didn't do that step, it doesn't make a difference.

I'm struggling to get this to work. I've read through the thread multiple times and still can't get it working. Still able to access the web without the VPN active. I've created the 2 bat files. I've put them in a folder with the .ovpn files. I crossed off the Resolved hosts in .ovpn file, All servers for area region. I've run the bat to create the rules for the firewall. The rules show up in the firewall. Renamed the tap connection to VPN. Tried running the flipper to see if that made a difference, it doesn't.

For reference's sake there is the possibility that the copy/paste isn't going correctly for you. Your browser might be wrapping text so what you copy/paste isn't the EXACT code as posted in my post. That is somewhat the only thing I can think of.

What OS are you running? Windows 7 Basic might not be able to do stuff like this. Just throwing ideas out.
HocusPocus 1 Posted ...

Hi Omniferum,

I've installed everything as per above. Word wrap is not on and I'm running Windows 7 Home Premium. I have assigned a specific port for utorrent (Client Area) and I'm connected to the AirVPN.

Received when utorrent is running:
DANGER! Reachable on real IP over the external port 61014, tcp protocol.

Not connected to utorrent:
Not reachable on server IP over the external port 30823, tcp protocol. Error : 110 - Connection timed out

.bat file in text format for Flipper Switch. When replacing the set apikey=<fillmeinwithyourinformation!> does the ! mark stay?

@ECHO OFF
SETLOCAL ENABLEDELAYEDEXPANSION
SETLOCAL ENABLEEXTENSIONS

::The powershell commands in this script are Powershell 2.0, which is what Windows 7 comes installed with by default. They will work for Windows 8 as well.

set vpndnsprimary=10.4.0.1
set vpndnssecondary=10.5.0.1

::Put the filename of your OVPN file here. The filename can have spaces
set yourpreferredovpn=<fillmeinwithyourinformation!>

set apikey=<fillmeinwithyourinformation!>
::Valid options are: disconnect,userinfo
set apiservice=<fillmeinwithyourselection!>

::Check what state the firewall is in (VPN ONLY or ALLOW ALL)
::"netsh ... firewallpolicy" prints e.g. "Firewall Policy  BlockInbound,AllowOutbound" per profile; token 3 is the policy pair
for /f "tokens=3,4" %%a in ('netsh advfirewall show allprofiles firewallpolicy ^| findstr ^,') do set state=%%a
if "%state%" EQU "BlockInbound,BlockOutbound" goto :VPN
if "%state%" EQU "BlockInbound,AllowOutbound" goto :ALL
::Neither known state matched, so do not guess which way to flip
ECHO Unrecognised firewall policy state: "%state%" - nothing changed
PAUSE >NUL 2>NUL
goto :EOF

:VPN
CHOICE /m "The firewall currently allows ONLY VPN traffic, do you wish to allow ALL traffic?"
if %errorlevel% EQU 1 (
    REM "::" comments are labels and misbehave inside ( ) blocks, so REM is used in here
    REM This powershell command allows you to send an API request
    Powershell.exe -NoProfile -Command ^(New-Object System.Net.WebClient^).DownloadString^('https://airvpn.org/api/?key^=!apikey!^&service^=!apiservice!^&format^=text'^)
    taskkill /f /im openvpn*
    netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
    REM Identify all NIC's and set their DNS to DHCP
    for /f "tokens=*" %%a in ('Powershell.exe -NoProfile -Command "Get-WmiObject Win32_NetworkAdapter | %%{$_.NetConnectionID}"') do (
        ipconfig /flushdns>NUL 2>NUL
        netsh interface ip set dns "%%a" dhcp>NUL 2>NUL
        ipconfig /flushdns>NUL 2>NUL
    )
)
goto :EOF

:ALL
CHOICE /m "The firewall currently allows ALL traffic, do you wish to allow ONLY VPN traffic?"
if %errorlevel% EQU 1 (
    netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
    REM Identify all NIC's and set their DNS to the secure VPN DNS
    for /f "tokens=*" %%a in ('Powershell.exe -NoProfile -Command "Get-WmiObject Win32_NetworkAdapter | %%{$_.NetConnectionID}"') do (
        ipconfig /flushdns>NUL 2>NUL
        netsh interface ip set dns "%%a" static %vpndnsprimary% primary no>NUL 2>NUL
        ipconfig /flushdns>NUL 2>NUL
        netsh interface ip add dns "%%a" %vpndnssecondary% index=2 no>NUL 2>NUL
        ipconfig /flushdns>NUL 2>NUL
    )
    start "" "C:\Program Files (x86)\OpenVPN\bin\openvpn-gui.exe" --connect "!yourpreferredovpn!">NUL 2>NUL
)

Any suggestions,
hp
Omniferum 9 Posted ...

Just a bump so everyone who has had any issues with this prior can try the new scripts to aid in troubleshooting.
tunica 0 Posted ...

My bat file keeps erroring out that it can't find the ovpn files but they are there in the same folder as the bat file. Thoughts anyone?

Directory of C:\1airvpn

09/21/2013 01:21 PM <DIR> .
09/21/2013 01:21 PM <DIR> ..
09/21/2013 01:12 PM 41,607 AirVPN.zip
09/21/2013 08:12 PM 9,231 AirVPN_America_TCP-443.ovpn
09/21/2013 08:12 PM 9,219 AirVPN_America_TCP-80.ovpn
09/21/2013 08:12 PM 9,255 AirVPN_America_UDP-443.ovpn
09/21/2013 08:12 PM 9,243 AirVPN_America_UDP-80.ovpn
09/21/2013 08:12 PM 9,646 AirVPN_Europe_TCP-443.ovpn
09/21/2013 08:12 PM 9,618 AirVPN_Europe_TCP-80.ovpn
09/21/2013 08:12 PM 9,670 AirVPN_Europe_UDP-443.ovpn
09/21/2013 08:12 PM 9,642 AirVPN_Europe_UDP-80.ovpn
09/21/2013 12:44 PM 2,574 create firewall rules.bat
09/21/2013 01:21 PM 0 vpn.txt
09/21/2013 12:40 PM 2,364 vpnflipper.bat
09/02/2013 06:00 PM 9,183,854 vpn_firewall.pdf
13 File(s) 9,305,923 bytes
2 Dir(s) 60,800,172,032 bytes free
Omniferum 9 Posted ...

I assume the 'IF EXIST *.ovpn' part is buggering up for you. Works fine on my computer though. If you just delete:

IF NOT EXIST *.ovpn (
ECHO ******************************************************************
ECHO This script cannot continue because it could not find the .ovpn
ECHO files required in the same directory as this script.
ECHO.
ECHO For reference the directory that this script is in is:
ECHO "%~dp0"
ECHO ******************************************************************
PAUSE
GOTO :EOF
)

out of the batch file it should continue normally.
tunica 0 Posted ...

I commented out those lines and then the bat file errored out not finding IP addresses in my ovpn files. They are there, I looked in Notepad.

Anyway, I think I see what the bat file is trying to accomplish, which is entering the AirVPN IP addresses as allowed remote IP addresses in outbound connections while also allowing outbound localip and local subnet addresses. I have entered some of the AirVPN IPs to test manually and that works OK.

I don't see any rules for inbound connections in the bat file and this is where I get hung up when using my BitTorrent client. AirVPN's port forwarding fails the test for the ports I have set up. My guess is that I need to set up inbound rules similar to the outbound ones but am not sure what inbound IP addresses I should be allowing. Same as those in the ovpn files or ?

Right now I have a rule that allows 10.4.0.0-10.9.255.255 and the port forwarding test works EXCEPT that when the VPN connection drops (for whatever reason), my BitTorrent client continues to function (although it seems to be at lower speeds). My goal is that this shouldn't function at all if there is no VPN connection. I use uTorrent, should I be using the net.bind.ip or something similar?

I will try testing some of these things on my own but haven't had a chance to so far. Thanks for the help.
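The outbound allow-list tunica describes the rules .bat building (AirVPN endpoint IPs as allowed remote addresses, plus the local subnet) can be generated from the resolved "remote" lines of the .ovpn files themselves, which also shows why the "Resolved hosts in .ovpn file" option matters: hostnames instead of IPs produce no rules. This is an added example in PowerShell 2.0-compatible syntax, not Omniferum's or AirVPN's code; $ConfigDir and $Prefix are assumed values, and it prints the netsh commands unless run with -Apply.

```powershell
# Added example (not the thread's own script): build the outbound allow-list
# from the resolved "remote <ip> <port> [proto]" lines of the .ovpn files and
# apply it with netsh. $ConfigDir and $Prefix are assumptions. Without -Apply
# the commands are only printed, so they can be reviewed before anything changes.
param(
    [string]$ConfigDir = "C:\Program Files\OpenVPN\config",
    [string]$Prefix    = "VPN-only",
    [switch]$Apply
)

$endpoints = @{}   # "ip|port|proto" -> $true, deduplicated across all files
Get-ChildItem -Path $ConfigDir -Filter *.ovpn | ForEach-Object {
    $proto = 'UDP'; $found = @()   # OpenVPN defaults to UDP when no 'proto' line exists
    foreach ($line in Get-Content $_.FullName) {
        if ($line -match '^\s*proto\s+(udp|tcp)') { $proto = $matches[1].ToUpper() }
        # The host must already be an IP; a hostname here is skipped on purpose.
        if ($line -match '^\s*remote\s+(\d{1,3}(\.\d{1,3}){3})\s+(\d+)(\s+(udp|tcp))?') {
            if ($matches[5]) { $p = $matches[5].ToUpper() } else { $p = '' }
            $found += ,@($matches[1], $matches[3], $p)
        }
    }
    foreach ($e in $found) {        # apply the file-level proto to lines that had none
        if ($e[2] -eq '') { $e[2] = $proto }
        $endpoints["$($e[0])|$($e[1])|$($e[2])"] = $true
    }
}
if ($endpoints.Count -eq 0) { throw "No resolved 'remote' IP lines found in $ConfigDir\*.ovpn" }

# Default-deny both directions (the same policy the flipper sets for VPN-only mode),
# keep the local subnet reachable, then allow only the VPN endpoints outbound.
$cmds = @('netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound')
$cmds += "netsh advfirewall firewall add rule name=`"$Prefix LAN`" dir=out action=allow remoteip=localsubnet"
foreach ($key in ($endpoints.Keys | Sort-Object)) {
    $ip, $port, $pr = $key.Split('|')
    $cmds += "netsh advfirewall firewall add rule name=`"$Prefix $ip $pr/$port`" dir=out action=allow protocol=$pr remoteip=$ip remoteport=$port"
}
foreach ($c in $cmds) {
    if ($Apply) { cmd /c $c } else { Write-Output $c }   # dry run prints the commands
}
```

Run it from an elevated PowerShell; it only covers the endpoint and LAN rules, so the DNS switching and the VPN-tunnel rules remain the job of the flipper and rules scripts from the thread.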