Omniferum 9 Posted ...
Chances are you already have a utorrent 'in-bound allow' rule in your firewall. Delete that then try again.
tunica 0 Posted ...
That would seem to be a good idea except that I don't have such a rule (all utorrent rules are disabled). I have come up with a partial solution. Windows firewall was set to allow all outbound connections by default. I changed this to block. So with your rules things work as expected except for one thing. When I disconnect the vpn all internet access stops as desired but when I try to reconnect the airvpn client fails to connect to a remote server. So it seems that I am missing an allow rule in my outbound connections. Am not sure what the client is doing that is being blocked by default. I am allowing 10.4.0.0-10.9.255.255 and the airvpn ips. Default outbound rules already allow network connections and such. Any idea what I might be missing? Thanks!
Staff 9968 Posted ...
> That would seem to be a good idea except that I don't have such a rule (all utorrent rules are disabled). I have come up with a partial solution. Windows firewall was set to allow all outbound connections by default. I changed this to block. So with your rules things work as expected except for one thing. When I disconnect the vpn all internet access stops as desired but when I try to reconnect the airvpn client fails to connect to a remote server. So it seems that I am missing an allow rule in my outbound connections. Am not sure what the client is doing that is being blocked by default. I am allowing 10.4.0.0-10.9.255.255 and the airvpn ips. Default outbound rules already allow network connections and such. Any idea what I might be missing? Thanks!
Hello! Try to allow airvpn.org IP address if you run the Air client. The Air client connects to airvpn.org in order to download the servers list etc. Also edit your hosts file in order to allow airvpn.org resolution with no need of a DNS query (which would be dropped by the firewall). Kind regards
Omniferum 9 Posted ...
> That would seem to be a good idea except that I don't have such a rule (all utorrent rules are disabled). I have come up with a partial solution. Windows firewall was set to allow all outbound connections by default. I changed this to block. So with your rules things work as expected except for one thing. When I disconnect the vpn all internet access stops as desired but when I try to reconnect the airvpn client fails to connect to a remote server. So it seems that I am missing an allow rule in my outbound connections. Am not sure what the client is doing that is being blocked by default. I am allowing 10.4.0.0-10.9.255.255 and the airvpn ips. Default outbound rules already allow network connections and such. Any idea what I might be missing? Thanks!
This seems more like an error in the rule creation rather than the firewall flipper. If you just want to manually check the rules or try the rules being created again with the batch in the original post you may get some leeway.
- VPN_RESOLUTION_OUTBOUND - The remote ip addresses listed here should be all the airvpn servers
- ALL_LOCAL_OUTBOUND - The remote ip should just be local subnet and only applies to your 'internal' network
- VPN_INTERNET_OUTBOUND - The local ip should be your adapter range (i.e. 10.4.0.0 - 10.9.255.255)
Beyond that I would not know, I cannot replicate your problem as for me the rules block everything in entirety.
If you want a methodology overview all the rules do is:
- Always allow your local network traffic on everything
- Only allow your computer to connect to airvpn servers
- Only allow your VPN adapter to connect to 'everything'
There are no in-bound rules because functionally I found it makes no real difference. Your firewall by default will block unauthorized or suspicious inbound requests, and even if you are sent something you did not ask for your computer will not respond to it unless it is on the VPN. Blocking one pipe in the in/out flow of information effectively stops 'all'.
For example on the rule someone could 'send' you a ping, and you would receive it. But because you are not allowing anything 'out' that someone could not see if there was a response from that ping.
tunica 0 Posted ...
I could not get the bat file to create the outbound rules. For some unknown reason it wasn't seeing the ovpn files. I did create them manually based on your batch file (haven't tried the flipper yet) and got it to work once I changed the firewall's outbound default behavior to "block" rather than "allow". I also added the airvpn.org ip to the VPN_RESOLUTION_OUTBOUND rule. I use the airvpn client and was running into problems connecting until I did that as well. Thanks for the tools.
Omniferum 9 Posted ...
Ah. I have no experience with the AirVPN client. I doubt it is doing anything different though. So, unsure I am.
tunica 0 Posted ...
One more note. I do have a vpn inbound allow rule for the 10.4.0.0 - 10.9.255.255 range. Without it my airvpn forwarded ports will not do their thing (i.e. torrent client and remote desktop connection).
Ace3342 0 Posted ...
Guys, I have a question here. Usually I work from Home, so no problem to set-up windows firewall as described above. But what is going to happen when, for example, I will be connecting from the Office? In that case I cannot use AirVPN because the connection is not given by an ISP but by the company I work for. My concern is that the connection might not work because of the new "airVpn" firewall settings. This is maybe a stupid question, sorry but I am not an expert. Thanks
Omniferum 9 Posted ...
Really depends on what sort of company you work for. If they use enterprise level stuff you wouldn't even be allowed to install OpenVPN or anything as such. If the network admin actually does his job YOU wouldn't be allowed to affect firewall settings. Unless you are referring to a laptop that you take to/from work that you DO have the rights over. In that situation it would be no different than if you were connecting at home (saving any special gateways etc.). The internet provided via company intranet just needs to be authenticated like a public wi-fi hotspot (except usually it is all domain verification stuff that you don't have to do anything about). So you can connect via the VPN or normally if you like. I would recommend port 443 as enterprise stuff should allow that by default. Port 80 if you find nothing is getting through.
Ace3342 0 Posted ...
Sorry for this basic question: where should I copy the second block of text of your tutorial (the VPN flipper)? How to check which ports are used? Thanks.
Ace3342 0 Posted ...
That was really stupid, forget my question about where to put the second batch file. But now I have another (hopefully less stupid) question: how to operate the Flipper to switch from VPN Only to "normal" mode? In Windows Firewall? Thanks again.
Omniferum 9 Posted ...
You just run it again. The script detects what state the firewall is in and offers to 'flip' it the other way.
Ace3342 0 Posted ...
Thanks much!! I am gonna try it in the next few days. In case of messing up things with my "corporate" settings, is there any way to revert back all Windows Firewall settings to the status before?
Omniferum 9 Posted ...
Just flipping it to 'off' will do perfectly fine. Otherwise you can just look at the rule generator and see that there is a command there for rule deletion, copy and paste those lines into another batch or into the command line and run it. It will remove all the rules created. You will still need to 'flip' the firewall to its 'ALL traffic' state.
josper 0 Posted ...
Hi
I'm currently testing Airvpn and since I wanted to use the Windows Firewall I found this very interesting topic (https://airvpn.org/t...s-to-omniferum/) where Omniferum built two .bat files in order to manage the Windows Firewall properly.
Sadly my Windows 8.1 is the French version, so please: could somebody provide the effective French "translation" for the two batch files?
Thanks
(for moderator only: this post is the same as the one I did before outside this thread: https://airvpn.org/topic/11143-windows-firewall-config-bat-files-in-french/?hl=%2Bfirewall+%2Bfrench / could you please delete this old one which remains answer-less...)
best regards
Guest Chaf Posted ...
For non-English windows firewall rules creation... wouldn't it be interesting to provide a *.wfw file (Exported firewall strategy)? I have a working setup using:
1. pre.bat script
   - If any active DHCP adapters exist, switches to static.
2. up.bat script
   - Clears the DNS servers for all active adapters except the TAP32 adapter.
   - Loads a Firewall strategy based on Omniferum provided rules but tweaked a bit further.
   - Clear the DNS servers for all active adapters except the TAP32 adapter.
   - Loads http://ipleak.net webpage to confirm IP & no DNS leaks.
3. down.bat script
   - Reconfigure adapters back to their original configuration
   - Resets Windows Firewall strategy to default configuration
It works like a charm and would be happy to provide the files as soon as I am sure about a few remaining firewall rules to tweak & adding ALL the AirVPN entry servers IP.
josper 0 Posted ...
Hi @Denver: seems to be a good bunch of ideas! I'll follow its development.
thanks
regards
Mike White 0 Posted ...
Is there any chance to get solutions for other major language versions of Windows 7? I'm using a German version and it is a real pain to find anything that secures the system when it disconnects. Comodo is ... let's say cryptic. It was announced last summer that the team would be working on an easily accessible solution. Sadly, there doesn't seem to be any news on it. This seriously limits the security and value of a VPN for me.
Guest Chaf Posted ...
I have a working solution like said in my previous post and was about to release it until I noticed that since the upgrade to OpenVPN 2.3.3 PRE, UP, DOWN scripts don't work anymore... I can forward you an archive that you can try and let me know if it works for you also but the scripts would need to be started manually until I set things up with the new OpenVPN version...
Malakai 0 Posted ...
Hi
Please may I ask for assistance in getting Omniferum .bat files to work? What I have done:
1. Config Generator > Select Windows > Select United Kingdom.
2. Select Advanced Mode > Resolved Hosts & All Servers.
3. Save generated files to /OpenVPN/Config.
4. Run .bat file but receive the following error - Your .ovpn file does not contain an IP address, it most likely has a DNS address (e.g. www.google.com - when it should be: 1.1.1.1)
5. It does generate a new file called rawvpnip.txt, which contains a list of IP Addresses.
Please advise what this error means and how I can fix it?
Thanks
Malakai
wombat 2 Posted ...
Thanks for sharing this script. However I'm having the same problem as Malakai. The .ovpn files are not recognised by the script. Commenting out the ovpn check portion of the script results in the same error. The .ovpn file does not contain an IP address. I'm using Windows 7 and running the bat file as admin. Has anyone else managed to get this to work?
Omniferum 9 Posted ...
Ah, my topic has been revived it would seem. There is a rather basic error in the main post sorry, but that was a formatting error on my part. If you use the updated post you should find no further problems regarding IP error messages. For reference I just did not escape the curved brackets on the version I uploaded. As for the language thing I am taking a stab at it now. It would help if anyone could provide me with the specific language string that your firewall rules use.
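Added example, not part of the thread and not Omniferum's batch files: the IP-address check that the error message in this exchange refers to, followed by the three outbound rules described earlier in the thread, generated as netsh command strings. The parsing logic, the fourth command (default outbound policy set to block), and the sample .ovpn text with documentation-range addresses and vpn.example.net are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample .ovpn content (documentation-range addresses, made-up hostname).
SAMPLE_OVPN = """\
client
dev tun
remote 192.0.2.10 443
remote 198.51.100.7 443 udp
; remote 203.0.113.5 443
remote vpn.example.net 443
"""

def parse_remotes(ovpn_text):
    """Return (ip_literals, hostnames) found in `remote <host> [port] [proto]` lines."""
    ips, names = [], []
    for raw in ovpn_text.splitlines():
        parts = raw.strip().split()
        # Lines starting with '#' or ';' are comments and never match "remote".
        if len(parts) < 2 or parts[0] != "remote":
            continue
        host = parts[1]
        try:
            ipaddress.IPv4Address(host)
            bucket = ips
        except ValueError:
            bucket = names
        if host not in bucket:
            bucket.append(host)
    return ips, names

def build_rules(ovpn_text, adapter_range="10.4.0.0-10.9.255.255"):
    """Build netsh commands for the three rules named in the thread (assumed syntax)."""
    ips, names = parse_remotes(ovpn_text)
    if names or not ips:
        # A hostname would need a DNS query, which the block-by-default policy drops.
        raise ValueError(f"need IP literals only; hostnames found: {names}")
    add = "netsh advfirewall firewall add rule"
    return [
        f'{add} name="ALL_LOCAL_OUTBOUND" dir=out action=allow remoteip=localsubnet',
        f'{add} name="VPN_RESOLUTION_OUTBOUND" dir=out action=allow remoteip={",".join(ips)}',
        f'{add} name="VPN_INTERNET_OUTBOUND" dir=out action=allow localip={adapter_range}',
        # Assumption: default outbound policy set to block, as tunica reported was needed.
        "netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound",
    ]

if __name__ == "__main__":
    print(parse_remotes(SAMPLE_OVPN))
    resolved_only = "\n".join(l for l in SAMPLE_OVPN.splitlines() if "example" not in l)
    print("\n".join(build_rules(resolved_only)))
```

The commands are only printed, so they can be reviewed before being pasted into an elevated prompt.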
Omniferum 9 Posted ...
Localizations
OK, I downloaded/installed MSDN ISOs for the French/German versions into a VM (an absolute pain in the ass to install these things with a keyboard layout that isn't my actual keyboard). And on the base installation other than enabling administrator mode I did not actually need to do anything for the firewall rules to be implemented.
Basically: VPNFirewallRules.bat works as intended, German or French. So I assume everyone's concern is with the FirewallFlip.bat (where you can toggle it on/off).
Found the problem with the firewall flip. It has been rectified. Please use the updated scripts in the main post, it should now work regardless of language as all netsh commands are in English (and corresponding registry entries).
The only real thing people should keep in mind is that you need administrator mode for this. I have included a little .bat that will enable admin mode for you as well (it works for French/German, and should for other languages too).
Confirmation from people would be welcome.
Omniferum 9 Posted ...
Would appreciate it if an admin would update the scripts in the "How-To" section so everyone can have the fixed/language independent versions of the script. Just posting this to bring it to their attention.