ANSWERED Blocking non-VPN traffic with Windows Firewall


Guest Chaf

Hi all,

 

Attached to this post is a zip of my OpenVPN config folder (without my AirVPN connection files, of course!)

 

What it does:

- Applies firewall rules based on those provided by Omniferum

- Protects against leaks based on dnsleaktest advices

- Backs up and restores original firewall rules before/after openvpn connection/disconnection

- On OpenVPN connection, opens the ipleak.net web page to confirm the connection and that there are no DNS leaks.

 

Only 2 things to do:

- Add your Europe config files to the config folder in the OpenVPN install directory

- In Windows Network Connections, rename the devices: wifi -> wlan, ethernet -> lan

 

This is basic but functional and needs to be adapted to your config files and usage, but I'd be happy to help if needed.

 

http://www.sendspace.com/file/oy0b26


I can't speak for denver's method but technically mine should work with the airvpn client. I have never used their client but I believe it is based on OpenVPN.

 

The only line that is actually relevant to any 'specific' program is:

netsh advfirewall firewall add rule name="VPN_INTERNET_OUTBOUND" dir=out action=allow localip=10.4.0.0-10.9.255.255

 

That line (specifically the ip range in the localip=) points your firewall to only accept internet on adapters within that range, which is the range on which OpenVPN adapters function. The airvpn-client should use the same range.

 

For the record, the firewall flipper will still work as well, just none of the OpenVPN functionality (terminating it/auto-connecting to stuff).

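The three rules discussed above, assembled as an added PowerShell example (this is not the guide's script and not any poster's batch file). It reads the remote addresses out of the .ovpn files, refuses to continue if a file carries a hostname instead of an address (the case the "Resolved hosts in .ovpn file" option exists for), collapses the TCP/UDP copies of the same server into one entry, and only then switches the profiles to BlockOutbound, so a parsing failure leaves the firewall untouched. The two config directories, the function names and the exit-code handling are my assumptions; the 10.4.0.0-10.9.255.255 range is the one quoted in the post.

```powershell
# Added example, not the thread's batch script. Run from an elevated PowerShell prompt.
# Assumed: the OpenVPN config directories below; the tunnel range quoted in the post above.
$ConfigDirs  = 'C:\Program Files\OpenVPN\config', 'C:\Program Files (x86)\OpenVPN\config'
$TunnelRange = '10.4.0.0-10.9.255.255'
$RuleNames   = 'ALL_LOCAL_OUTBOUND', 'VPN_RESOLUTION_OUTBOUND', 'VPN_INTERNET_OUTBOUND'

# Collect the distinct IPv4 endpoints from every "remote <host> [port] [proto]" line.
# A hostname here is fatal: the endpoints must be allowed by address, because DNS is exactly
# what is blocked until the tunnel is up (hence "Resolved hosts in .ovpn file").
function Get-OvpnRemoteAddresses {
    param([string[]]$Files)
    $ips        = New-Object 'System.Collections.Generic.List[string]'
    $unresolved = New-Object 'System.Collections.Generic.List[string]'
    foreach ($file in $Files) {
        foreach ($line in Get-Content -LiteralPath $file) {
            # Anchored so that remote-cert-tls / remote-random lines are not matched.
            if ($line -match '^\s*remote\s+(\S+)') {
                $target = $Matches[1]
                if ($target -match '^\d{1,3}(\.\d{1,3}){3}$' -and [System.Net.IPAddress]::TryParse($target, [ref]$null)) {
                    if (-not $ips.Contains($target)) { $ips.Add($target) }   # TCP and UDP files share IPs
                } else {
                    $unresolved.Add("$file -> $target")
                }
            }
        }
    }
    if ($unresolved.Count -gt 0) {
        throw ("Hostnames instead of IPs found; regenerate with 'Resolved hosts in .ovpn file':`n" + ($unresolved -join "`n"))
    }
    if ($ips.Count -eq 0) { throw 'No remote IPv4 addresses found in any .ovpn file.' }
    return $ips
}

# netsh reports failure through its exit code plus a one-line message; make that fatal.
function Invoke-Netsh {
    param([string[]]$Arguments)
    $out = & netsh.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh $($Arguments -join ' ') failed: $out" }
}

function Set-VpnOnlyFirewall {
    param([string[]]$RemoteIps, [string]$LocalTunnelRange)
    foreach ($name in $RuleNames) {   # remove stale copies; "no rules match" is fine here
        & netsh.exe advfirewall firewall delete rule "name=$name" | Out-Null
    }
    # 1. The LAN (printer, router page) stays reachable with or without the tunnel.
    Invoke-Netsh 'advfirewall','firewall','add','rule','name=ALL_LOCAL_OUTBOUND','dir=out','action=allow','remoteip=LocalSubnet'
    # 2. The only plain-Internet exception: the VPN endpoints themselves, so the tunnel can be built.
    Invoke-Netsh 'advfirewall','firewall','add','rule','name=VPN_RESOLUTION_OUTBOUND','dir=out','action=allow',"remoteip=$($RemoteIps -join ',')"
    # 3. Everything else must be sourced from a tunnel address, i.e. leave through the TAP adapter.
    Invoke-Netsh 'advfirewall','firewall','add','rule','name=VPN_INTERNET_OUTBOUND','dir=out','action=allow',"localip=$LocalTunnelRange"
    # Default-deny outbound on all profiles; the three allow rules above are the only holes.
    Invoke-Netsh 'advfirewall','set','allprofiles','firewallpolicy','blockinbound,blockoutbound'
}

$files = Get-ChildItem -Path $ConfigDirs -Filter *.ovpn -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName
if (-not $files) { throw "No .ovpn files under $($ConfigDirs -join ' or ')" }
$ips = Get-OvpnRemoteAddresses -Files $files
Write-Host "Allowing $($ips.Count) VPN endpoint(s) outside the tunnel: $($ips -join ', ')"
Set-VpnOnlyFirewall -RemoteIps $ips -LocalTunnelRange $TunnelRange
# Show what was actually written, so the result can be eyeballed against the .ovpn files.
netsh advfirewall firewall show rule name=VPN_RESOLUTION_OUTBOUND
netsh advfirewall show allprofiles firewallpolicy
```

Re-running it is safe: it deletes its own three rules before recreating them, and nothing about the default policy changes until every .ovpn file has parsed cleanly.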

Some questions:

 

- Is it possible to add some rules to also block incoming connections?

- In my Win7 there are preinstalled rules, for example one called "Windows Media Player (TCP-Out)". These rules take precedence over your general "BlockOutbound"... is there some solution, or do people need to disable them?

 

Thanks, great guide!

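An added check for the two questions just asked (example code, not part of the guide). On Windows Firewall an explicit allow rule wins over the profile's default outbound action, so a pre-installed "Windows Media Player (TCP-Out)" style rule really does bypass BlockOutbound unless it is disabled; inbound is simply the BlockInbound half of the same firewallpolicy setting. The script lists the default action on each profile, every enabled outbound allow rule other than the guide's three, the DNS servers on each adapter, and whether a tunnel address is present at all. It assumes the NetSecurity and DnsClient cmdlets (Windows 8 / Server 2012 or later, not the Windows 7 most of this thread targets), the 10.4.0.0-10.9.255.255 range from above, and the AirVPN resolvers 10.4.0.1 and 10.5.0.1 used later in this thread; the ok/LEAK/HOLE labels are mine.

```powershell
# Added audit example, not part of the guide. Assumes the NetSecurity/DnsClient cmdlets
# (Windows 8 / Server 2012 or later) and an elevated prompt; the ok/LEAK/HOLE labels are mine.
$ExpectedRules = 'ALL_LOCAL_OUTBOUND', 'VPN_RESOLUTION_OUTBOUND', 'VPN_INTERNET_OUTBOUND'
$TunnelRange   = '10.4.0.0-10.9.255.255'    # OpenVPN tunnel addresses, as stated above
$VpnDns        = '10.4.0.1', '10.5.0.1'      # AirVPN resolvers used later in this thread (assumed)

function ConvertTo-IpNumber([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}

function Test-IpInRange([string]$Ip, [string]$Range) {
    $lo, $hi = $Range -split '-'
    $n = ConvertTo-IpNumber $Ip
    return ($n -ge (ConvertTo-IpNumber $lo)) -and ($n -le (ConvertTo-IpNumber $hi))
}

# 1. Default outbound action per profile. The three allow rules only mean something when
#    every enabled profile falls back to Block.
foreach ($p in Get-NetFirewallProfile) {
    $status = if ($p.Enabled -eq 'True' -and $p.DefaultOutboundAction -eq 'Block') { 'ok' } else { 'LEAK' }
    '{0,-8} profile {1,-7} enabled={2} outbound={3}' -f $status, $p.Name, $p.Enabled, $p.DefaultOutboundAction
}

# 2. Enabled outbound allow rules other than the guide's own. Allow rules take precedence over
#    the profile default, so each of these (the built-in "Windows Media Player (TCP-Out)" kind)
#    is a path around BlockOutbound that is not limited to the tunnel.
$extra = Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Where-Object { $ExpectedRules -notcontains $_.DisplayName -and $ExpectedRules -notcontains $_.Name }
foreach ($r in $extra) {
    $program = ($r | Get-NetFirewallApplicationFilter).Program
    "HOLE     rule '{0}' profile={1} program={2}" -f $r.DisplayName, $r.Profile, $program
}
if (-not $extra) { 'ok       no outbound allow rules besides the three expected ones' }

# 3. DNS: every IPv4 adapter should point only at the VPN resolvers. A resolver on the LAN
#    (the router) is reachable through ALL_LOCAL_OUTBOUND even before the tunnel exists.
Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses } | ForEach-Object {
    $foreign = $_.ServerAddresses | Where-Object { $VpnDns -notcontains $_ }
    $status  = if ($foreign) { 'DNSLEAK' } else { 'ok' }
    "{0,-8} adapter '{1}' dns={2}" -f $status, $_.InterfaceAlias, ($_.ServerAddresses -join ',')
}

# 4. Is a tunnel address present? Without one, VPN_INTERNET_OUTBOUND matches nothing and only
#    the LAN and the VPN endpoints are reachable (fail closed, which is the intended state).
$tunnel = @(Get-NetIPAddress -AddressFamily IPv4 | Where-Object { Test-IpInRange $_.IPAddress $TunnelRange })
if ($tunnel.Count -gt 0) { "ok       tunnel address {0} on '{1}'" -f $tunnel[0].IPAddress, $tunnel[0].InterfaceAlias }
else { "DOWN     no address in $TunnelRange; Internet traffic is blocked until OpenVPN connects" }
```

Run it once with the VPN down and once with it up: with the VPN down the only acceptable non-ok line is the DOWN one in step 4; any HOLE line is a rule to disable or scope to the tunnel range, and any DNSLEAK line is an adapter that still points at the router or ISP resolver.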

Hi,
I’m using Win 7 Home Premium (German Edition). When I try running the ‘VPNFirewallRules.bat’ it can’t find the .ovpn files. I tried to remove the IF NOT EXIST *.ovpn part of the script, but then it crashes.
Can anyone help me with a step-by-step description how to modify the firewall manually, so that I can use the ‘FirewallFlip.bat’ ? Your help would be much appreciated.


Hi everyone,

I seem to have a weird issue here. I have set the two bat files to autostart on system startup, and the second bat file keeps triggering with the same message after I have powered on my machine.

Usually it would be prompting at the "The firewall currently allows "ONLY" VPN traffic, do you wish to allow "ALL" traffic?", but now after powering on and repeated reruns of the 2nd bat file it always prompts with this message "The firewall currently allows "ALL" traffic, do you wish to allow "ONLY" VPN traffic?"

I do not know why this is happening and now I cannot be certain that on a reboot my machine will be allowing DNS leaks. Please advise and any support is appreciated as always.

Cheers,

hakrins


Hi all,

 

I found a couple of problems with the 2 batch files posted at the start of the thread.

 

1. The stupid Windows locale crap messes with the return messages from the firewall, e.g. in German Windows instead of returning "AllowOutbound" it returns "Ausgehend zulassen".

Fix: since there is no problem with adding additional if cases in the script, that's exactly what I did.

 

2. The script only uses the 32-bit OpenVPN (by hard-coded path), which is sad in 2015, so I fixed that for me (who has less than 4 GB of RAM today?).

 

3. The ipconfig /release command messed everything up for me (both ways, while activating and deactivating), so I commented it out; I don't see the point anyway if it stays set to DHCP.

 

 

Now it seems to work fine and I'm very happy to have this forum and the basic setup provided by you guys, esp. OP. Thank you!

 

Here my scripts:

 

The "execute me once in the openvpnConfigFolder" setup script:

@ECHO OFF
SETLOCAL ENABLEDELAYEDEXPANSION
SETLOCAL ENABLEEXTENSIONS
 
::Work in the folder this script lives in. A .bat started "as administrator" runs with
::C:\Windows\System32 as its working directory, which is why *.ovpn is reported missing
::even though the files sit right next to the script.
CD /D "%~dp0"
 
::Everything here is designed to auto-extract and populate the variable "vpnip", which is used in one of the 3 commands at the bottom of this script. This script should work regardless of what language your OS is.
 
IF EXIST vpnip.txt DEL vpnip.txt
IF EXIST rawvpnip.txt DEL rawvpnip.txt
 
IF NOT EXIST *.ovpn (
ECHO ******************************************************************
ECHO This script cannot continue because it could not find the .ovpn
ECHO files required in the same directory as this script.
ECHO.
ECHO For reference the directory that this script is in is:
ECHO "%~dp0"
ECHO ******************************************************************
PAUSE
GOTO :EOF
)
 
::A remote line reads "remote 1.2.3.4 443", so token 2 (%%c) is the IP. The second findstr
::drops lines like "remote-cert-tls" or "remote host.example" that carry no dotted quad.
::The redirection is written BEFORE the ECHO on purpose: "ECHO 10.4.0.4>>file" is parsed by
::cmd as "redirect handle 4" and silently writes a truncated address.
FOR /F "tokens=*" %%a IN ('DIR /b *.ovpn') DO (
FOR /F "tokens=1-3 delims= " %%b IN ('type "%%a" ^| findstr "remote" ^| findstr /R "[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*"') DO (
>>rawvpnip.txt ECHO %%c
SET rvi=true
)
)
 
::rvi is only set once an IP has been found; "IF %rvi% NEQ true" would be a syntax error
::in the no-IP case because %rvi% expands to nothing.
IF NOT DEFINED rvi (
IF EXIST rawvpnip.txt DEL rawvpnip.txt
ECHO ******************************************************************
ECHO Your .ovpn file does not contain an IP address, it most likely has
ECHO a DNS address ^(e.g. www.google.com - when it should be: 1.1.1.1^)
ECHO This script cannot continue until you rectify this.
ECHO ******************************************************************
PAUSE
GOTO :EOF
)
 
::Remove duplicate IP's, useful IF you have both TCP and UDP .ovpn files
SET n=0
FOR /F "usebackq delims=" %%A IN (rawvpnip.txt) DO (
  SET "skip="
  for /l %%N IN (1 1 !n!) DO IF "%%A"=="!var%%N!" SET skip=1
  IF NOT DEFINED skip (
    >>vpnip.txt ECHO %%A
    SET /a n+=1
    SET "var!n!=%%A"
  )
)
DEL rawvpnip.txt
 
::Join the IP's into one comma separated list (the earlier version appended the first IP twice)
FOR /F "tokens=*" %%a IN ('type vpnip.txt') DO (
IF NOT DEFINED vpnip (SET vpnip=%%a) ELSE (SET vpnip=!vpnip!,%%a)
)
DEL vpnip.txt
 
::Delete any older rules that may have been put in place.
ECHO Deleting any rules this script may have made earlier...
netsh advfirewall firewall delete rule name="ALL_LOCAL_OUTBOUND"
netsh advfirewall firewall delete rule name="VPN_RESOLUTION_OUTBOUND"
netsh advfirewall firewall delete rule name="VPN_INTERNET_OUTBOUND"
::VPN Firewall Rules - This actually makes the rules, everything above was just to get the IP's out of the ovpn files automatically.
ECHO.
ECHO.
ECHO Creating all rules as necessary...
::The LAN stays reachable, the VPN endpoints are reachable directly (to build the tunnel), and
::everything else must be sourced from a tunnel address, i.e. go out through the TAP adapter.
netsh advfirewall firewall add rule name="ALL_LOCAL_OUTBOUND" dir=out action=allow remoteip=LocalSubnet
netsh advfirewall firewall add rule name="VPN_RESOLUTION_OUTBOUND" dir=out action=allow remoteip=%vpnip%
netsh advfirewall firewall add rule name="VPN_INTERNET_OUTBOUND" dir=out action=allow localip=10.4.0.0-10.9.255.255

 

And the script to execute for activation or deactivation of the VPN:

@ECHO OFF
SETLOCAL ENABLEDELAYEDEXPANSION
SETLOCAL ENABLEEXTENSIONS
 
SET vpndnsprimary=10.4.0.1
SET vpndnssecondary=10.5.0.1
 
::Prefer the 64-bit OpenVPN install, fall back to the 32-bit one (both paths were hard coded before).
SET "openvpndir=C:\Program Files\OpenVPN"
IF NOT EXIST "%openvpndir%\bin\openvpn-gui.exe" SET "openvpndir=C:\Program Files (x86)\OpenVPN"
 
::Put the filename of your preferred OVPN server here (just the name, e.g. AirVPN_Europe_UDP-443.ovpn,
::as openvpn-gui --connect expects a file name from its config folder). The filename can have spaces
SET "yourpreferredovpn="
 
::No preference given: pick a random .ovpn from the config folder. The index has to be read with
::delayed expansion, because the whole IF ( ... ) block is parsed at once and %rand% would be
::expanded (to nothing) before SET /A assigns it.
IF NOT DEFINED yourpreferredovpn (
SET /A n=0
FOR %%f IN ("%openvpndir%\config\*.ovpn") DO (
SET /A n+=1
SET "file[!n!]=%%~nxf"
)
IF !n! EQU 0 (
ECHO No .ovpn files found in "%openvpndir%\config"
PAUSE
GOTO :EOF
)
SET /A "rand=(n*!random!)/32768+1"
FOR %%r IN (!rand!) DO SET "yourpreferredovpn=!file[%%r]!"
)
 
SET apikey=
::Valid options are: disconnect,userinfo
SET apiservice=disconnect
 
::Check what state the firewall is in (VPN ONLY or ALLOW ALL). netsh prints one line per profile
::and the last one wins; the output is localised, hence the English and German variants below.
FOR /F "tokens=2 delims=," %%a IN ('netsh advfirewall show allprofiles firewallpolicy') DO SET state=%%a
IF "%state%" EQU "BlockOutbound" GOTO :VPN
IF "%state%" EQU "AllowOutbound" GOTO :ALL
IF "%state%" EQU "Ausgehend blockieren" GOTO :VPN
IF "%state%" EQU "Ausgehend zulassen" GOTO :ALL
ECHO %state%
ECHO Your firewall state cannot be determined. Press any key to exit this script.
PAUSE >NUL 2>NUL
GOTO :EOF
 
:VPN
CHOICE /m "The firewall currently allows 'ONLY' VPN traffic, do you wish to allow 'ALL' traffic?"
IF %ERRORLEVEL% EQU 1 (
REM Ask the AirVPN API to end the session, only when an API key is set. Quoting the whole
REM PowerShell command keeps its parentheses and ampersands away from cmd.
IF DEFINED apikey (
Powershell.exe -NoProfile -Command "(New-Object System.Net.WebClient).DownloadString('https://airvpn.org/api/?key=!apikey!&service=!apiservice!&format=text')"
)
taskkill /f /im openvpn*
netsh advfirewall SET allprofiles firewallpolicy BlockInbound,AllowOutbound
REM Identify all NIC's and set their DNS back to DHCP
FOR /F "tokens=2 delims=, skip=2" %%a IN ('"wmic nic where (netconnectionid like '%%') get netconnectionid,netconnectionstatus /format:csv"') DO (
netsh interface ip set dns "%%a" dhcp >NUL 2>NUL
netsh interface set interface name="%%a" disable >NUL 2>NUL
netsh interface set interface name="%%a" enable >NUL 2>NUL
)
REM ipconfig /release is left out on purpose, see point 3 above. Note that "#" is not a comment in batch.
ipconfig /flushdns >NUL 2>NUL
)
GOTO :EOF
 
:ALL
CHOICE /m "The firewall currently allows 'ALL' traffic, do you wish to allow 'ONLY' VPN traffic?"
IF %ERRORLEVEL% EQU 1 (
netsh advfirewall set allprofiles firewallpolicy BlockInbound,BlockOutbound
REM Identify all NIC's and set their DNS to the secure VPN DNS
FOR /F "tokens=2 delims=, skip=2" %%a IN ('"wmic nic where (netconnectionid like '%%') get netconnectionid,netconnectionstatus /format:csv"') DO (
ipconfig /flushdns >NUL 2>NUL
netsh interface ip set dns "%%a" static %vpndnsprimary% primary validate=no >NUL 2>NUL
netsh interface ip add dns "%%a" %vpndnssecondary% index=2 validate=no >NUL 2>NUL
netsh interface set interface name="%%a" disable >NUL 2>NUL
netsh interface set interface name="%%a" enable >NUL 2>NUL
)
START "" "%openvpndir%\bin\openvpn-gui.exe" --connect "!yourpreferredovpn!" >NUL 2>NUL
)

 

Cheers,

db


Hello! I generated a .ovpn file and also the 2 .bat files, then I put them in my X:\Program Files\OpenVPN\config\ directory.

After I execute the first .bat file with the admin option I get an error:

This script cannot continue because it could not find the .ovpn
files required in the same directory as this script.  For reference the directory that this script is in is: ....

 

I made a file vpnip.txt with some digits/letters in it in the same dir. After I start the .bat file it doesn't delete it. What should I do?

 

Win7 32bit.


Please refer to the creation of the ovpn file on the first page of this guide:

 

OVPN FILE CREATION STEPS


Your .ovpn files need to be generated first.

To do so you need to go to the Config Generator section of your AirVPN Client Area (This place is on THIS website, not a program) with the following boxes checked:
-Advanced Mode (This has to be selected first so the next two can be visible)
-Resolved hosts in .ovpn file
-All servers for area region

 

It is important that you have the "Resolve hosts in .ovpn file" option selected!!!

Otherwise this whole thing does not work.


Nice to see my stuff is still helping people out.

 

I've updated the main topic with clearer steps, and added some extra things thanks to: dbuero

    -German language support

    -Added a rudimentary bit of code that will select the highest bit version of ovpn you have (some people still install the 32-bit on x64 OS's)

    -Removed the ipconfig /release command (it was only ever there as a 'just in case' thing anyway)

 

Any issues y'all can just let me know.


If I use Network Lock in Airvpn software, do I need to use the above method?

 

Hello!

 

No, in that case you don't need it and you must not use it.

 

Kind regards


Hello,

I would like to connect with the Tor option [VPN over Tor] offered in Preferences > Protocols.

 

If Direct, protocol UDP, port 443 (*) is chosen as these instructions require, and the rest of the instructions are followed just the same, will the Tor option work? Or what modifications to the existing instructions need to be made for it to work?

 

Thank you for the support


Hello,

 

Tor proxy (just like any SOCKS or HTTP proxy) does not support UDP. OpenVPN will necessarily work in TCP. Please see also https://airvpn.org/tor

 

Kind regards


How do you suggest correcting an existing DNS leak when using the VPN over Tor option with the AirVPN client?

 

Thanks for the quick reply.

Hi there,

 

I've followed the instructions carefully and keep getting the problem of not being able to find the .ovpn files (even though they are in the folder).

 

When generating the .ovpn files I can't see the option to select All servers for area region. 

 

Any help much appreciated

Guest

Check this

 

https://airvpn.org/topic/14341-config-generator-resolve-all-ips/?p=28172

So just to check then... Until the ""All servers for area region" option is back, the instructions contained in this topic won't work? Is there a workaround?


The script still works with the Config Generator without the "All servers for area region" option. All that did was provide you with all the IPs in fewer config files, which they can't do anymore as you can only have so many IPs in one config file.


Added extra measures to ensure the DNS stuff (in case the Windows commands stuff up from interference from something else).


Decided to overhaul the script. It is now 1 script instead of 2 and only needs you to put your .ovpn files into your OpenVPN installation for it to work.


Thanks Omniferum!!! Great new script, I much prefer it over the older ones I had been using for a few years.

 

I have one small issue:

 

No matter how many times I run the script, I always see this message:

 

********************************************************************
Could not find IP addresses some, or all, of your .ovpn file(s)
 
Would you like this script to automatically format your .ovpn files?
 
REQUIRES INTERNET CONNECTION
********************************************************************
[Y,N]?
 
If I type Y, then I have the following message: (N just ends the script with no modifications to the system)
 
A backup of "C:\Program Files\OpenVPN\config\AirVPN_America_UDP-443.ovpn" already exists, do you wish to overwrite it?
[Y,N]?

 

If I type Y, then it overwrites and moves on to the next 30 .OVPNs I have in the folder. If I type N, then it just moves on in the same fashion, but without overwriting. The point is: I have to type Y or N to 30 ovpns. (Which is just a mild annoyance I guess...)

 

I have followed the instructions for generating the ovpns, but it still says they need formatting. Either way, they shouldn't need formatting after the first time anyway, right?

 

Thanks again!!!


I have tweaked the backup function so you don't actually have to press Y or N.

 

There is an error in my script that I have fixed (was something I never really tested properly).

 

Use the updated script in the first post.

