
Blocking all non-VPN traffic (Windows)
#1
Posted 05 May 2012 - 02:06 PM
I'm running windows xp and have set up comodo firewall to block all non-airVPN traffic from utorrent (for when airvpn goes down), as detailed in this thread. https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=1713&Itemid=142
Is it possible to set a global rule which will block all traffic from the computer other than that which goes through the VPN connection? There is a setting for global rules in comodo, but attempting to do it in the same way as for utorrent doesn't seem to work, as it blocks the VPN itself. Basically I'd like to have it set up so that the computer can't connect to the internet at all except through the vpn.
Thanks.
#2
Posted 05 May 2012 - 02:34 PM
> Hi,
> I'm running windows xp and have set up comodo firewall to block all non-airVPN traffic from utorrent (for when airvpn goes down), as detailed in this thread. https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=1713&Itemid=142
> Is it possible to set a global rule which will block all traffic from the computer other than that which goes through the VPN connection? There is a setting for global rules in comodo, but attempting to do it in the same way as for utorrent doesn't seem to work, as it blocks the VPN itself. Basically I'd like to have it set up so that the computer can't connect to the internet at all except through the vpn.
> Thanks.
Hello!
Yes, it is possible. Remember to allow packets for your physical network card from and to the entry-IP address of the VPN server you're connected to, otherwise you will block every and each packet as you have experienced. There are several ways to accomplish this. An example is to block everything from and to your network card (NOT going to and coming from the entry-IP address) AND (NOT coming from or going to your TAP-Win32 adapter).
See also:
https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=1713&limit=6&limitstart=30&Itemid=142#2019
Kind regards
#3
Posted 05 May 2012 - 02:51 PM
#4
Posted 05 May 2012 - 03:07 PM
> That's great, thanks! How might I go about doing that in comodo (or otherwise)? I've looked through the various global and other ruleset settings, and there's no obvious option to make rules involving my network card or TAP-Win32 adapter. Apologies if I've just overlooked it.
Hello!
With Comodo, first detect the Network Zones corresponding to your adapters (usually Comodo gives them names like Home #1 etc. according to your preferences). Then apply the global rules to those network zones (both when they are the target and the sender) in the tab "Global Rules".
You'll need to know the Network Zone corresponding to your local adapter (10.4.0.0/8) and to your physical adapter (WiFi or Ethernet card). See the tab "Network Zones" inside the "Network Security Policy" menu of the Firewall section in order to detect them.
The Network Zone corresponding to the TAP-Win32 adapter can be authorized to receive and send any packet from any source or to any destination, from/to any port from/to any port.
The Network Zone corresponding to your physical adapter must allow ONLY the packets coming from or going to the entry-IP address of the VPN server or the TAP-Win32 adapter.
Kind regards
#5
Posted 05 May 2012 - 03:33 PM
If I'm reading your reply correctly, then all I have to do is go to global rules and set the network zone corresponding to my physical adapter (wifi card in this case) to allow only traffic from the VPN entry IP address or the network zone of the TAP-Win32 adapter.
Comodo firewall currently has five network zones listed: one called "Loopback Zone" and four called "Home #1", "Home #2", "Home #3", "Home #4". How do I tell which corresponds to my physical adapter and to the TAP-Win32 adapter?
#6
Posted 05 May 2012 - 03:44 PM
> Ok thanks again.
> If I'm reading your reply correctly, then all I have to do is go to global rules and set the network zone corresponding to my physical adapter (wifi card in this case) to allow only traffic from the VPN entry IP address or the network zone of the TAP-Win32 adapter.
> Comodo firewall currently has five network zones listed: one called "Loopback Zone" and four called "Home #1", "Home #2", "Home #3", "Home #4". How do I tell which corresponds to my physical adapter and to the TAP-Win32 adapter?
Hello!
You'll need to know the Network Zone corresponding to your TAP-Win32 adapter (10.4.0.0->10.9.255.255 for AirVPN) and to your physical adapter (WiFi in your case). See the tab "Network Zones" inside the "Network Security Policy" menu of the Firewall section in order to detect them. About your WiFi adapter, you can easily locate it if you know its IP address. You can list all the details of your adapters with
ipconfig /all
Kind regards
#7
Posted 05 May 2012 - 04:14 PM
How do I find the entry IP address of the VPN? (Apologies if this is blindingly obvious.)
Also, will the VPN entry IP address be the same each time I connect, assuming that I always use the same airVPN server?
Thanks again

#8
Posted 05 May 2012 - 04:50 PM
> Ok great, I have the IP addresses of my physical adapter and TAP-Win32 adapter.
> How do I find the entry IP address of the VPN? (Apologies if this is blindingly obvious.)
> Also, will the VPN entry IP address be the same each time I connect, assuming that I always use the same airVPN server?
> Thanks again
Hello!
The entry-IP address of each server never changes. You can find it in several ways:
- display the connection logs and see which IP address OpenVPN connects to. That IP address is the entry-IP address;
- open the .ovpn OpenVPN configuration file and look at the line "remote" (the entry-IP address is the one specified in that line). You can generate the .ovpn files for any server you wish with our configuration generator;
- (only if already connected): open Comodo Firewall "View Active Connections" and see which IP address openvpn.exe is exchanging packets with. That IP address is the entry-IP address.
Kind regards
#9
Posted 05 May 2012 - 05:52 PM
> The Network Zone corresponding to the TAP-Win32 adapter can be authorized to receive and send any packet from any source or to any destination, from/to any port from/to any port.
> The Network Zone corresponding to your physical adapter must allow ONLY the packets coming from or going to the entry-IP address of the VPN server or the TAP-Win32 adapter.
OK, I've now got the various network zones figured out. In this case the physical adapter (wifi card) is Home #1 and the TAP-Win32 adapter is Home #3. The VPN entry address appears to be the same as that of my wifi card.
I've tried creating various rules in the "Global rules" tab to match what you've written in your post, but I can't seem to work it out.
What rules do I need to create?
#11
Posted 11 May 2012 - 04:19 PM
I've tried everything said here, as well as the other thread. But the only solution that works for me is still blocking individual applications.
As soon as I implement the suggested global rules in this thread (and the suggestions made in several other threads... I've tried them all, even on the Comodo forums) the VPN connection itself is fine, but the AirVPN application crashes... When I shut down this application to try and see if I can connect anew with the new firewall global rules, I cannot. Even though I have entered all the correct addresses. (Triple checked them by now.)
Any other workable solution to achieve no possible traffic outside of the VPN?
Thanks in advance!
#12
Posted 16 May 2012 - 10:47 PM
#14
Posted 12 June 2012 - 04:26 PM
Comodo Firewall -> Firewall -> Network Security Policy -> Global Rules -> Add.
Action: Block
Protocol: IP
Direction: In/Out
Source Address: Network Zone - (Your WiFi/Ethernet's zone)
Destination Address: Exclude - IPv4 Single Address - Entry address of server
To find the entry address of a server:
> Hello!
> The entry-IP address of each server never changes. You can find it in several ways:
> - display the connection logs and see which IP address OpenVPN connects to. That IP address is the entry-IP address;
> - open the .ovpn OpenVPN configuration file and look at the line "remote" (the entry-IP address is the one specified in that line). You can generate the .ovpn files for any server you wish with our configuration generator;
> - (only if already connected): open Comodo Firewall "View Active Connections" and see which IP address openvpn.exe is exchanging packets with. That IP address is the entry-IP address.
> Kind regards
If you try to connect through the AirVPN client with that rule, you will get a "The remote name could not be resolved: 'airvpn.org'" error. One of the solutions I found was to disable the global rule (Easy way: Edit -> Action: Allow. Destination address: Uncheck exclude) and connect to AirVPN before activating it again. Alternatively, if you do not want to go through the hassle of enabling and disabling the rule every time you disconnect from and reconnect to AirVPN, you can start connecting through OpenVPN instead of the AirVPN client (https://airvpn.org/windows/ scroll down to "Access without AirVPN client.")
For connecting to AirVPN with the AirVPN client, I've tried excluding AirVPN.org's IP address in the rule, but I was still getting the same error. Is there a way to log into the client without having to disable the global rule? Also, is there a difference between blocking IP and blocking TCP&UDP/ICMP?
#15
Posted 12 June 2012 - 04:57 PM
> If you try to connect through the AirVPN client with that rule, you will get a "The remote name could not be resolved: 'airvpn.org'" error. One of the solutions I found was to disable the global rule (Easy way: Edit -> Action: Allow. Destination address: Uncheck exclude) and connect to AirVPN before activating it again. Alternatively, if you do not want to go through the hassle of enabling and disabling the rule every time you disconnect from and reconnect to AirVPN, you can start connecting through OpenVPN instead of the AirVPN client (https://airvpn.org/windows/ scroll down to "Access without AirVPN client.")
> For connecting to AirVPN with the AirVPN client, I've tried excluding AirVPN.org's IP address in the rule, but I was still getting the same error. Is there a way to log into the client without having to disable the global rule? Also, is there a difference between blocking IP and blocking TCP&UDP/ICMP?
Hello!
The AirVPN client for Windows needs to resolve the airvpn.org name in order to download certificates and key via an encrypted connection and then launch OpenVPN, so the quickest workaround is adding the following line to your hosts file:
46.105.19.36 airvpn.org
In this way airvpn.org will be resolved without the need for a DNS query outside the tunnel, which is correctly blocked by your rules when you are not connected to an Air server. You will still have to authorize packets from and to 46.105.19.36 in the firewall.
Of course if we change the IP address of our frontend you will have to update your hosts file.
Kind regards
#16
Posted 18 June 2012 - 12:52 PM
* Added to hosts file - 46.105.19.36 airvpn.org

Action: Allow
Protocol: IP
Direction: In/Out
Source Address: Any
Destination Address: IPv4 Single Address - 46.105.19.36

Action: Block
Protocol: IP
Direction: In/Out
Source Address: Network Zone - (Your WiFi/Ethernet's zone)
Destination Address: Exclude - IPv4 Single Address - Entry address of server (In this case it is Sirius)

Why can't you exclude the range 10.4.0.0 - 10.9.255.255 instead of the entry address of an individual server? Is there a way to exclude all servers' IPs at once? When I try to allow the range it logs into the Air client but doesn't connect to any servers. With the single entry IP I can only connect to the one server I have listed. So close to working!
#17
Posted 18 June 2012 - 05:38 PM
> Why can't you exclude the range 10.4.0.0 - 10.9.255.255 instead of the entry address of an individual server? Is there a way to exclude all servers' IPs at once? When I try to allow the range it logs into the Air client but doesn't connect to any servers. With the single entry IP I can only connect to the one server I have listed. So close to working!
To be honest, I had no idea what I was doing and was just messing with the settings while following what Admin said in page 1.
My guess is that the firewall is set to block connections to/from the entry addresses of other servers, so add a rule for each server to allow connections to their entry servers. Allow - IP - In/Out - Any - IPv4 Single Address (entry address)
#18
Posted 19 June 2012 - 03:12 AM
> My guess is that the firewall is set to block connections to/from the entry addresses of other servers, so add a rule for each server to allow connections to their entry servers. Allow - IP - In/Out - Any - IPv4 Single Address (entry address)
I have been trying to add separate rules and it won't allow me to connect after adding rules for more than 1 server. It's confusing me, it doesn't make sense.
#19
Posted 19 June 2012 - 07:59 AM
> I have been trying to add separate rules and it won't allow me to connect after adding rules for more than 1 server. It's confusing me, it doesn't make sense.
Did you add the new rules on top of the block rule?
I added an "Allow IP In/Out From MAC Any To IP <Entry address> Where Protocol Is Any" rule for each server and I have no problems connecting to any of them.
#20
Posted 19 June 2012 - 03:05 PM
Connect AirVPN - 46.105.19.36
Omicron - 89.149.226.185
Tauri - 46.165.208.65
Delphini - 146.185.25.170
Lyra - 62.212.85.65
Leonis - 85.17.123.26
Orionis - 95.211.98.154
Castor - 95.211.169.3
Draconis - 178.248.29.132
Vega - 69.163.36.66
Sirius - 108.59.8.147