
Blocking all non-VPN traffic (Windows)


118 replies to this topic

#1 JJNF_83585 (Newbie, Members, 6 posts)
Posted 05 May 2012 - 02:06 PM

Hi,

I'm running Windows XP and have set up Comodo Firewall to block all non-AirVPN traffic from uTorrent (for when AirVPN goes down), as detailed in this thread: https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=1713&Itemid=142

Is it possible to set a global rule which will block all traffic from the computer other than that which goes through the VPN connection? There is a setting for global rules in Comodo, but attempting to do it in the same way as for uTorrent doesn't seem to work, as it blocks the VPN itself. Basically I'd like to have it set up so that the computer can't connect to the internet at all except through the VPN.

Thanks.

#2 Staff (Advanced Member, Staff, 7699 posts)
Posted 05 May 2012 - 02:34 PM


Hello!

Yes, it is possible. Remember to allow packets for your physical network card from and to the entry-IP address of the VPN server you're connected to, otherwise you will block each and every packet, as you have experienced. There are several ways to accomplish this. An example is to block everything from and to your network card (NOT going to and coming from the entry-IP address) AND (NOT coming from or going to your TAP-Win32 adapter).

See also:
https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=1713&limit=6&limitstart=30&Itemid=142#2019

Kind regards

#3 JJNF_83585 (Newbie, Members, 6 posts)
Posted 05 May 2012 - 02:51 PM

That's great, thanks! How might I go about doing that in Comodo (or otherwise)? I've looked through the various global and other ruleset settings, and there's no obvious option to make rules involving my network card or TAP-Win32 adapter. Apologies if I've just overlooked it.

#4 Staff (Advanced Member, Staff, 7699 posts)
Posted 05 May 2012 - 03:07 PM

Hello!

With Comodo, first detect the Network Zones corresponding to your adapters (usually Comodo gives them names like Home #1 etc. according to your preferences). Then apply the global rules to those network zones (both when they are the target and the sender) in the tab "Global Rules".

You'll need to know the Network Zone corresponding to your local adapter (10.4.0.0/8) and to your physical adapter (WiFi or Ethernet card). See the tab "Network Zones" inside the "Network Security Policy" menu of the Firewall section in order to detect them.

The Network Zone corresponding to the TAP-Win32 adapter can be authorized to receive and send any packet from any source or to any destination, from/to any port from/to any port.

The Network Zone corresponding to your physical adapter must allow ONLY the packets coming from or going to the entry-IP address of the VPN server or the TAP-Win32 adapter.

Kind regards

#5 JJNF_83585 (Newbie, Members, 6 posts)
Posted 05 May 2012 - 03:33 PM

OK, thanks again.

If I'm reading your reply correctly, then all I have to do is go to global rules and set the network zone corresponding to my physical adapter (WiFi card in this case) to allow only traffic from the VPN entry IP address or the network zone of the TAP-Win32 adapter.

Comodo Firewall currently has five network zones listed: one called "Loopback Zone" and four called "Home #1", "Home #2", "Home #3", "Home #4". How do I tell which corresponds to my physical adapter and to the TAP-Win32 adapter?

#6 Staff (Advanced Member, Staff, 7699 posts)
Posted 05 May 2012 - 03:44 PM

Hello!

You'll need to know the Network Zone corresponding to your TAP-Win32 adapter (10.4.0.0 -> 10.9.255.255 for AirVPN) and to your physical adapter (WiFi in your case). See the tab "Network Zones" inside the "Network Security Policy" menu of the Firewall section in order to detect them. As for your WiFi adapter, you can easily locate it if you know its IP address. You can list all the details of your adapters with:

    ipconfig /all


Kind regards

#7 JJNF_83585 (Newbie, Members, 6 posts)
Posted 05 May 2012 - 04:14 PM

OK great, I have the IP addresses of my physical adapter and TAP-Win32 adapter.

How do I find the entry IP address of the VPN? (Apologies if this is blindingly obvious.)

Also, will the VPN entry IP address be the same each time I connect, assuming that I always use the same AirVPN server?

Thanks again :)

#8 Staff (Advanced Member, Staff, 7699 posts)
Posted 05 May 2012 - 04:50 PM

Hello!

The entry-IP address of each server never changes. You can find it in several ways:

- display the connection logs and see which IP address OpenVPN connects to. That IP address is the entry-IP address;
- open the .ovpn OpenVPN configuration file and look at the line "remote" (the entry-IP address is the one specified in that line). You can generate the .ovpn files for any server you wish with our configuration generator;
- (only if already connected): open Comodo Firewall "View Active Connections" and see which IP address openvpn.exe is exchanging packets with. That IP address is the entry-IP address.

Kind regards

#9 JJNF_83585 (Newbie, Members, 6 posts)
Posted 05 May 2012 - 05:52 PM



> The Network Zone corresponding to the TAP-Win32 adapter can be authorized to receive and send any packet from any source or to any destination, from/to any port from/to any port.
>
> The Network Zone corresponding to your physical adapter must allow ONLY the packets coming from or going to the entry-IP address of the VPN server or the TAP-Win32 adapter.




OK, I've now got the various network zones figured out. In this case the physical adapter (WiFi card) is Home #1 and the TAP-Win32 adapter is Home #3. The VPN entry address appears to be the same as that of my WiFi card.

I've tried creating various rules in the "Global rules" tab to match what you've written in your post, but I can't seem to work it out.

What rules do I need to create?

#10 JJNF_83585 (Newbie, Members, 6 posts)
Posted 10 May 2012 - 06:53 PM

I'm still trying to work out a firewall ruleset that works (or any other way of solving this problem).

If anyone has any ideas as to how we might get this to work, it would be very helpful :)

#11 65147875 (Newbie, Members, 1 post)
Posted 11 May 2012 - 04:19 PM

I would also quite like a good explanation or guide on how to achieve this (no internet traffic at all except through the VPN).
I've tried everything said here, as well as in the other thread, but the only solution that works for me is still blocking individual applications.
As soon as I implement the suggested global rules in this thread (and the suggestions made in several other threads... I've tried them all, even on the Comodo forums) the VPN connection itself is fine, but the AirVPN application crashes. When I shut down this application to try and see if I can connect anew with the new firewall global rules, I cannot, even though I have entered all the correct addresses (triple-checked them by now).

Any other workable solution to achieve no possible traffic outside of the VPN?

Thanks in advance!

#12 spocko123 (Member, Members, 14 posts)
Posted 16 May 2012 - 10:47 PM

Yes! A guide would be awesome. I'm liking this VPN a lot, a bit tricky at first (I'm an idiot). But I also would prefer to stop all incoming and outgoing traffic unless I'm on the VPN. If it's possible, this thread should be stuck at the top ("Sticky") and marked solved?

#13 MrConducter (Advanced Member, Members, 96 posts)
Posted 18 May 2012 - 01:25 AM

Bump, curious.

#14 greg (Newbie, Members, 4 posts)
Posted 12 June 2012 - 04:26 PM

I messed around with Comodo Firewall's settings for a bit and I think I found a solution.

Comodo Firewall -> Firewall -> Network Security Policy -> Global Rules -> Add.

Action: Block
Protocol: IP
Direction: In/Out
Source Address: Network Zone - (Your WiFi/Ethernet's zone)
Destination Address: Exclude - IPv4 Single Address - Entry address of server

To find the entry address of a server:


> Hello!
>
> The entry-IP address of each server never changes. You can find it in several ways:
>
> - display the connection logs and see which IP address OpenVPN connects to. That IP address is the entry-IP address;
> - open the .ovpn OpenVPN configuration file and look at the line "remote" (the entry-IP address is the one specified in that line). You can generate the .ovpn files for any server you wish with our configuration generator;
> - (only if already connected): open Comodo Firewall "View Active Connections" and see which IP address openvpn.exe is exchanging packets with. That IP address is the entry-IP address.
>
> Kind regards



If you try to connect through the AirVPN client with that rule, you will get a "The remote name could not be resolved: 'airvpn.org'" error. One of the solutions I found was to disable the global rule (Easy way: Edit -> Action: Allow. Destination address: Uncheck exclude) and connect to AirVPN before activating it again. Alternatively, if you do not want to go through the hassle of enabling and disabling the rule every time you disconnect from and reconnect to AirVPN, you can start connecting through OpenVPN instead of the AirVPN client (https://airvpn.org/windows/ scroll down to "Access without AirVPN client.")

For connecting to AirVPN with the AirVPN client, I've tried excluding AirVPN.org's IP address in the rule, but I was still getting the same error. Is there a way to log into the client without having to disable the global rule? Also, is there a difference between blocking IP and blocking TCP&UDP/ICMP?

#15 Staff (Advanced Member, Staff, 7699 posts)
Posted 12 June 2012 - 04:57 PM





Hello!

The AirVPN client for Windows needs to resolve the airvpn.org name in order to download certificates and key via an encrypted connection and then launch OpenVPN, so the quickest workaround is adding the following line to your hosts file:

    46.105.19.36 airvpn.org

In this way airvpn.org will be resolved without the need for a DNS query outside the tunnel, which is correctly blocked by your rules when you are not connected to an Air server. You will still have to authorize packets from and to 46.105.19.36 in the firewall.

Of course if we change the IP address of our frontend you will have to update your hosts file.

Kind regards

#16 MrConducter (Advanced Member, Members, 96 posts)
Posted 18 June 2012 - 12:52 PM

Hello. I have been working on this for a while and Air hasn't really put out a tutorial on it despite so many clients being interested. Thank you greg for the post! Here is what I have in Comodo.

*Added to hosts file: 46.105.19.36 airvpn.org

Action: Allow
Protocol: IP
Direction: In/Out
Source Address: Any
Destination Address: IPv4 Single Address - 46.105.19.36

Action: Block
Protocol: IP
Direction: In/Out
Source Address: Network Zone - (Your WiFi/Ethernet's zone)
Destination Address: Exclude - IPv4 Single Address - Entry address of server (This case it is Sirius)

Why can't you exclude the range 10.4.0.0 - 10.9.255.255 instead of the entry address of an individual server? Is there a way to exclude all servers' IPs at once? When I try to allow the range it logs into the Air client but doesn't connect to any servers. With the single entry IP I can only connect to the one server I have listed. So close to working!

#17 greg (Newbie, Members, 4 posts)
Posted 18 June 2012 - 05:38 PM

To be honest, I had no idea what I was doing and was just messing with the settings while following what Admin said in page 1.

My guess is that the firewall is set to block connections to/from the entry addresses of other servers, so add a rule for each server to allow connections to their entry servers. Allow - IP - In/Out - Any - IPv4 Single Address (entry address)

#18 MrConducter (Advanced Member, Members, 96 posts)
Posted 19 June 2012 - 03:12 AM


I have been trying to add separate rules and it won't allow me to connect after adding rules for more than one server. It's confusing me; it doesn't make sense.

#19 greg (Newbie, Members, 4 posts)
Posted 19 June 2012 - 07:59 AM

Did you add the new rules on top of the block rule?

I added an "Allow IP In/Out From MAC Any To IP <Entry address> Where Protocol Is Any" rule for each server and I have no problems connecting to any of them.

[Attached screenshot: globalsettings.png]


#20 MrConducter (Advanced Member, Members, 96 posts)
Posted 19 June 2012 - 03:05 PM

Thanks for the screenshot. I think I got it working, but how did you allow "all"? Probably doesn't matter, but just curious. Also, what is [AirVPN - Sirius]? Just 108.59.8.147, I'm assuming. Here are all the IPs you need in text format for anyone else working on this. Cheers.

Connect AirVPN - 46.105.19.36
Omicron - 89.149.226.185
Tauri - 46.165.208.65
Delphini - 146.185.25.170
Lyra - 62.212.85.65
Leonis - 85.17.123.26
Orionis - 95.211.98.154
Castor - 95.211.169.3
Draconis - 178.248.29.132
Vega - 69.163.36.66
Sirius - 108.59.8.147
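A first-match model of the global rules this thread converges on, added here as an illustration; it is not code from the thread or from Comodo. It assumes Comodo evaluates global rules top-down with the first match deciding (the ordering greg asks about in #19) and models only the outbound direction; the WiFi zone 192.168.1.0-255, the local address 192.168.1.10 and the destination 203.0.113.7 are constructed, while the frontend, entry and TAP-Win32 addresses are taken from the thread.

```python
import ipaddress

def ip_range(first, last):
    """Inclusive address range, like a Comodo Network Zone."""
    return (ipaddress.ip_address(first), ipaddress.ip_address(last))

def single(ip):
    return ip_range(ip, ip)

def in_range(ip, rng):
    return rng == "any" or rng[0] <= ip <= rng[1]

def evaluate(rules, src, dst):
    """Return the action of the first matching rule, or 'unmatched' when no
    global rule applies (assumed: Comodo then falls through to application
    rules).  A rule is (action, src_range, dst_range, exclude_dst), where
    exclude_dst models the 'Exclude' checkbox greg set on the destination."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s, d, exclude_dst in rules:
        if in_range(src, s) and in_range(dst, d) != exclude_dst:
            return action
    return "unmatched"

# From the thread: AirVPN frontend, two server entry IPs, TAP-Win32 zone.
# The WiFi zone (Home #1) is a constructed example range.
WIFI = ip_range("192.168.1.0", "192.168.1.255")
TAP = ip_range("10.4.0.0", "10.9.255.255")
FRONTEND = single("46.105.19.36")
ENTRY = {"Omicron": single("89.149.226.185"), "Sirius": single("108.59.8.147")}

ALLOW_RULES = [("allow", "any", FRONTEND, False)] + [
    ("allow", "any", e, False) for e in ENTRY.values()]
BLOCK_WIFI = ("block", WIFI, "any", False)                # MrConducter, #16
GREG_ONLY_SIRIUS = ("block", WIFI, ENTRY["Sirius"], True)  # greg, #14

def kill_switch(allow_on_top=True):
    """Working order from #19 (allow rules above the block) or the broken
    order from #18, where a block rule on top swallows every WiFi packet."""
    return ALLOW_RULES + [BLOCK_WIFI] if allow_on_top else [BLOCK_WIFI] + ALLOW_RULES

def decide(dst, allow_on_top=True, src="192.168.1.10"):
    """Outbound packet from the WiFi adapter to dst."""
    return evaluate(kill_switch(allow_on_top), src, dst)

if __name__ == "__main__":
    for dst in ("89.149.226.185", "46.105.19.36", "203.0.113.7"):
        print(dst, "allow-on-top:", decide(dst), "block-on-top:", decide(dst, False))
    tap_src = "10.4.0.5"  # traffic sourced from the tunnel adapter is never hit by BLOCK_WIFI
    print("TAP src", in_range(ipaddress.ip_address(tap_src), TAP), "->", evaluate(kill_switch(), tap_src, "203.0.113.7"))
    print("greg #14 to Omicron ->", evaluate([GREG_ONLY_SIRIUS], "192.168.1.10", "89.149.226.185"))
```

The single-exclusion rule from #14 only spares the one server it names, which is why connecting to a second server needs a separate allow rule placed above the block.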




