Previous thread on Windows and Comodo to prevent DNS leaks and leaks in case of unexpected VPN disconnection have become very big and detailed. We invite you to consult those threads for details and support, while we publish this message as a quick, clarifying overview of the essential steps.
Please note that if you don't use Windows you don't need to read this post. If you use Windows and a firewall other than Comodo, you can anyway take these rules as an example and adapt them to your firewall.
This is a minimal set of instructions to prevent any leak in case of unexpected VPN disconnection and prevent, in any case, DNS leaks, on Windows system with Comodo firewall. Comodo firewall is currently the only firewall we recommend for Windows. The free version is just fine for our purposes.
Never rename the rules: in case you need support, we need to see what the rules really state.
1) If you're not familiar with a firewall, read Comodo Firewall manual or guides. In particular, please see the following:
2) Install Comodo Personal Firewall free version available here: https://personalfirewall.comodo.com/
3) Set the Firewall Security Level to "Custom Policy"
if you need OpenVPN over SSH/SSL and other alternative connection modes, see also https://airvpn.org/specs
5) Determine the entry-IP addresses of the AirVPN server(s) you wish to connect to: https://airvpn.org/topic/14378-how-can-i-get-vpn-servers-entry-ip-addresses
6) Define a "Global Rule" which blocks everything:
Block And Log IP In/Out From MAC Any To MAC Any Where Protocol Is Any
The logging is important for troubleshooting if necessary.
7) Put the above Global Rule in the top position. This will block completely your connectivity and let you add a whitelist of Allow global rules put BEFORE this total block global rule. All the "Allow" rules that you want to be evaluated shall be put BEFORE (i.e. higher than) the above block rule.
8) Define a"Global" rule which allows in/out communications of your TAP-Win32 adapter ("AirVPN") both In and Out:
Allow IP In/Out From In [AirVPN] To MAC Any Where Protocol Is Any
Allow IP In/Out From MAC Any To In [AirVPN] Where Protocol Is Any
9) Do the same for your loopback zone (IP range 127.0.0.1 - 127.255.255.254)
Allow IP In/Out From In [Loopback Zone] to MAC Any Where Protocol Is Any
Allow IP In/Out From MAC Any To In [Loopback Zone] Where Protocol Is Any
10) Do the same for any entry-IP address of the VPN servers you wish to connect to. For example for Leporis:
Allow TCP or UDP In/Out From IP 18.104.22.168 To MAC Any Where Source Port Is Any And Destination Port Is Any
Allow TCP or UDP In/Out From MAC Any To IP 22.214.171.124 Where Source Port Is Any And Destination Port Is Any
For your comfort, you might define a Network Zone (for example [Air servers entry IPs]) containing only the entry-IP addresses of our servers and then set two rules like
Allow TCP or UDP In/Out From In [Air servers entry IPs] To MAC Any Where Source Port Is Any And Destination Port Is Any
Allow TCP or UDP In/Out From MAC Any To In [Air servers entry IPs] Where Source Port Is Any And Destination Port Is Any
In this way, you will only need to add a single IPv4 address to that Network Zone in order to connect to a new server, instead of defining two additional rules for each server, which may be annoying if you switch between a lot of servers.
11) Add similar rules to allow communications of your device with your router (and within your home/office network, if you wish so). For example, if your network is [192.168.0.0 / 255.255.0.0] define a network zone with IP Range [192.168.0.0 - 192.168.255.255] (let's call it "Home Network") and set the following rules:
Allow TCP In/Out From In [Home Network] To In [Home Network] Where Source Port Is Any And Destination Port Is Any
Allow UDP In/Out From In [Home Network] To In [Home Network] Where Source Port Is Any And Destination Port Is Not 53
Allow ICMP In/Out From In [Home Network] To In [Home Network] Where ICMP Message Is Any
11a) Allow DHCP "negotiation":
Allow IP In/Out From MAC Any To IP 255.255.255.255 Where Protocol Is Any
12) In order to allow "airvpn.org" resolution even when disconnected (and any other hostname you wish to be resolved even when VPN is disconnected), add to your hosts file the line:
Do not forget about this change! If we change our main frontend IP address, you will not be able to reach airvpn.org anymore until you remove that line. No more necessary starting with Air client edition 2 "Eddie".
13) If you use the Air client, add rules to allow communications with IP addresses 126.96.36.199 and 188.8.131.52 (two of our frontend servers), In and Out
Allow TCP or UDP In/Out From IP 184.108.40.206 To MAC Any Where Source Port Is Any And Destination Port Is Any
Allow TCP or UDP In/Out From MAC Any To IP 220.127.116.11 Where Source Port Is Any And Destination Port Is Any
Allow TCP or UDP In/Out From IP 18.104.22.168 To MAC Any Where Source Port Is Any And Destination Port Is Any
Allow TCP or UDP In/Out From MAC Any To IP 22.214.171.124 Where Source Port Is Any And Destination Port Is Any
14) You can progressively enlarge your whitelist just by adding "Allow" rules before the total blocking rule of point 6) according to your system needs.
Keep in mind that there are literally dozens of ways to accomplish the same task with Comodo.
Pay attention not to confuse the "-" symbol, which stands for "IP range", with the "/" symbol, which stands for IP address / NetMask. For example, [10.4.0.0 - 10.9.255.255] is correct (the IP range from 10.4.0.0 to 10.9.255.255), while [10.4.0.0 / 10.9.255.255] is NOT correct (IP 10.4.0.0 NetMask 10.9.255.255, which covers almost every existing IP address!).
When you have defined all the rules, do not forget to click "Apply" and "OK" in order to store them and make them active for any new connection. Test everything and do not be afraid to experiment before you rely on the secured connection for sensitive data transmissions.