Omniferum

ANSWERED Blocking non-VPN traffic with Windows Firewall


---------------------------------------------------------

SECURE YOUR WINDOWS VPN CONNECTION

This script will allow your Windows OS to flip between secure VPN traffic and normal traffic mode.

 

    -Secure VPN mode: Allows 'only' secure VPN traffic; this script also prevents the 'DNS leak' problem you might have read about.

    -Normal traffic mode: Your normal internet

 

I wrote this for people with little know-how of computers but need security without complication.

 

This is a simple script that you double-click to flip between 'normal internet' mode and 'Secure VPN Mode'. When in 'Secure VPN Mode' your computer completely prevents DNS leaks and will deny ALL internet traffic that is not VPN.

It still allows LAN access so your servers/network's existing setup won't be affected by it.

 

Requirements:

    -My Windows batch script

    -Your VPN's .ovpn files

    -You need to know the DNS servers of your VPN (Note: not all VPNs provide them, but all the good ones do)

    -Windows Vista/7/8/10 (These are the OSes that come with Windows Firewall installed and enabled by default)

 

---------------------------------------------------------

 

STEP 1 - Download your .ovpn file(s) from your VPN provider

 

STEP 2 - Place those .ovpn files into your OpenVPN config directory

This folder is usually: C:\Program Files\OpenVPN\config

 

STEP 3 - Creating the .bat file

-Create an empty .txt file and open it up

-Copy and paste everything in the code box below into the empty .txt file

-Edit the line near the top that says SET YOUR_VPN_PRIMARY_DNS= <- Put YOUR VPN's DNS address after the equal sign (AirVPN is 10.4.0.1 - this is what I use, so I left it as the default)

-Save the file

-Rename the .txt file extension to .bat (e.g. FirewallFlip.txt -> FirewallFlip.bat)

 

BATCH FILE - FIREWALL FLIPPER

@ECHO OFF
SETLOCAL ENABLEDELAYEDEXPANSION
SETLOCAL ENABLEEXTENSIONS

REM -------------------
REM MANDATORY VARIABLES
REM -------------------
REM This section is required to prevent DNS leaks
REM Example VPN DNS servers: AirVPN's are 10.4.0.1 and 10.5.0.1
REM THIS VARIABLE CANNOT BE BLANK AND MUST BE CHANGED TO YOUR VPN'S DNS SERVER
    SET YOUR_VPN_PRIMARY_DNS=10.4.0.1
REM ------------------
REM OPTIONAL VARIABLES
REM ------------------
REM Put the filename of your preferred OVPN server here
REM Leave blank to let this script select one at random for you
REM Example filename you would enter here: AirVPN_America_UDP-443.ovpn
    SET YOUR_PREFERRED_OVPN=
REM Enter your backup/secondary DNS here
    SET YOUR_VPN_SECONDARY_DNS=10.5.0.1
REM Your preferred public DNS servers (e.g. Google is 8.8.8.8 and OpenDNS is 208.67.220.220)
REM These are usually superior to the ones your ISP provides you with
REM If you clear these values then your ISP DNS will be used
    SET YOUR_PUBLIC_PRIMARY_DNS=8.8.8.8
    SET YOUR_PUBLIC_SECONDARY_DNS=208.67.220.220

REM Basic error check
    IF NOT DEFINED YOUR_VPN_PRIMARY_DNS (
        ECHO WARNING
        ECHO -------
        ECHO You have not set the YOUR_VPN_PRIMARY_DNS variable in this script
        ECHO.
        ECHO Open %~nx0 and edit the necessary line
        ECHO.
        ECHO This script CANNOT continue until you do so
        ECHO.
        ECHO Press any key to exit...
        PAUSE >NUL 2>NUL
        GOTO :EOF
    )
REM Finding your OpenVPN Installation
    IF EXIST "C:\Program Files (x86)\OpenVPN" SET OpenVPN=C:\Program Files (x86)\OpenVPN
    IF EXIST "C:\Program Files\OpenVPN" SET OpenVPN=C:\Program Files\OpenVPN
    IF NOT DEFINED OpenVPN (
        ECHO Your OpenVPN installation was not found, press any key to exit...
        PAUSE >NUL 2>NUL
        GOTO :EOF
    )
REM Basic error check
    IF NOT EXIST "%OpenVPN%\config\*.ovpn" (
        ECHO ******************************************************************
        ECHO This script cannot continue because it could not find the .ovpn
        ECHO files required in: "%OpenVPN%\config"
        ECHO.
        ECHO Please copy your .ovpn files into the above directory for this
        ECHO script to work.
        ECHO ******************************************************************
        PAUSE
        GOTO :EOF
    )

SET "FIREWALL_FLIP_BACKUP_FOLDER=%OpenVPN%\FIREWALL_FLIP_BACKUP"
IF NOT EXIST "%FIREWALL_FLIP_BACKUP_FOLDER%" MD "%FIREWALL_FLIP_BACKUP_FOLDER%"

REM Finding the network adapter used by OpenVPN
    FOR /F "tokens=1-3 delims='{" %%a IN ('"%OpenVPN%\bin\openvpn.exe" --show-adapters ^| findstr {') DO (
        SET VPN_ADAPTER=%%a
        SET VPN_ADAPTER_GUID={%%c
    )
REM Checking config file limit
    FOR /F "tokens=1 delims= " %%a IN ('DIR "%OpenVPN%\config\*.ovpn" ^| findstr File^(s^)') DO (
        IF %%a GTR 50 (
            ECHO You have %%a config files in your OpenVPN config folder
            ECHO.
            ECHO OpenVPN only supports a maximum of 50, so you will need to delete some
            ECHO.
            ECHO This script has made no modifications to the system
            ECHO Press any key to exit...
            PAUSE >NUL 2>NUL
            GOTO :EOF
        )
    )
REM Checking if any of the addresses aren't fully resolved (a "remote" line still holding a hostname)
    FOR %%a IN ("%OpenVPN%\config\*.ovpn") DO (
        FOR /F "tokens=2-3 delims= " %%b IN ('findstr "remote " "%%a" ^| findstr \.') DO (
            ECHO %%b | findstr [a-z] >NUL 2>NUL && SET OVPN_FORMATTED=NO
        )
    )
    IF "!OVPN_FORMATTED!" EQU "NO" (
        ECHO ********************************************************************
        ECHO Could not find IP addresses for some, or all, of your .ovpn file^(s^)
        ECHO.
        ECHO Would you like this script to automatically format your .ovpn files?
        ECHO.
        ECHO REQUIRES INTERNET CONNECTION
        ECHO ********************************************************************
        CHOICE
        IF !ERRORLEVEL! EQU 1 (
            FOR %%f IN ("%OpenVPN%\config\*.ovpn") DO (
                SET "OVPN_BACKUP_FILE=%OpenVPN%\FIREWALL_FLIP_BACKUP\Backup_%%~nxf"
                REM Create backup of your .ovpn file
                IF NOT EXIST "!FIREWALL_FLIP_BACKUP_FOLDER!" MD "!FIREWALL_FLIP_BACKUP_FOLDER!" >NUL 2>NUL
                IF NOT EXIST "!OVPN_BACKUP_FILE!" (
                    COPY /Y "%%f" "!OVPN_BACKUP_FILE!" >NUL 2>NUL
                ) ELSE (
                    ECHO A backup of "%%f" already exists, do you wish to overwrite it?
                    CHOICE
                    IF !ERRORLEVEL! EQU 1 (
                        COPY /Y "%%f" "!OVPN_BACKUP_FILE!" >NUL 2>NUL
                    )
                )
                REM Get your VPN server name and port
                FOR /F "tokens=2-3 delims= " %%a IN ('findstr "remote " "%%f" ^| findstr \.') DO (
                    SET VPN_SERVER_NAME=%%a
                    SET VPN_SERVER_PORT=%%b
                )
                ECHO !VPN_SERVER_NAME! | findstr [a-z] >NUL 2>NUL && (
                    REM Resolve the server name to an IP (cleared first so a previous file's IP is never reused)
                    SET "VPN_SERVER_IP="
                    FOR /F "tokens=2 delims=[]" %%a IN ('ping -n 1 !VPN_SERVER_NAME! ^| findstr /C:"["') DO (
                        SET VPN_SERVER_IP=%%a
                    )
                    IF NOT DEFINED VPN_SERVER_IP (
                        ECHO Could not resolve !VPN_SERVER_NAME!, leaving "%%f" unchanged
                    ) ELSE (
                        REM Replace the VPN server name with its direct IP. Every other line is copied through
                        REM a delayed-expansion variable so inline certificate tags are not parsed as redirections
                        >"%%f" (
                            FOR /F "usebackq tokens=*" %%a IN ("!OVPN_BACKUP_FILE!") DO (
                                SET "line=%%a"
                                IF "%%a" EQU "remote !VPN_SERVER_NAME! !VPN_SERVER_PORT!" (
                                    ECHO remote !VPN_SERVER_IP! !VPN_SERVER_PORT!
                                ) ELSE (
                                    ECHO(!line!
                                )
                            )
                        )
                    )
                )
            )
        ) ELSE (
            ECHO.
            ECHO This script has made no modifications to the system.
            ECHO Press any key to exit...
            PAUSE >NUL 2>NUL
            GOTO :EOF
        )
    )
REM If you haven't set the variable YOUR_PREFERRED_OVPN this bit of code will select one at random from the OpenVPN config folder where all your .ovpn files are stored.
    IF DEFINED YOUR_PREFERRED_OVPN GOTO :CURRENT_STATE
    IF "!YOUR_PREFERRED_OVPN!" EQU "" (
        FOR /F "tokens=1 delims= " %%a IN ('DIR "%OpenVPN%\config\*.ovpn" ^| findstr /C:" File(s)"') DO SET /A "rand=%RANDOM% %% %%a+1"
        FOR %%f IN ("%OpenVPN%\config\*.ovpn") DO (
            SET /A num+=1
            IF !num! EQU !rand! SET "YOUR_PREFERRED_OVPN=%%~nxf"
        )
    )

:CURRENT_STATE
    REM Check what state the firewall is in (VPN ONLY or ALLOW ALL)
    CLS
    FOR /F "tokens=2 delims=," %%a IN ('netsh advfirewall show allprofiles firewallpolicy') DO SET state=%%a
    IF "%state%" EQU "BlockOutbound" GOTO :VPN_TO_ALL
    IF "%state%" EQU "Ausgehend blockieren" GOTO :VPN_TO_ALL
    IF "%state%" EQU "AllowOutbound" GOTO :ALL_TO_VPN
    IF "%state%" EQU "Ausgehend zulassen" GOTO :ALL_TO_VPN
    ECHO Your firewall state cannot be determined...
    ECHO.
    ECHO This script has made no modifications to the system.
    ECHO Press any key to exit...
    PAUSE >NUL 2>NUL
    GOTO :EOF
:VPN_TO_ALL
    ECHO.
    ECHO --------------------------------------------------
    ECHO ^|The firewall currently allows "ONLY VPN" traffic^|
    ECHO --------------------------------------------------
    ECHO.
    ECHO Do you wish to allow "ALL" traffic?
    CHOICE
    IF !ERRORLEVEL! EQU 1 (
        CLS
        ECHO ------------------------------------------------
        ECHO Configuring your computer to allow "ALL" traffic
        ECHO ------------------------------------------------
        ECHO.
        REM Firewall .wfw backup file
        IF NOT EXIST "%FIREWALL_FLIP_BACKUP_FOLDER%\PRE_VPN_FIREWALL_RULES_BACK.wfw" (
            ECHO.
            ECHO.
            ECHO *******************************************************************************
            ECHO The firewall rules backup this script made could not be found...
            ECHO.
            ECHO Something has happened to the file:
            ECHO "%FIREWALL_FLIP_BACKUP_FOLDER%\PRE_VPN_FIREWALL_RULES_BACK.wfw"
            ECHO *******************************************************************************
            ECHO.
            ECHO Would you like to automatically reset your windows firewall to default rules?
            ECHO This is perfectly safe to do, but it will reset your firewall prompts.
            REM Reset windows firewall if rules backup not found
            CHOICE
            IF !ERRORLEVEL! EQU 1 (
                netsh advfirewall reset >NUL 2>NUL
            ) ELSE (
                ECHO.
                ECHO This script has made no modifications to the system.
                ECHO Press any key to exit...
                PAUSE >NUL 2>NUL
                GOTO :EOF
            )
        )
        REM Delete all current firewall rules
        netsh advfirewall firewall delete rule name=all >NUL 2>NUL
        ECHO All firewall rules cleared
        ECHO.
        REM Terminate OpenVPN
        taskkill /f /im openvpn* >NUL 2>NUL
        ECHO OpenVPN Terminated
        ECHO.
        REM Identify all NIC's and set their DNS
        ECHO.
        ECHO.
        ECHO Sanitizing and configuring your network adaptors
        ECHO ------------------------------------------------
        ECHO.
        FOR /F "tokens=2 delims=, skip=2" %%a IN ('"wmic nic where PhysicalAdapter=TRUE get netconnectionid /format:csv"') DO (
            REM The extra FOR /F strips the trailing carriage return that wmic leaves on each line
            FOR /F "delims=" %%b IN ("%%a") DO (
                ECHO "%%b" | findstr OpenVPN >NUL 2>NUL || (
                    SET "adapter=%%b"
                    SET dnsprimary=!YOUR_PUBLIC_PRIMARY_DNS!
                    SET dnssecondary=!YOUR_PUBLIC_SECONDARY_DNS!
                    CALL :ADAPTER_CONFIG
                )
            )
        )
        REM Import your backup firewall rules
        IF EXIST "%FIREWALL_FLIP_BACKUP_FOLDER%\PRE_VPN_FIREWALL_RULES_BACK.wfw" netsh advfirewall import "%FIREWALL_FLIP_BACKUP_FOLDER%\PRE_VPN_FIREWALL_RULES_BACK.wfw" >NUL 2>NUL
        REM Re-enable program firewall access request notifications
        netsh advfirewall set allprofiles settings inboundusernotification enable >NUL 2>NUL
        REM Register with the network properly
        ipconfig /registerdns >NUL 2>NUL
        netsh winsock reset >NUL 2>NUL
        ipconfig /renew >NUL 2>NUL
        REM Enable ALL traffic firewall rules
        netsh advfirewall set allprofiles firewallpolicy BlockInbound,AllowOutbound >NUL 2>NUL
        CLS
        ECHO -------------------------------------------
        ECHO Your computer should now allow "ALL" traffic
        ECHO -------------------------------------------
        GOTO :VERIFICATION
    )
    ECHO.
    ECHO This script has made no modifications to the system.
    ECHO Press any key to exit...
    PAUSE >NUL 2>NUL
    GOTO :EOF
:ALL_TO_VPN
    ECHO.
    ECHO --------------------------------------------------
    ECHO ^|The firewall currently allows "ALL" traffic^|
    ECHO --------------------------------------------------
    ECHO.
    ECHO Do you wish to allow "ONLY VPN" traffic?
    CHOICE
    IF !ERRORLEVEL! EQU 1 (
        CLS
        ECHO -----------------------------------------------------
        ECHO Configuring your computer to allow "ONLY VPN" traffic
        ECHO -----------------------------------------------------
        ECHO.
        REM Creating VPN_SERVER_IP (cleared first so a value left over from the resolving step is not reused)
        SET "VPN_SERVER_IP="
        SET "lastip="
        SET /P 1=Generating list of VPN server IP's... <NUL
        FOR /F "tokens=*" %%a IN ('DIR /b "%OpenVPN%\config\*.ovpn"') DO (
            FOR /F "tokens=1-3 delims= " %%b IN ('findstr "remote " "%OpenVPN%\config\%%a" ^| findstr \.') DO (
                IF DEFINED VPN_SERVER_IP (
                    IF %%c NEQ !lastip! SET VPN_SERVER_IP=!VPN_SERVER_IP!,%%c
                ) ELSE (
                    SET VPN_SERVER_IP=%%c
                )
                SET lastip=%%c
            )
        )
        ECHO Done
        REM Backup all firewall rules
        SET /P 1=Backing up current firewall rules... <NUL
        netsh advfirewall export "%FIREWALL_FLIP_BACKUP_FOLDER%\PRE_VPN_FIREWALL_RULES_BACK.wfw" >NUL 2>NUL
        IF NOT EXIST "%FIREWALL_FLIP_BACKUP_FOLDER%\PRE_VPN_FIREWALL_RULES_BACK.wfw" (
            ECHO ERROR
            ECHO.
            ECHO This script has made no modifications to the system.
            ECHO Press any key to exit...
            PAUSE >NUL 2>NUL
            GOTO :EOF
        )
        ECHO Done
        REM Enable VPN traffic firewall rules
        SET /P 1=Configuring new firewall rules... <NUL
        netsh advfirewall set allprofiles firewallpolicy BlockInbound,BlockOutbound >NUL 2>NUL
        REM Delete all current firewall rules (filtering method used to retain file/network sharing functionality)
        netsh advfirewall firewall delete rule name=all >NUL 2>NUL
        REM FOR /F "tokens=2 delims=:" %%a IN ('netsh advfirewall firewall show rule name^=all ^| findstr /C:"Rule Name:" ^| findstr /v "@"') DO (
            REM REM Trim all extra spaces
            REM FOR /F "tokens=* delims= " %%b IN ("%%a") DO SET "RULE_NAME=%%b"
            REM REM Filter out all firewall rules that aren't the microsoft local subnet ones
            REM FOR /F "tokens=* delims= " %%b IN ('@ECHO !RULE_NAME! ^| findstr /v /b /L "File and Printer Sharing" ^| findstr /v /b /L "Network Discovery"') DO netsh advfirewall firewall delete rule name="!RULE_NAME!" >NUL 2>NUL
        REM )
        REM Create VPN only rules
        netsh advfirewall firewall add rule name="VPN_LOCALNETWORK_INBOUND" dir=in action=allow remoteip=LocalSubnet >NUL 2>NUL
        netsh advfirewall firewall add rule name="VPN_LOCALNETWORK_OUTBOUND" dir=out action=allow remoteip=LocalSubnet >NUL 2>NUL
        netsh advfirewall firewall add rule name="VPN_RESOLUTION_OUTBOUND" dir=out action=allow remoteip=!VPN_SERVER_IP! >NUL 2>NUL
        netsh advfirewall firewall add rule name="VPN_DHCP" dir=out action=allow program="%%SystemRoot%%\system32\svchost.exe" localip=0.0.0.0 localport=68 remoteip=255.255.255.255 remoteport=67 protocol=UDP >NUL 2>NUL
        REM Disable program requesting firewall access notifications (just in case you aren't connected to the VPN and you are asked by something and accidentally allow it)
        netsh advfirewall set allprofiles settings inboundusernotification disable >NUL 2>NUL
        ECHO Done
        REM Identify all NIC's and set their DNS to the secure VPN DNS
        ECHO.
        ECHO.
        ECHO Sanitizing and configuring your network adaptors
        ECHO ------------------------------------------------
        ECHO.
        FOR /F "tokens=2 delims=, skip=2" %%a IN ('"wmic nic where PhysicalAdapter=TRUE get netconnectionid /format:csv"') DO (
            REM The extra FOR /F strips the trailing carriage return that wmic leaves on each line
            FOR /F "delims=" %%b IN ("%%a") DO (
                ECHO "%%b" | findstr OpenVPN >NUL 2>NUL || (
                    SET "adapter=%%b"
                    REM Secure mode: point every adapter at the VPN's DNS servers, not the public ones
                    SET dnsprimary=!YOUR_VPN_PRIMARY_DNS!
                    SET dnssecondary=!YOUR_VPN_SECONDARY_DNS!
                    CALL :ADAPTER_CONFIG
                )
            )
        )
        REM Register with the network properly
        ipconfig /registerdns >NUL 2>NUL
        netsh winsock reset >NUL 2>NUL
        ipconfig /renew >NUL 2>NUL
        CLS
        ECHO ------------------------------------------------
        ECHO Your computer should now allow "ONLY VPN" traffic
        ECHO ------------------------------------------------
        GOTO :VERIFICATION
    )
    ECHO.
    ECHO This script has made no modifications to the system.
    ECHO Press any key to exit...
    PAUSE >NUL 2>NUL
    GOTO :EOF
:VERIFICATION
    ECHO.
    ECHO.
    ECHO VERIFICATION STEPS
    ECHO ------------------
    REM Automatic firewall verification
    FOR /F "tokens=2 delims=," %%a IN ('netsh advfirewall show allprofiles firewallpolicy') DO IF "%%a" EQU "%state%" (
        ECHO Your firewall state did not successfully switch over, do you want to run this script again?
        CHOICE
        IF !ERRORLEVEL! EQU 1 (
            GOTO :CURRENT_STATE
        ) ELSE (
            GOTO :EOF
        )
    )
    ECHO Firewall - passed automatic verification
    REM Automatic DNS verification
    netsh interface ipv4 show dns | findstr \. | findstr !dnsprimary! >NUL 2>NUL || GOTO :VERIFICATION_FAILURE
    IF DEFINED dnssecondary netsh interface ipv4 show dns | findstr \. | findstr !dnssecondary! >NUL 2>NUL || GOTO :VERIFICATION_FAILURE
    ECHO DNS - passed automatic verification
    ECHO ------------------
    ECHO.
    IF !dnsprimary! EQU !YOUR_VPN_PRIMARY_DNS! (
        SET ovpnlog=!YOUR_PREFERRED_OVPN:ovpn=log!
        taskkill /f /im openvpn* >NUL 2>NUL
        DEL /F /Q "%OpenVPN%\log\!ovpnlog!" >NUL 2>NUL
        ECHO.
        SET /P 1=Connecting to your VPN and waiting for IP to be assigned: <NUL
        START "" "%OpenVPN%\bin\openvpn-gui.exe" --connect !YOUR_PREFERRED_OVPN! >NUL 2>NUL
        REM Poll the OpenVPN log for up to 120 seconds. A FOR /L loop is used instead of a label
        REM inside this block, and the wait now gives up instead of spinning forever on a failed connection
        SET "VPN_ASSIGNED_IP="
        FOR /L %%i IN (1,1,120) DO (
            IF NOT DEFINED VPN_ASSIGNED_IP (
                FOR /F "tokens=4 delims=," %%a IN ('findstr "CONNECTED,SUCCESS" "%OpenVPN%\log\!ovpnlog!" 2^>NUL') DO (
                    SET VPN_ASSIGNED_IP=%%a
                )
                IF NOT DEFINED VPN_ASSIGNED_IP TIMEOUT /T 1 >NUL 2>NUL
            )
        )
        IF NOT DEFINED VPN_ASSIGNED_IP (
            ECHO.
            ECHO OpenVPN did not report a successful connection within 120 seconds.
            ECHO Check "%OpenVPN%\log\!ovpnlog!" and run this script again. Press any key to exit...
            PAUSE >NUL 2>NUL
            GOTO :EOF
        )
        ECHO !VPN_ASSIGNED_IP!
        ECHO.
        SET /P 1=Granting your assigned VPN IP access to the internet... <NUL
        FOR /F "tokens=2-4 delims=,." %%a IN ('wmic nicconfig get DHCPServer^,SettingID /format:csv ^| findstr "!VPN_ADAPTER_GUID!"') DO (
            SET VPN_IP_POOL_RANGE=%%a.%%b.0.0-%%a.%%b.255.254
        )
        netsh advfirewall firewall add rule name="VPN_INTERNET_OUTBOUND" dir=out action=allow localip=!VPN_IP_POOL_RANGE! >NUL 2>NUL
        ECHO Done
        ECHO.
        ECHO.
        ECHO -------------------------------------------------------------------
        ECHO ^|Visit www.ipleak.net to verify that you are connected to your VPN^|
        ECHO -------------------------------------------------------------------
        ECHO.
        PAUSE
        GOTO :EOF
    ) ELSE (
        PAUSE
    )
    GOTO :EOF
:VERIFICATION_FAILURE
    ECHO There was an error setting your DNS, press any key to see your current DNS servers...
    PAUSE >NUL 2>NUL
    netsh interface ipv4 show dns
    ECHO ------------------------------------------------------------
    ECHO The DNS listed should be: !dnsprimary! -OR- !dnssecondary!
    ECHO ------------------------------------------------------------
    ECHO.
    ECHO IF THE DNS SERVERS DO NOT MATCH WHAT THEY SHOULD BE, CHANGE THEM MANUALLY
    ECHO                          IF YOU DON'T DO THIS:
    ECHO                          ---------------------
    ECHO                 YOUR VPN CONNECTION WILL NOT BE SECURE
    ECHO                                 -AND/OR-
    ECHO                YOUR REGULAR INTERNET MODE WILL NOT WORK
    ECHO.
    PAUSE
    GOTO :EOF
:ADAPTER_CONFIG
    REM This section resets and configures your network adapters as necessary
    SET /P 1=%adapter%... <NUL
    ipconfig /release >NUL 2>NUL
    ipconfig /flushdns >NUL 2>NUL
    netsh interface ipv4 set dns "%adapter%" static %dnsprimary% primary validate=no >NUL 2>NUL
    IF DEFINED dnssecondary netsh interface ipv4 add dns "%adapter%" !dnssecondary! index=2 validate=no >NUL 2>NUL
    ECHO Done

STEP 4

Now you just double click the .bat file whenever you want to switch between VPN secure or normal internet mode.

If double-clicking doesn't start the script you can right click it and select 'open'.

 

SPECIAL NOTES

 

-This script creates a backup of your original .ovpn files under the folder FIREWALL_FLIP_BACKUP in your OpenVPN installation directory. This script resolves the IPs of the hostnames in the VPN files, so if you feel there is something wrong with this script you can still just go back to your originals.

 

-The changes made by this script are permanent, until you run it again. This means that reboots or any sort of system hiccup will not affect it.

 

WARNING

If you start fiddling with your network adapters or Windows Firewall yourself you will most likely compromise what this script has set out to do. Only do so if you know what you're doing.


If a moderator thinks this is good enough it would be nice to see it in the HOW-TO section of the forum.
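An added Python helper (not part of Omniferum's script or anything posted in this thread) that does the same bookkeeping the batch file does with the .ovpn "remote" lines: it collects the resolved server IPs for the remoteip list, flags files that still carry a hostname, emits the equivalent "ONLY VPN" netsh rule set, derives the post-connection local address range the same way the script does, and approximates the outbound decision so the DNS-leak argument can be checked. The .ovpn contents, addresses and the /24 used to stand in for Windows Firewall's LocalSubnet are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample .ovpn files (not real provider configs). One is already
# resolved, one repeats an IP across two files, one still carries a hostname.
SAMPLE_OVPN_FILES = {
    "Server_A_UDP-443.ovpn": (
        "client\ndev tun\nproto udp\n"
        "remote 203.0.113.10 443\n"
        "<ca>\n-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n</ca>\n"
    ),
    "Server_B_TCP-443.ovpn": "client\nproto tcp\nremote 203.0.113.11 443\nremote 203.0.113.10 443\n",
    "Server_C_UDP-80.ovpn": "client\nproto udp\nremote entry.example.invalid 80\n",
}

# 'remote <host> [port]'; the trailing \s+ keeps 'remote-cert-tls' from matching.
REMOTE_RE = re.compile(r"^\s*remote\s+(\S+)(?:\s+(\d+))?", re.MULTILINE)


def parse_remotes(ovpn_text):
    """All 'remote' directives of one .ovpn file as (host_or_ip, port), in order."""
    return [(m.group(1), m.group(2)) for m in REMOTE_RE.finditer(ovpn_text)]


def is_ipv4(value):
    try:
        return isinstance(ipaddress.ip_address(value), ipaddress.IPv4Address)
    except ValueError:
        return False


def collect_server_ips(files):
    """Deduplicated resolved IPv4 endpoints across all files, plus the (file, host)
    pairs that would have to be resolved first: a Windows Firewall remoteip must be
    an address, so a hostname here means the script's resolving step is needed."""
    ips, unresolved = [], []
    for name, text in files.items():
        for host, _port in parse_remotes(text):
            if is_ipv4(host):
                if host not in ips:
                    ips.append(host)
            else:
                unresolved.append((name, host))
    return ips, unresolved


def vpn_only_rules(server_ips):
    """The netsh commands the script issues for 'ONLY VPN' mode, as strings."""
    if not server_ips:
        raise ValueError("no resolved VPN server IPs: the tunnel could never be built")
    remoteip = ",".join(server_ips)
    return [
        "netsh advfirewall set allprofiles firewallpolicy BlockInbound,BlockOutbound",
        "netsh advfirewall firewall delete rule name=all",
        'netsh advfirewall firewall add rule name="VPN_LOCALNETWORK_INBOUND" '
        "dir=in action=allow remoteip=LocalSubnet",
        'netsh advfirewall firewall add rule name="VPN_LOCALNETWORK_OUTBOUND" '
        "dir=out action=allow remoteip=LocalSubnet",
        'netsh advfirewall firewall add rule name="VPN_RESOLUTION_OUTBOUND" '
        f"dir=out action=allow remoteip={remoteip}",
        'netsh advfirewall firewall add rule name="VPN_DHCP" dir=out action=allow '
        'program="%SystemRoot%\\system32\\svchost.exe" localip=0.0.0.0 localport=68 '
        "remoteip=255.255.255.255 remoteport=67 protocol=UDP",
    ]


def vpn_pool_range(dhcp_server):
    """Local address range granted internet access once the tunnel is up: the
    script keeps the first two octets of the TAP adapter's DHCP server."""
    a, b, _c, _d = str(ipaddress.IPv4Address(dhcp_server)).split(".")
    return f"{a}.{b}.0.0-{a}.{b}.255.254"


def outbound_allowed(src_ip, dst_ip, local_subnet, server_ips, pool_range=None):
    """Approximate outbound decision under the rule set above. LocalSubnet is
    modelled as one network; the DHCP rule's port/program conditions are not."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if dst in ipaddress.ip_network(local_subnet):   # VPN_LOCALNETWORK_OUTBOUND
        return True
    if str(dst) in server_ips:                      # VPN_RESOLUTION_OUTBOUND
        return True
    if str(dst) == "255.255.255.255":               # VPN_DHCP
        return True
    if pool_range:                                  # VPN_INTERNET_OUTBOUND
        lo, hi = (ipaddress.ip_address(x) for x in pool_range.split("-"))
        if lo <= src <= hi:
            return True
    return False                                    # default policy: BlockOutbound


if __name__ == "__main__":
    ips, bad = collect_server_ips(SAMPLE_OVPN_FILES)
    for name, host in bad:
        print(f"{name}: 'remote {host}' is a hostname, regenerate with resolved hosts")
    print("\n".join(vpn_only_rules(ips)))
    pool = vpn_pool_range("10.4.0.1")
    # A query to an ISP resolver from the LAN address is blocked; the same query to the
    # VPN's resolver from the tunnel address passes, which is the script's anti-leak argument.
    print(outbound_allowed("192.168.1.20", "192.0.2.53", "192.168.1.0/24", ips))
    print(outbound_allowed("10.4.23.7", "10.4.0.1", "192.168.1.0/24", ips, pool))
```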

 

Hello,

 

thank you for your efforts and thank you for sharing!

 

It looks good and very comfortable, some of us will test it and after that if it's all right we'll move it to the how-to.

 

Some specifications for the readers: in order to work properly, the script needs the Configuration Generator set to "Resolved hosts" (*) so that in the .ovpn files' "remote" line(s) there will always be an IP address, not a name (would the Windows firewall work properly with domain names instead of IP addresses?). It's important to specify because the majority of Windows users run the Air client, so they probably have never used the Configuration Generator.

 

(*) anyway "Resolved hosts" is forced if the Configuration Generator is set in Windows mode - problems may arise only if a Windows user runs the Configuration Generator in some other OS mode.

 

EDIT: alternatively we might provide something like "fake.ovpn", a simple text file with all entry IP addresses preceded by the "remote" keyword (if the script scans all the "remote" lines, i.e. if it does not stop at the first found "remote" line).

 

Kind regards


The Windows Firewall only gives IP as an option.

 

However, with a simple tweak to the batch I can just make it ping domain names, get the resolved IP address and use that to populate the vpnip variable instead. Assuming your server names stay constant; I know that some get taken down/replaced.

 

I only did this in batch as I know 'every' Windows platform used today supports it. If I knew people were using Windows 7 minimum I would've just done it in PowerShell.


This is awesome and does exactly what I've been looking for. Without the VPN connection I can't connect to the internet using any programs; however, once the VPN is established I can use the internet without a problem.

 

The only thing with the first batch file is that I've had to go through and adjust the Remote IP to my VPN IP even though I do use OpenVPN. Not sure if it matters, as it still does what I was after even without that.

Guest Chaf

Isn't there a missing rule for the firewall blocking UDP port 53 for DNS leaks?


This is awesome and does exactly what I've been looking for. Without the VPN connection I can't connect to the internet using any programs; however, once the VPN is established I can use the internet without a problem.

 

The only thing with the first batch file is that I've had to go through and adjust the Remote IP to my VPN IP even though I do use OpenVPN. Not sure if it matters, as it still does what I was after even without that.

 

The remoteip variable is really only populated if you have the .ovpn files in the same directory. Manually adding them in with commas like:

123.123.0.123,123.51.123.16,123.2.13.1

will make it work fine

 

 

Isn't there a missing rule for the firewall blocking UDP port 53 for DNS leaks?

 

There is no real way that DNS leaks could occur.

 

The firewall rules above prevent your adapters from communicating with the internet in any fashion except with the OpenVPN servers (to establish a connection with them).

Even then, your local adapters' DNS is set to your VPN adapter's, so it is routed through them.

 

DNS leaks are more for when your DNS is set to static and gets confused because your adapter has access to BOTH the AirVPN and your regular ISP's DNS servers. The rules above limit that to only one, your OpenVPN provider's.


Hi Omniferum,

 

Could you make a little "VPN flipper" for people who use Comodo Personal Firewall instead of Windows Firewall?

 

And while you are at it, could you make one for those who use Linux?

 

I have also made a little 'VPN flipper', so you can switch your firewall to operate normally or in VPN secure mode (DNS and all that). For this to work you need to go to your network connections and right click the TAP-Windows Adapter v9, select 'Rename' and give it the name VPN.


So after I change the txt name to bat, what should I do with that file? Where do I paste it? And where can I find the .ovpn file? Please help

 

Edit: I think I figured out what to do with .bat files. Now I am having another issue: when I use VPN flipper to allow connection only thru VPN ...

I lose connection thru VPN as well. When I flip to allow all traffic everything works again. What could be the problem?


So after I change the txt name to bat, what should I do with that file? Where do I paste it? And where can I find the .ovpn file? Please help

 

Edit: I think I figured out what to do with .bat files. Now I am having another issue: when I use VPN flipper to allow connection only thru VPN ...

I lose connection thru VPN as well. When I flip to allow all traffic everything works again. What could be the problem?

 

You need to make a directory that has all your .ovpn files (which you can get through the AirVPN "client area" -> "config generator" page) and put the batch file in there. Then just run the batch file, it will add all the required rules.

 

 

 

Hi Omniferum,

 

Could you make a little "VPN flipper" for people who use Comodo Personal Firewall instead of Windows Firewall?

 

And while you are at it, could you make one for those who use Linux?

 

I have also made a little 'VPN flipper', so you can switch your firewall to operate normally or in VPN secure mode (DNS and all that). For this to work you need to go to your network connections and right click the TAP-Windows Adapter v9, select 'Rename' and give it the name VPN.

 

 

As for making it work for Comodo, I don't run it (nor do I really want to) so I don't know what command line options it has. Essentially, all the VPN flipper does is toggle between block/allow outbound traffic and change some network adapter DNS settings to prevent DNS leaks. So all someone would have to do is find the Comodo command line option to toggle the 'VPN zones'. If memory serves me correctly, Comodo uses the term 'zones'.

 

Those who use Linux could easily find some bash script to do the same job; I would be surprised if nobody has done it. However, Linux doesn't really suffer from DNS leaks normally, and I do know there are some scripts that do the same 'toggle VPN only' already. I believe there is one on this forum somewhere.


Just a nudge in the hopes that the moderators see the updated script and update the How-To section with it


Hi Guys,

 

What info do I need to add to this section:

 

 

set apikey=<fillmeinwithyourinformation!>
::Valid options are: disconnect,userinfo
set apiservice=<fillmeinwithyourselection!>

 

Thanks!


Hi Omniferum,

 

Thank you for your fix for Windows 7.  

 

I'm new to using a VPN service.  I've installed OpenVPN using the client and not the Config Generator Page!  Where would I place the .bat files for both the Firewall rule and the Flipper Switch?   

 

You need to make a directory that has all your .ovpn files (which you can get through the AirVPN "client area" -> "config generator" page) and put the batch file in there. Then just run the batch file, it will add all the required rules.

 

With thanks,


Hi Omniferum,

 

Thank you for your fix for Windows 7.  

 

I'm new to using a VPN service.  I've installed OpenVPN using the client and not the Config Generator Page!  Where would I place the .bat files for both the Firewall rule and the Flipper Switch?   

 

You need to make a directory that has all your .ovpn files (which you can get through the AirVPN "client area" -> "config generator" page) and put the batch file in there. Then just run the batch file, it will add all the required rules.

 

With thanks,

 

As per the instructions in the main post.
The .ovpn files need to be generated in the Config Generator section of your AirVPN Client Area (this is an area on the website, not a program) with the following boxes checked:
Advanced Mode (This has to be selected first so the next two can be visible)
Resolved hosts in .ovpn file
All servers for area region
 

Hi Guys,

 

What info do I need to add to this section:

 

 

set apikey=<fillmeinwithyourinformation!>
::Valid options are: disconnect,userinfo
set apiservice=<fillmeinwithyourselection!>

 

Thanks!

 
Technically you do not HAVE to fill those things in. It is just more to force a disconnect because my OpenVPN doesn't always smoothly disconnect. However again you can just go to Client Area -> Settings and you can get the API key from there to put into the set apikey= part.
 
The apiservice already has the two possible options above, disconnect is the one you want. userinfo is just there for debug shit at times for me in other scripts.


Hello Omniferum,

 

Thanks so much for your additional explanation.

 


 

Advanced Mode (This has to be selected first so the next two can be visible)
Resolved hosts in .ovpn file
All servers for area region

 

Add this information above (see example below). What modes do I select in order to generate?

 

Still a little confused about the directory that you mentioned below.

You need to make a directory that has all your .ovpn files (which you can get through the AirVPN "client area" -> "config generator" page) and put the batch file in there. Then just run the batch file, it will add all the required rules.

 

Thanks,


The batch files and .ovpn files need to be in the same directory. As in, they have to be able to see each other in the same place: if you opened up C:\Openvpn in your Windows Explorer you would need to see all the .ovpn and batch files there. Then run the batch file.

 

In your screenshot you need to check the All servers for area region

 

If you want port recommendations I would just say UDP & TCP, Ports 80 and 443


Hi Omniferum,

 

Thanks so much for your patience and help.

 

I've checked off the top four boxes for Direct Protocol UDP 443 and TCP 443; and, Direct Protocol UPD 80 and TCP 80.  Yes, I forgot to add 'all servers in area region'.   Done!

 

Many many thanks for your help,


I'm struggling to get this to work. I've read through the thread multiple times and still can't get it working. Still able to access the web without the vpn active.

 

I've created the 2 bat files.

I've put them in a folder with the .ovpn files. I crossed off 'Resolved hosts in .ovpn file' and 'All servers for area region'.

 

I've run the bat to create the rules for the firewall. The rules show up in the firewall.

 

Renamed the tap connection to VPN.

 

Tried running the flipper to see if that made a difference, it doesn't


Hi Zhriver,

 

Review all of the steps as follows (with thanks to Omniferum and Staff):

 

1.  Copy Omniferum's two .bats files (see above).  Also, rename the TAP-Windows Adapter v9.

 

NOTE:  I have also made a little 'VPN flipper' (EDIT: NEW, IMPROVED 'flipper' 31-Aug-13), so you can switch your firewall to operate normally or in VPN secure mode (DNS and all that). For this to work you need to go to your network connections and right click the TAP-Windows Adapter v9, select 'Rename' and give it the name VPN.

 

2.  Create and add an API key field as per staff:

 

The VPN flipper is a script file as well, so you can name it for example "vpnflipper.bat". It will need that you use our API (see the FAQ for more information). Its purpose is to toggle the firewall configuration to "VPN anti-leak mode" and "normal mode".

 

Log in the web site with your account and click "Client Area". Select "Settings" from the left tabs. In the "API Key" field, click to open the menu and select "Enable and generate new key". Click "Save Settings".

 

Now the page will reload and in the API Key field your key will appear (a long string with letters and digits). Select it with the mouse and copy it.

 

In your VPN flipper script, find the line:

 set apikey=<fillmeinwithyourinformation!>

 delete <fillmeinwithyourinformation!> and paste the API key in its place, just after the '=' symbol.

 Then, find the line:

 set apiservice=<fillmeinwithyourselection!>

 and replace <fillmeinwithyourselection!> with:

 disconnect

 just after the '=' symbol.

 All of the above is optional, the script will work even without setting apikey and apiservice.


Create the .ovpn files in the Config Generator section of your AirVPN Client Area

 

1.  Choose your type of Operating System
2.  Selection of servers
3.  Advanced Mode - Tick off the following:

- Resolved hosts in .ovpn file
- All servers for area region
- If you want port recommendations I would just say UDP & TCP, Ports 80 and 443

Generate

 

Add these .ovpn generated files with the two .bats files in OpenVPN > config

Run the .bat files


I should perhaps point out to everyone that renaming the network adapter isn't actually necessary anymore. I just didn't want to research at the time if fiddling with the DNS on adapters other than your main link would do something funny.

 

The scripts as they stand now do not require you to rename any network adapter, as they will lock down the DNS on ALL your adapters for secure usage. So even if you didn't do that step before, it doesn't make a difference.

 

 

I'm struggling to get this to work. I've read through the thread multiple times and still can't get it working. Still able to access the web without the vpn active.

 

I've created the 2 bat files.

I've put them in a folder with the .ovpn files. I crossed off 'Resolved hosts in .ovpn file' and 'All servers for area region'.

 

I've run the bat to create the rules for the firewall. The rules show up in the firewall.

 

Renamed the tap connection to VPN.

 

Tried running the flipper to see if that made a difference, it doesn't

 

For reference sake there is the possibility that the copy/paste isn't going correctly for you. Your browser might be wrapping text so what you copy/paste isn't the EXACT code as posted in my post. That is somewhat the only thing I can think of. What OS are you running? Windows 7 basic might not be able to do stuff like this. Just throwing ideas out.


Hi Omniferum,

 

I've installed everything as per above.  Word wrap is not on and I'm running Windows 7 Home Premium.  I have assigned a specific port for utorrent (Client Area) and I'm connected to the AirVPN. 

 

Received when utorrent is running:


 

DANGER! Reachable on real IP over the external port 61014, tcp protocol.

 

Not connected to utorrent:
 

Not reachable on server IP over the external port 30823, tcp protocol. Error : 110 - Connection timed out

 

.bat files in text format for Flipper Switch.   When replacing the set apikey=<fillmeinwithyourinformation!> does the ! mark stay?

 

 

 

@ECHO OFF
SETLOCAL ENABLEDELAYEDEXPANSION
SETLOCAL ENABLEEXTENSIONS
 
::The powershell commands in this script are Powershell 2.0, which is what Windows 7 comes installed with by default. They will work for Windows 8 as well.
 
set vpndnsprimary=10.4.0.1
set vpndnssecondary=10.5.0.1
 
::Put the filename of your OVPN file here. The filename can have spaces
set yourpreferredovpn=<fillmeinwithyourinformation!>
 
set apikey=<fillmeinwithyourinformation!>
::Valid options are: disconnect,userinfo
set apiservice=<fillmeinwithyourselection!>
 
::Check what state the firewall is in (VPN ONLY or ALLOW ALL)
for /f "tokens=3,4" %%a in ('netsh advfirewall show allprofiles firewallpolicy ^| findstr ^,') do set state=%%a
if "%state%" EQU "BlockInbound,BlockOutbound" goto :VPN
if "%state%" EQU "BlockInbound,AllowOutbound" goto :ALL
 
:VPN
CHOICE /m "The firewall currently allows ONLY VPN traffic, do you wish to allow ALL traffic?"
if %errorlevel% EQU 1 (
REM This powershell command allows you to send an API request (asks AirVPN to disconnect the session)
Powershell.exe -NoProfile -Command ^(New-Object System.Net.WebClient^).DownloadString^('https://airvpn.org/api/?key^=!apikey!^&service^=!apiservice!^&format^=text'^)
taskkill /f /im openvpn*
REM Back to normal mode: outbound traffic is allowed again by default
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
REM Identify all NIC's and set their DNS back to DHCP
for /f "tokens=*" %%a in ('Powershell.exe -NoProfile -Command "Get-WmiObject Win32_NetworkAdapter | %%{$_.NetConnectionID}"') do (
ipconfig /flushdns>NUL 2>NUL
netsh interface ip set dns "%%a" dhcp>NUL 2>NUL
ipconfig /flushdns>NUL 2>NUL
)
)
goto :EOF
 
:ALL
CHOICE /m "The firewall currently allows ALL traffic, do you wish to allow ONLY VPN traffic?"
if %errorlevel% EQU 1 (
REM VPN-only mode: outbound is denied by default, so only the explicit allow rules (VPN servers, LAN) get through
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
REM Identify all NIC's and set their DNS to the secure VPN DNS, so no query can leak to the ISP resolver
for /f "tokens=*" %%a in ('Powershell.exe -NoProfile -Command "Get-WmiObject Win32_NetworkAdapter | %%{$_.NetConnectionID}"') do (
ipconfig /flushdns>NUL 2>NUL
netsh interface ip set dns "%%a" static %vpndnsprimary% primary no>NUL 2>NUL
ipconfig /flushdns>NUL 2>NUL
netsh interface ip add dns "%%a" %vpndnssecondary% index=2 no>NUL 2>NUL
ipconfig /flushdns>NUL 2>NUL
)
start "" "C:\Program Files (x86)\OpenVPN\bin\openvpn-gui.exe" --connect "!yourpreferredovpn!">NUL 2>NUL
)

 

 

Any suggestions, hp


Just a bump so everyone who has had any issues with this prior can try the new scripts to aid in troubleshooting.


My bat file keeps erroring out that it can't find the ovpn files but they are there in the same folder as the bat file.  Thoughts anyone?

  

Directory of C:\1airvpn
 
09/21/2013  01:21 PM    <DIR>          .
09/21/2013  01:21 PM    <DIR>          ..
09/21/2013  01:12 PM            41,607 AirVPN.zip
09/21/2013  08:12 PM             9,231 AirVPN_America_TCP-443.ovpn
09/21/2013  08:12 PM             9,219 AirVPN_America_TCP-80.ovpn
09/21/2013  08:12 PM             9,255 AirVPN_America_UDP-443.ovpn
09/21/2013  08:12 PM             9,243 AirVPN_America_UDP-80.ovpn
09/21/2013  08:12 PM             9,646 AirVPN_Europe_TCP-443.ovpn
09/21/2013  08:12 PM             9,618 AirVPN_Europe_TCP-80.ovpn
09/21/2013  08:12 PM             9,670 AirVPN_Europe_UDP-443.ovpn
09/21/2013  08:12 PM             9,642 AirVPN_Europe_UDP-80.ovpn
09/21/2013  12:44 PM             2,574 create firewall rules.bat
09/21/2013  01:21 PM                 0 vpn.txt
09/21/2013  12:40 PM             2,364 vpnflipper.bat
09/02/2013  06:00 PM         9,183,854 vpn_firewall.pdf
              13 File(s)      9,305,923 bytes
               2 Dir(s)  60,800,172,032 bytes free


I assume the 'IF EXIST *.ovpn' part is buggering up for you. Works fine on my computer though.

 

If you just delete:

IF NOT EXIST *.ovpn (
ECHO ******************************************************************
ECHO This script cannot continue because it could not find the .ovpn
ECHO files required in the same directory as this script.
ECHO.
ECHO For reference the directory that this script is in is:
ECHO "%~dp0"
ECHO ******************************************************************
PAUSE
GOTO :EOF
)

 

out of the batch file it should continue normally


I commented out those lines and then the bat file errored out not finding IP addresses in my ovpn files. They are there, I looked in Notepad.

Anyway, I think I see what the bat file is trying to accomplish, which is entering the AirVPN IP addresses as allowed remote IP addresses in outbound connections while also allowing outbound local IP and local subnet addresses. I have entered some of the AirVPN IPs to test manually and that works OK.

I don't see any rules for inbound connections in the bat file and this is where I get hung up when using my BitTorrent client. AirVPN's port forwarding fails the test for the ports I have set up. My guess is that I need to set up inbound rules similar to the outbound ones but am not sure what inbound IP addresses I should be allowing. Same as those in the ovpn files or ?

Right now I have a rule that allows 10.4.0.0-10.9.255.255 and the port forwarding test works EXCEPT that when the VPN connection drops (for whatever reason), my BitTorrent client continues to function (although it seems to be at lower speeds). My goal is that this shouldn't function at all if there is no VPN connection. I use uTorrent, should I be using net.bind.ip or something similar? I will try testing some of these things on my own but haven't had a chance to so far. Thanks for the help.
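The two mechanisms discussed in this thread are the "create firewall rules" step (read the server addresses out of the .ovpn files and allow outbound traffic only to them, plus the local subnet) and the policy flip done by vpnflipper.bat (default-deny outbound in VPN-only mode, default-allow in normal mode). The following is an added example written for this page, not Omniferum's batch file and not AirVPN's code. It parses constructed sample .ovpn contents (192.0.2.x documentation addresses, not real AirVPN servers), prints the netsh commands it would run rather than executing them, and reports any remote entry that is still a hostname: netsh's remoteip= accepts addresses, subnets and ranges, not names, which is why the generator's "Resolved hosts in .ovpn file" option matters for a rule generator that reports finding no IP address.

```python
"""Turn the `remote` lines of OpenVPN .ovpn files into Windows Firewall allow
rules, expressed as netsh command strings for review. Nothing here executes
netsh; the caller pastes the printed commands into an elevated cmd prompt."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample .ovpn contents (assumption: not real AirVPN files).
# The third file carries an unresolved hostname to show what happens when
# "Resolved hosts in .ovpn file" was not ticked in the Config Generator.
SAMPLE_OVPN_FILES = {
    "AirVPN_Example_UDP-443.ovpn": (
        "client\ndev tun\nproto udp\n"
        "remote 192.0.2.10 443\nremote 192.0.2.11 443\n"
        "resolv-retry infinite\nremote-cert-tls server\n"
    ),
    "AirVPN_Example_TCP-80.ovpn": (
        "client\ndev tun\nproto tcp\n"
        "remote 192.0.2.10 80\nremote 192.0.2.12 80 tcp\n"
    ),
    "AirVPN_Unresolved.ovpn": (
        "client\nproto udp\nremote vpn.example.invalid 443\n"
    ),
}

# `remote <host> [port] [proto]`; the trailing \s+ keeps remote-cert-tls from matching.
REMOTE_RE = re.compile(r"^\s*remote\s+(\S+)(?:\s+(\d+))?(?:\s+(\S+))?", re.I)
PROTO_RE = re.compile(r"^\s*proto\s+(\S+)", re.I)


def parse_remotes(text):
    """Return (resolved, unresolved): resolved is a list of (ip, port, proto)
    tuples, unresolved the hostnames that cannot be turned into a rule."""
    default_proto = "udp"  # OpenVPN's default when no `proto` directive is present
    resolved, unresolved = [], []
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            default_proto = m.group(1).lower().rstrip("46")  # udp4 / tcp6 -> udp / tcp
            continue
        m = REMOTE_RE.match(line)
        if not m:
            continue
        host, port, proto = m.group(1), m.group(2) or "1194", m.group(3)
        proto = (proto or default_proto).lower()
        proto = "tcp" if proto.startswith("tcp") else "udp"
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            unresolved.append(host)  # netsh remoteip= wants an address, not a name
            continue
        resolved.append((str(ip), int(port), proto))
    return resolved, unresolved


def build_outbound_rules(files):
    """Group endpoints by protocol and port, emit one netsh allow rule per group
    plus the LAN rule the thread's script also adds. Returns (commands, unresolved)."""
    groups = defaultdict(list)
    unresolved = []
    for text in files.values():
        ok, bad = parse_remotes(text)
        unresolved.extend(bad)
        for ip, port, proto in ok:
            if ip not in groups[(proto, port)]:
                groups[(proto, port)].append(ip)
    commands = []
    for (proto, port), ips in sorted(groups.items()):
        commands.append(
            'netsh advfirewall firewall add rule name="VPN out {p} {port}" '
            "dir=out action=allow protocol={P} remoteport={port} remoteip={ips}".format(
                p=proto, P=proto.upper(), port=port, ips=",".join(ips)))
    # Keep the LAN reachable so shares and printers survive block-outbound mode.
    commands.append('netsh advfirewall firewall add rule name="VPN out LAN" '
                    "dir=out action=allow remoteip=localsubnet")
    return commands, unresolved


def policy_command(vpn_only):
    """The policy flip vpnflipper.bat performs: with outbound blocked by default,
    only the explicit allow rules above can reach the Internet."""
    outbound = "blockoutbound" if vpn_only else "allowoutbound"
    return f"netsh advfirewall set allprofiles firewallpolicy blockinbound,{outbound}"


if __name__ == "__main__":
    cmds, bad = build_outbound_rules(SAMPLE_OVPN_FILES)
    for host in bad:
        print(f"WARNING: skipped unresolved host {host}; regenerate the .ovpn "
              "files with 'Resolved hosts in .ovpn file' ticked")
    print(policy_command(vpn_only=True))
    print("\n".join(cmds))
```

Run it against a directory of real .ovpn files by reading them into the dictionary in place of the constructed samples, then review the printed commands before pasting them into an elevated prompt. Inbound stays at blockinbound in both modes, exactly as in the flipper script; this example deliberately adds no inbound rules.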
