Author Topic: Configuring to Block All Non-VPN Traffic  (Read 24138 times)

Offline stevefoobar

  • Newbie
  • *
  • Posts: 12
Configuring to Block All Non-VPN Traffic
« on: February 04, 2013, 02:34:46 AM »
I have read on torrent and VPN forums that there is a way to easily configure Comodo firewall to only allow VPN traffic or conversely, to block all non-VPN traffic.  This is very important since VPN connections ride "on top of" the normal Ethernet protocol and if they drop suddenly, the internet connection is still there and will now expose one's IP address previously hidden while using the VPN service.

I'm completely new to Comodo.  Are these posts correct and would someone please give me some quick pointers so that I can research this further?

Thanks!

Offline treefrogs

  • Comodo's Hero
  • *****
  • Posts: 550
  • Money.... it's a crime
Re: Configuring to Block All Non-VPN Traffic
« Reply #1 on: February 04, 2013, 03:05:53 AM »
I was interested in blocking all non-VPN connections using the FW.
I have temporarily given up on the idea as I could find no simple way  ???
I have, however, blocked non-VPN access on a per-application level, i.e. Browser, Utorrent, Cloud storage, etc.
This guide was written for version 5xxx but still works well for the current version:
http://www.bolehvpn.net/forum/index.php?topic=5798.0
Windows 7 x64
CIS 6 - fully virtual/HIPS enabled
Virtual Dragon
Cyberfox

Offline Radaghast

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 4068
Re: Configuring to Block All Non-VPN Traffic
« Reply #2 on: February 04, 2013, 03:10:14 AM »
In addition to the guide posted by treefrogs, here's another - Prevent leaks with Windows & Comodo
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.”

Offline stevefoobar

  • Newbie
  • *
  • Posts: 12
Re: Configuring to Block All Non-VPN Traffic
« Reply #3 on: February 05, 2013, 04:04:19 PM »
Thanks guys.  I'll try some of these.

I was also reading about a possible way to do this without using any firewall.  It does require making changes to the Windows routing table however and using command-line commands (netstat, ipconfig, etc.) to do so and many people won't be comfortable with that.  I started reading about it but can't find good online documentation that goes into enough detail about the routing tables to feel comfortable making changes to them yet.  This is probably the most secure way to make sure you won't be able to connect without a VPN because if there isn't a route in the routing table from your network interface to your router, it's impossible to connect!

Offline Radaghast

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 4068
Re: Configuring to Block All Non-VPN Traffic
« Reply #4 on: February 05, 2013, 05:09:21 PM »
If you're intending to route all Internet traffic over the VPN, the changes to the routing table are quite minimal. It basically consists of removing the default route 0.0.0.0 and replacing it with the VPN route. It's only if you want to do different things for different NICs that it gets 'interesting'.

Another consideration, if you have a router that supports it - or perhaps you can use dd-wrt or tomato firmware - you can create the VPN endpoint on the router.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.”

Offline stevefoobar

  • Newbie
  • *
  • Posts: 12
Re: Configuring to Block All Non-VPN Traffic
« Reply #5 on: February 05, 2013, 06:59:56 PM »
If you're intending to route all Internet traffic over the VPN, the changes to the routing table are quite minimal. It basically consists of removing the default route 0.0.0.0 and replacing it with the VPN route. It's only if you want to do different things for different NICs that it gets 'interesting'.

Another consideration, if you have a router that supports it - or perhaps you can use dd-wrt or tomato firmware - you can create the VPN endpoint on the router.

I was hoping it was that simple but I tried to delete the entry and Windows XP Pro SP3 would not let me.  Then I saw on some forum that Windows won't let you delete entries it created, only those you manually create so I gave up at that point meaning to get back to it when I have time to do more research.

If I could simply modify (add/delete) entries in the Windows routing table as I use and stop using VPN on the particular PC in question, I would be perfectly happy with that if I can figure out how to do it.  So in other words, when I want to use VPN, make whatever changes necessary to only route over VPN, then when I stop using VPN, change the table back to a "normal" state.

As for the router, I don't have the luxury of using my router at this point because it's running the native Linksys firmware and I don't have the time to start experimenting with DD-WRT, Tomato, or some of the other firmware mods to turn it into a VPN router, as much as I would love to do that.  Right now I have to be satisfied with a VPN client app running on each PC, which right now is just one PC anyway.

Offline Radaghast

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 4068
Re: Configuring to Block All Non-VPN Traffic
« Reply #6 on: February 05, 2013, 08:04:40 PM »
You should be able to change the routing table using an elevated command prompt, just use the RunAs option and select the Administrator account and password. (Or use the Admin account...)
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.”

Offline dbrisendine

  • Comodo Family Member
  • ***
  • Posts: 88
Re: Configuring to Block All Non-VPN Traffic
« Reply #7 on: February 05, 2013, 08:40:38 PM »
SecurityKISS VPN makes this simple; you just enter into "Exclusive Tunneling" once the VPN connects and the software blocks the other connections (other than the VPN).  ALL traffic then goes through the VPN and if it drops the VPN connection then there is no connection / traffic (until the user turns "Exclusive Tunneling" off).


(Just a suggestion to make things simple; not pushing anyone's software [but COMODO's , of course])
Win7 Ult x86, SP1 / CIS6 / Brain2.0

Offline stevefoobar

  • Newbie
  • *
  • Posts: 12
Re: Configuring to Block All Non-VPN Traffic
« Reply #8 on: February 06, 2013, 02:07:03 AM »
SecurityKISS VPN makes this simple; you just enter into "Exclusive Tunneling" once the VPN connects and the software blocks the other connections (other than the VPN).  ALL traffic then goes through the VPN and if it drops the VPN connection then there is no connection / traffic (until the user turns "Exclusive Tunneling" off).


(Just a suggestion to make things simple; not pushing anyone's software [but COMODO's , of course])

Interesting.  Maybe I'll try SecurityKISS VPN next month.  I'm using Privacy Internet Access VPN right now and they have a VPN Kill Switch checkbox but I'm not at all confident they've implemented it correctly so I don't trust it.  I already had the VPN connection drop and it looked like the connection was still enabled so I quickly unplugged the network cable.  That works every time.   ;D

Offline stevefoobar

  • Newbie
  • *
  • Posts: 12
Re: Configuring to Block All Non-VPN Traffic
« Reply #9 on: February 06, 2013, 02:33:53 AM »
You should be able to change the routing table using an elevated command prompt, just use the RunAs option and select the Administrator account and password. (Or use the Admin account...)

I've never heard of an "elevated command prompt" but if you mean run as an admin, I was logged in as an admin in Windows XP when I tried to delete the first line in the table and it gave me an error message (can't recall exactly what it said right now).  This is the line I believe I'm supposed to delete:

Destination      Netmask          Gateway          Interface        Metric
0.0.0.0          0.0.0.0          192.168.1.1      192.168.1.103    20

Offline treefrogs

  • Comodo's Hero
  • *****
  • Posts: 550
  • Money.... it's a crime
Re: Configuring to Block All Non-VPN Traffic
« Reply #10 on: February 06, 2013, 03:02:49 AM »
It would be good to be able to achieve this by modifying the routing tables
I for one would be interested in doing this... if I knew how
Windows 7 x64
CIS 6 - fully virtual/HIPS enabled
Virtual Dragon
Cyberfox

Offline Radaghast

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 4068
Re: Configuring to Block All Non-VPN Traffic
« Reply #11 on: February 06, 2013, 03:05:54 AM »
Perhaps it's the command you're using... See image (Normal user using RunAs Administrator)

The command to delete - in my example:

route delete 0.0.0.0 192.168.1.1

To add your VPN route:

route add <VPN IP> mask <net mask> <gateway IP> metric 1

route add 83.170.76.128 mask 255.255.255.255 192.168.1.1 metric 1

 

[attachment deleted by admin]
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.”
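Added example, not part of Radaghast's post: a Python check that parses a routing table in the column layout quoted in this thread and reports any route that can still send traffic out through the LAN gateway to something other than the VPN server. The two tables are constructed samples using the thread's addresses; the tunnel-side 10.8.0.x addresses and all function names are assumptions.

```python
import ipaddress

# Constructed sample tables in the column layout quoted in the thread;
# 10.8.0.x (tunnel side) is an assumed value, not taken from the thread.
BEFORE = """\
Destination      Netmask          Gateway        Interface        Metric
0.0.0.0          0.0.0.0          192.168.1.1    192.168.1.103    20
192.168.1.0      255.255.255.0    192.168.1.103  192.168.1.103    20
"""
AFTER = """\
Destination      Netmask          Gateway        Interface        Metric
0.0.0.0          0.0.0.0          10.8.0.1       10.8.0.2         1
83.170.76.128    255.255.255.255  192.168.1.1    192.168.1.103    1
192.168.1.0      255.255.255.0    192.168.1.103  192.168.1.103    20
"""

def parse_routes(text):
    """Return (network, gateway, metric) for every well-formed route row."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        try:
            net = ipaddress.ip_network(f"{fields[0]}/{fields[1]}")
            gateway = ipaddress.ip_address(fields[2])
            metric = int(fields[4])
        except ValueError:
            continue  # header, separator, or a row with a non-IP gateway
        routes.append((net, gateway, metric))
    return routes

def leak_paths(routes, lan_gateway, vpn_server):
    """Networks still reachable via the LAN gateway, other than the VPN host."""
    lan_gw = ipaddress.ip_address(lan_gateway)
    vpn_host = ipaddress.ip_network(f"{vpn_server}/32")
    return [str(n) for n, gw, _ in routes if gw == lan_gw and n != vpn_host]

def has_vpn_host_route(routes, lan_gateway, vpn_server):
    """True if the /32 route to the VPN server via the LAN gateway exists."""
    lan_gw = ipaddress.ip_address(lan_gateway)
    vpn_host = ipaddress.ip_network(f"{vpn_server}/32")
    return any(n == vpn_host and gw == lan_gw for n, gw, _ in routes)

if __name__ == "__main__":
    for name, table in (("before", BEFORE), ("after", AFTER)):
        routes = parse_routes(table)
        print(name, "leak paths:", leak_paths(routes, "192.168.1.1", "83.170.76.128"),
              "vpn host route:", has_vpn_host_route(routes, "192.168.1.1", "83.170.76.128"))
```

Running the same check again after the VPN disconnects shows whether anything put a default route via 192.168.1.1 back into the table.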

Offline Sanya IV Litvyak

  • Comodo's Hero
  • *****
  • Posts: 4214
  • Lurking
Re: Configuring to Block All Non-VPN Traffic
« Reply #12 on: February 06, 2013, 05:07:37 AM »
I'm using VPNCheck Pro myself, but I don't know if it fills your needs.
I support privacy and freedom online - eff.org

Offline stevefoobar

  • Newbie
  • *
  • Posts: 12
Re: Configuring to Block All Non-VPN Traffic
« Reply #13 on: February 07, 2013, 02:54:43 AM »
Perhaps it's the command you're using... See image (Normal user using RunAs Administrator)

The command to delete - in my example:

route delete 0.0.0.0 192.168.1.1

To add your VPN route:

route add <VPN IP> mask <net mask> <gateway IP> metric 1

route add 83.170.76.128 mask 255.255.255.255 192.168.1.1 metric 1


I've got this figured out and working finally.  Radaghast was pretty much right on the money but I've got lots more details.  I'll post tomorrow...too tired right now at almost 2:00 AM in Chicago.

Offline treefrogs

  • Comodo's Hero
  • *****
  • Posts: 550
  • Money.... it's a crime
Re: Configuring to Block All Non-VPN Traffic
« Reply #14 on: February 07, 2013, 03:04:19 AM »
I've got this figured out and working finally.  Radaghast was pretty much right on the money but I've got lots more details.  I'll post tomorrow...too tired right now at almost 2:00 AM in Chicago.

Thanks  :-TU
Windows 7 x64
CIS 6 - fully virtual/HIPS enabled
Virtual Dragon
Cyberfox

 
