Configuring to Block All Non-VPN Traffic

I have read on torrent and VPN forums that there is a way to easily configure Comodo firewall to only allow VPN traffic or conversely, to block all non-VPN traffic. This is very important since VPN connections ride “on top of” the normal Ethernet protocol and if they drop suddenly, the internet connection is still there and will now expose one’s IP address previously hidden while using the VPN service.

I’m completely new to Comodo. Are these posts correct and would someone please give me some quick pointers so that I can research this further?

Thanks!

I was interested in blocking all non-VPN connections using the FW.
I have temporarily given up on the idea as I could find no simple way ???
I have, however, blocked non-VPN access on a per-application level, i.e., browser, uTorrent, cloud storage, etc.
This guide was written for version 5xxx but still works well for the current version
http://www.bolehvpn.net/forum/index.php?topic=5798.0

In addition to the guide posted by treefrogs, here’s another - Prevent leaks with Windows & Comodo

Thanks guys. I’ll try some of these.

I was also reading about a possible way to do this without using any firewall. It does require making changes to the Windows routing table however and using command-line commands (netstat, ipconfig, etc.) to do so and many people won’t be comfortable with that. I started reading about it but can’t find good online documentation that goes into enough detail about the routing tables to feel comfortable making changes to them yet. This is probably the most secure way to make sure you won’t be able to connect without a VPN because if there isn’t a route in the routing table from your network interface to your router, it’s impossible to connect!

If you’re intending to route all Internet traffic over the VPN, the changes to the routing table are quite minimal. It basically consists of removing the default route 0.0.0.0 and replacing it with the VPN route. It’s only if you want to do different things for different NICs that it gets ‘interesting’.

Another consideration, if you have a router that supports it - or perhaps you can use dd-wrt or tomato firmware - you can create the VPN endpoint on the router.

I was hoping it was that simple but I tried to delete the entry and Windows XP Pro SP3 would not let me. Then I saw on some forum that Windows won’t let you delete entries it created, only those you manually create so I gave up at that point meaning to get back to it when I have time to do more research.

If I could simply modify (add/delete) entries in the Windows routing table as I use and stop using VPN on the particular PC in question, I would be perfectly happy with that if I can figure out how to do it. So in other words, when I want to use VPN, make whatever changes necessary to only route over VPN, then when I stop using VPN, change the table back to a “normal” state.

As for the router, I don’t have the luxury of using my router at this point because it’s running the native Linksys firmware and I don’t have the time to start experimenting with DD-WRT, Tomato, or some of the other firmware mods to turn it into a VPN router, as much as I would love to do that. Right now I have to be satisfied with a VPN client app running on each PC, which right now is just one PC anyway.

You should be able to change the routing table using an elevated command prompt, just use the RunAs option and select the Administrator account and password. (Or use the Admin account…)

SecurityKISS VPN makes this simple; you just enter into “Exclusive Tunneling” once the VPN connects and the software blocks the other connections (other than the VPN). ALL traffic then goes through the VPN and if it drops the VPN connection then there is no connection / traffic (until the user turns “Exclusive Tunneling” off).

(Just a suggestion to make things simple; not pushing anyone’s software [but COMODO’s , of course])

Interesting. Maybe I’ll try SecurityKISS VPN next month. I’m using Privacy Internet Access VPN right now and they have a VPN Kill Switch checkbox but I’m not at all confident they’ve implemented it correctly so I don’t trust it. I already had the VPN connection drop and it looked like the connection was still enabled so I quickly unplugged the network cable. That works every time. ;D

I’ve never heard of an “elevated command prompt” but if you mean run as an admin, I was logged in as an admin in Windows XP when I tried to delete the first line in the table and it gave me an error message (can’t recall exactly what it said right now). This is the line I believe I’m supposed to delete:

Destination   Netmask   Gateway       Interface       Metric
0.0.0.0       0.0.0.0   192.168.1.1   192.168.1.103   20

It would be good to be able to achieve this by modifying the routing tables.
I for one would be interested in doing this… if I knew how.

Perhaps it’s the command you’re using… See image (Normal user using RunAs Administrator)

The command to delete - in my example:

route delete 0.0.0.0 192.168.1.1

To add your VPN route (general form, then my example, which adds a host route to the VPN server via the LAN gateway):

route add <destination> mask <netmask> <gateway> metric 1

route add 83.170.76.128 mask 255.255.255.255 192.168.1.1 metric 1

[attachment deleted by admin]

I’m using VPNCheck Pro myself, but I don’t know if it fills your needs.

I’ve got this figured out and working finally. Radaghast was pretty much right on the money but I’ve got lots more details. I’ll post tomorrow…too tired right now at almost 2:00 AM in Chicago.

Thanks :-TU

OK…here goes…

Protect Your IP From Being Disclosed if Your VPN Connection Fails

The following steps will help assure that you do not accidentally expose your real IP address if your VPN connection drops. Normally if this were to happen, your real IP address would be exposed since your normal networking connection is still in place if the VPN connection is lost. There is no firewall or P2P monitor application needed. You only need to make relatively simple changes to your Windows routing table using simple commands. Although this looks like a lot of information, it’s really quite simple. I’m just being very thorough and very detailed. After doing it a few times, it will become second-nature!

Steps

Because I disabled my Wi-Fi adapter, I plugged in a network cable from my laptop to my router. Since I have my laptop set to use DHCP, a local IP and DNS addresses got assigned to the Ethernet adapter in my laptop. In my case, that was 192.168.1.107 because I choose to start my IP addresses at 100, which is just a personal preference. I have my Linksys router’s IP set to 192.168.1.1 which is pretty common. Just substitute your router’s IP address for mine (192.168.1.1) and your computer’s assigned IP address for mine (192.168.1.107) in the examples below.

I then opened a Windows command shell (Start, Run, cmd) and from within it typed route print to view the routing table. The first entry is what is called a “default route”, which all traffic that does not match a more specific destination is sent to. You can see my laptop’s IP address (Interface) and my router’s IP address (Gateway) in the entry which looks like this:

Network Destination   Netmask   Gateway       Interface       Metric
0.0.0.0               0.0.0.0   192.168.1.1   192.168.1.107   20

You don’t need to understand what the Netmask is or how to use network masks in general or what the Metric is, although you can certainly research these if you like.

Now start up your VPN client application. If it works like mine (http://PrivateInternetAccess.com located in Michigan, USA) it will create another entry in the routing table based on the IP address it is using for the server you happen to connect to. Now type route print again to view the new routing table. The first two lines should look something like this:

Network Destination   Netmask     Gateway       Interface       Metric
0.0.0.0               128.0.0.0   10.140.1.17   10.140.1.18     1
0.0.0.0               0.0.0.0     192.168.1.1   192.168.1.107   20

You will notice there are now two default routes—the original one for your network adapter and router as well as the new VPN route, which has its own Gateway and Interface IP addresses based on the server you connect to. Of course, your VPN service will have different IP addresses for these and may use a different Netmask as well. Since VPN is a protocol that rides on top of the normal networking protocol these table entries make sense. Once the VPN connection is established though and the correct routing table entry is made, the normal default route is not needed (second line). As a matter of fact, therein lies the problem. If the VPN connection drops (first line gets automatically deleted) the default route to your router (second line) remains and any connections in place via your P2P client or other connections will continue uninterrupted, which is what you don’t want when using a P2P client because that would expose your real IP address and DNS servers (more on DNS at the end of this tutorial).

To remedy this, you simply need to delete the default route to your router while the VPN connection is active. To do this, within the command shell window, simply type route delete 0.0.0.0 192.168.1.1 and then type route print again to verify that the “normal” default route has been deleted and only the VPN route remains (along with several other routes below the VPN route that should not affect what we are doing).

The final “feel good” test would be to now open up your P2P client and start downloading something legal and large enough to take a few minutes to test, just in case you did something wrong and your real IP gets exposed briefly. I would not recommend downloading the latest Blu-Ray release of a big box office movie!

Once you start seeing the file downloading and possibly uploading, go to your VPN client application (usually in the system tray area) and disconnect from the VPN server. You should notice that all your downloads and uploads stop. If you use http://uTorrent.com, don’t be confused if the timers in the Peers column are still counting down or if the DHT and PEX entries still say “working”. I presume this is either a bug or just the way they designed uTorrent, since even if you physically unplug your network cable or turn off your Wi-Fi adapter, you will notice the counters still count down and the DHT and PEX entries still say “working”!

To get your VPN connection working again, you can’t just simply reconnect to your VPN because remember you deleted the default route to your router that the VPN needs initially to connect to its server. You will need to add the default route back to the routing table BUT FIRST SHUT DOWN YOUR P2P APPLICATION COMPLETELY! There are several easy ways to add the default route back:

  • Disconnect and reconnect your network cable if you are connected that way or disable, then re-enable your Wi-Fi adapter if you are connected that way. Either should automatically recreate the default route to your router.

  • Within a command window, type ipconfig /release then ipconfig /renew. This sometimes works and sometimes doesn’t in my experience.

  • Within a command window, manually recreate the entry by typing route add 0.0.0.0 mask 0.0.0.0 192.168.1.1 [metric 1 if 2]. The parts in brackets are optional and shouldn’t be needed unless you want to change the metric (number of hops) for some reason or want to use a specific device (the number after the “if”) other than your normal network adapter. Windows will pick the best metric (usually 1) and the best network adapter automatically. If you want to see how your network adapters are numbered (in hex) then just look at the first few lines in the route print output which will look something like this:

Interface List
0x1 . . . . . . . . . . . . . . . . . . . . . . MS TCP Loopback interface
0x2 . . . 00 C3 D5 35 7B 24 . . . . . Sis 900-Based PCI Fast Ethernet Adapter – Packet Scheduler Miniport
0x3 . . . 00 78 FC A9 FE 38 . . . . . .TAP-Win32 Adapter V9 – Packet Scheduler Miniport

In the above, my normal network device is device #2 (0x2). My VPN client application “device” is #3 (0x3).

Once you add the default route back, try reconnecting to your VPN server. If it doesn’t reconnect you may need to terminate then restart the VPN client application. Once you confirm it’s reconnected, go back and repeat the above steps starting with the step to delete the default route to your router.

Again, once you have a stable VPN connection working, you don’t want the default route still in the routing table. After you verify there is just the VPN route in the table (route print), it’s safe to restart your P2P application.

Final Notes

Creating Simple Batch Scripts

If you like, you can easily create tiny batch files so you don’t have to type these commands over and over. I created three batch scripts named rprint.bat, rdelete.bat, and radd.bat. To create each one, use the built-in shell editor (edit rprint.bat for example). The first script contains the line “route print”. The second script contains the lines “route delete 0.0.0.0 192.168.1.1” and “route print”. The third contains the lines “route add 0.0.0.0 mask 0.0.0.0 192.168.1.1” and “route print”. To run these batch script files from a command prompt window, type either rprint, rdelete, or radd. Note that if you are using a different command prompt window (like the PowerShell below for example) you may have to add a “.\” in front of each command when you want to run them (.\rprint for example).

Windows Command Shell

The built-in Windows XP (which is what I’m using) command shell window is very basic and sometimes difficult to read because of word wrapping. A much nicer Windows shell can be downloaded for free from Microsoft. I don’t know if this applies to Windows 7 and 8 or not. This search on the Microsoft Download Center page will produce versions you can look through http://www.microsoft.com/enus/download search.aspx?q=windows+powershell

DNS Leaks

In addition to the possibility of exposing one’s real IP address (i.e. the IP address your ISP assigns to you on a frequent basis) you need to be concerned with a phenomenon of VPN usage called DNS Leaking. There are some VPN services that claim they take steps to assure this doesn’t happen. Depending on how safe you want to feel, there are things you can do manually to make sure that even if your DNS servers get leaked, they won’t point back to you or even the area you are in.

The two steps I took were to first find the DNS server addresses that my VPN provider uses or prefers. Once I knew this, I manually typed them into the DNS fields of the TCP/IP VPN connection created in my Network Connections area by the VPN client application. I won’t go into the details of how to do that here but it’s very easy. In my case, http://PrivateInternetAccess.com uses 4.2.2.1 and 4.2.2.2 as their DNS servers. Next, to be absolutely sure my DNS wouldn’t get leaked by accident, I changed my preferred ISP DNS servers to generic ones within my router (which then, of course, gets used by all computers on my network that have DHCP turned on), since I don’t want anyone to know what ISP I’m using. There are lots of choices for other DNS servers and two very popular ones are Google (8.8.8.8, 8.8.4.4) and OpenDNS (208.67.222.222, 208.67.220.220, 208.67.222.220, 208.67.220.222).

IMPORTANT: If your router has more than two entries for DNS servers make sure to fill them all up even if you have to duplicate the server numbers. If you leave any blank, your router may pick up your ISP DNS numbers for those blank entries and assign them as DNS3, DNS4, etc.

Final Caution

Obviously, this technique involves multiple steps every time you want to use your VPN service and as such is prone to “pilot error”. The most important thing you can do is always double check to make sure the normal route to your router has been deleted before you start up your P2P client, and always make sure you shut down your P2P client after a VPN disconnection before starting everything back up again. Furthermore, keep in mind that Windows will recreate the default route automatically if you reboot the machine, unplug then re-plug your network connection, or disable then re-enable your Wi-Fi or other networking connection.

Disclaimer

Of course, I’m not encouraging illegal activity and I can’t guarantee that any of this information will work 100% of the time to keep you from being exposed.

Contact Info

Feel free to contact me if you need further info or if you find problems in these steps.
chewy3479[at]tormail.org

Happy secure downloading!
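The route-table kill switch from the post above (and the route delete / route add pair Radaghast posted earlier in the thread) as an added PowerShell example. This is not the poster's rprint/rdelete/radd batch files, not Radaghast's commands and not any VPN vendor's code. It assumes Windows 8 / Server 2012 or later, where the NetTCPIP cmdlets (Get-NetRoute, Remove-NetRoute, New-NetRoute) exist, so it will not run on the XP machine the poster used; it also assumes the VPN client brings up a TAP-style adapter whose description contains "TAP" and installs its own default route over it, either 0.0.0.0/0 or the 0.0.0.0/1 + 128.0.0.0/1 pair the post's route print shows. The server address 83.170.76.128 is reused from Radaghast's example purely as a placeholder; the function names are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not the thread's batch files or any vendor's code): an IPv4 route-table
# kill switch for Windows 8 / Server 2012 and later using the NetTCPIP cmdlets.
# Assumptions: the VPN adapter description matches $VpnAdapterPattern and the VPN client
# owns a default route over it (0.0.0.0/0, or OpenVPN's 0.0.0.0/1 + 128.0.0.0/1 pair).

$VpnAdapterPattern  = '*TAP*'
$VpnDefaultPrefixes = @('0.0.0.0/0', '0.0.0.0/1', '128.0.0.0/1')

function Get-VpnInterfaceIndex {
    $vpn = Get-NetAdapter | Where-Object {
        $_.InterfaceDescription -like $VpnAdapterPattern -and $_.Status -eq 'Up'
    } | Select-Object -First 1
    if (-not $vpn) { throw "No VPN adapter matching '$VpnAdapterPattern' is up; connect the VPN first." }
    $vpn.ifIndex
}

# Every IPv4 default route that does NOT go over the VPN adapter is a leak path.
function Get-LeakRoutes {
    param([int]$VpnIfIndex)
    Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
        Where-Object { $_.InterfaceIndex -ne $VpnIfIndex }
}

function Enable-RouteKillSwitch {
    param([Parameter(Mandatory)][string]$VpnServer)   # public IP of the VPN server, e.g. 83.170.76.128
    $vpnIf = Get-VpnInterfaceIndex

    # Refuse to cut the physical default route unless the tunnel really owns one;
    # otherwise we would simply take the machine offline.
    $tunnelDefault = Get-NetRoute -AddressFamily IPv4 -InterfaceIndex $vpnIf -ErrorAction SilentlyContinue |
        Where-Object { $VpnDefaultPrefixes -contains $_.DestinationPrefix }
    if (-not $tunnelDefault) { throw "VPN adapter $vpnIf carries no default route; is the tunnel up?" }

    foreach ($r in Get-LeakRoutes -VpnIfIndex $vpnIf) {
        # Keep a /32 to the VPN server via the physical gateway so the client can reconnect
        # later without the default route (the 'you can't just reconnect' step in the post).
        $existing = Get-NetRoute -DestinationPrefix "$VpnServer/32" -ErrorAction SilentlyContinue
        if (-not $existing) {
            New-NetRoute -DestinationPrefix "$VpnServer/32" -InterfaceIndex $r.InterfaceIndex `
                -NextHop $r.NextHop -RouteMetric 1 -PolicyStore ActiveStore | Out-Null
        }
        Write-Host "Removing default route via $($r.NextHop) on ifIndex $($r.InterfaceIndex)"
        Remove-NetRoute -DestinationPrefix '0.0.0.0/0' -InterfaceIndex $r.InterfaceIndex `
            -NextHop $r.NextHop -Confirm:$false
    }
    Test-RouteKillSwitch
}

# Put the physical default route back (what the poster's radd.bat does).
function Disable-RouteKillSwitch {
    param([Parameter(Mandatory)][int]$InterfaceIndex,
          [Parameter(Mandatory)][string]$Gateway)     # e.g. 192.168.1.1
    New-NetRoute -DestinationPrefix '0.0.0.0/0' -InterfaceIndex $InterfaceIndex `
        -NextHop $Gateway -PolicyStore ActiveStore | Out-Null
    Test-RouteKillSwitch
}

# Leaking = $true means packets can still reach the Internet outside the tunnel.
# DnsServers lists what each interface would resolve with; the physical adapter should
# point at the VPN's resolvers or a neutral one, not the ISP's (see the DNS Leaks section).
function Test-RouteKillSwitch {
    try { $vpnIf = Get-VpnInterfaceIndex } catch { $vpnIf = -1 }
    $leaks = @(Get-LeakRoutes -VpnIfIndex $vpnIf)
    $dns = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        ForEach-Object { "$($_.InterfaceAlias): $($_.ServerAddresses -join ', ')" }
    [pscustomobject]@{
        VpnInterfaceIndex = $vpnIf
        Leaking           = ($leaks.Count -gt 0 -or $vpnIf -eq -1)
        LeakGateways      = @($leaks | ForEach-Object { "$($_.NextHop) (ifIndex $($_.InterfaceIndex))" })
        DnsServers        = @($dns)
    }
}

# Usage, once the VPN client reports it is connected:
#   Enable-RouteKillSwitch -VpnServer 83.170.76.128
#   Test-RouteKillSwitch          # re-run after any link flap or DHCP renewal
#   Disable-RouteKillSwitch -InterfaceIndex 2 -Gateway 192.168.1.1
```

The same caveat the poster gives applies here: the DHCP client reinstalls the physical default route on a lease renewal or a cable/Wi-Fi flap, so Test-RouteKillSwitch has to be re-run rather than trusted once. A firewall policy that permits only the VPN adapter plus the VPN client's own connection to the server IP (the per-application approach treefrogs described with Comodo) does not have that failure mode and is the more durable option.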

An excellent guide, thanks for taking the time to create this. One thing you might like to add, you can add persistent routes to your routing table, which should negate the need to add the VPN routes each time. Just use:

route -p add…

It writes a registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes

And should survive reboots.

With regard to PowerShell, it’s standard issue on Windows 7 and Windows 8. In fact, with Windows 8, tools like netsh have been deprecated, so it’s now the preferred way of performing command line administration.

We could really do with a place for ‘stickies’ and this should be one…

Thanks Radaghast! Yes, I didn’t want to get into persistent routes because I thought they would be a little more dangerous for people that aren’t really familiar with this level of operating system manipulation. My VPN Client app inserts the correct routing table entry every time so I don’t have to do that manually. I only have to delete and add my default route manually–no biggie with a small script.

I took the time to type all this up because I also posted it to other forums where people were having the same concerns and questions about how to do this over and over again with mostly incorrect information being posted by others.

Yes, I know what you mean about stickies in this forum. In general I’ve noticed this forum application isn’t so great compared to many others I’ve used.

P.S. I neglected to mention one last security measure, although I admit to not knowing WHY it’s a security risk, especially in Windows XP. I went into each network device’s settings (Wi-Fi, Ethernet, VPN) and uninstalled the IPv6 protocol as I’ve read it’s highly recommended to do so.

It really depends on the VPN provider. OpenVPN 2.3 and above fully supports IPv6 but not all VPN providers have updated their environments. Basically, check with the provider.

As far as why, it will also depend on your environment. If you get both IPv4 and IPv6 from your ISP (dual stack) unless you can also route the IPv6 packets via the VPN, they’re prone to leaking. This may also be a problem with IPv6 tunnelling (teredo, 6to4, 6in4 etc.) If you don’t have dual stack and you’ve disabled tunnelling, it shouldn’t be an issue.
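An added PowerShell example that audits the IPv6 leak paths Radaghast describes (dual-stack addresses and default routes outside the tunnel, plus Teredo/6to4/ISATAP transition interfaces) and disables them with the supported cmdlets rather than uninstalling the protocol as the earlier post did. This is not Radaghast's or the original poster's code and not any vendor's tooling; it assumes Windows 8 / Server 2012 or later and a VPN adapter whose description contains "TAP", and the function names are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread's authors or any vendor): find and close the IPv6
# leak paths discussed above. Assumes the VPN adapter description matches $VpnAdapterPattern.

$VpnAdapterPattern = '*TAP*'

function Test-IPv6Leak {
    $vpn = Get-NetAdapter | Where-Object {
        $_.InterfaceDescription -like $VpnAdapterPattern -and $_.Status -eq 'Up'
    } | Select-Object -First 1
    $vpnIf = if ($vpn) { $vpn.ifIndex } else { -1 }

    # Dual stack from the ISP: a routable IPv6 address (not link-local/loopback, whose
    # PrefixOrigin is WellKnown) on an interface other than the tunnel.
    $globalV6 = @(Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object { $_.PrefixOrigin -ne 'WellKnown' -and $_.InterfaceIndex -ne $vpnIf })

    # An IPv6 default route that bypasses the tunnel entirely.
    $v6Default = @(Get-NetRoute -AddressFamily IPv6 -DestinationPrefix '::/0' -ErrorAction SilentlyContinue |
        Where-Object { $_.InterfaceIndex -ne $vpnIf })

    # Does the provider push IPv6 through the tunnel at all? (Only checked when the VPN is up.)
    $vpnV6Default = $false
    if ($vpn) {
        $vpnV6Default = [bool](Get-NetRoute -AddressFamily IPv6 -DestinationPrefix '::/0' `
            -InterfaceIndex $vpnIf -ErrorAction SilentlyContinue)
    }

    # Transition tunnels wrap IPv6 in IPv4 and leave via whatever IPv4 route exists,
    # i.e. straight past the VPN whenever the physical default route is present.
    $tunnels = @(Get-NetAdapter -IncludeHidden | Where-Object {
        $_.InterfaceDescription -match 'Teredo|6to4|ISATAP' -and $_.Status -eq 'Up' })

    [pscustomobject]@{
        VpnInterfaceIndex  = $vpnIf
        VpnHasIPv6Default  = $vpnV6Default
        GlobalIPv6Outside  = @($globalV6  | ForEach-Object { "$($_.InterfaceAlias): $($_.IPAddress)" })
        IPv6DefaultOutside = @($v6Default | ForEach-Object { "$($_.InterfaceAlias) via $($_.NextHop)" })
        ActiveTunnels      = @($tunnels   | ForEach-Object { $_.Name })
        Leaking            = (($globalV6.Count -gt 0 -and $v6Default.Count -gt 0) -or $tunnels.Count -gt 0)
    }
}

# Close the paths: stop the transition technologies machine-wide and unbind IPv6 from the
# named physical adapters. The VPN adapter is deliberately left alone so a provider that
# does route IPv6 (OpenVPN 2.3+ as noted above) keeps working.
function Disable-IPv6LeakPaths {
    param([Parameter(Mandatory)][string[]]$PhysicalAdapterNames)   # e.g. 'Ethernet', 'Wi-Fi'
    Set-NetTeredoConfiguration -Type Disabled
    Set-Net6to4Configuration   -State Disabled
    Set-NetIsatapConfiguration -State Disabled
    foreach ($name in $PhysicalAdapterNames) {
        Disable-NetAdapterBinding -Name $name -ComponentID ms_tcpip6 -Confirm:$false
    }
    Test-IPv6Leak
}

# Usage:
#   Test-IPv6Leak                                   # inspect before touching anything
#   Disable-IPv6LeakPaths -PhysicalAdapterNames 'Ethernet', 'Wi-Fi'
```

If the provider does not support IPv6 (as the poster found), the unbind is the right call for the physical adapters; if it does, keep IPv6 bound on the TAP adapter and only confirm that VpnHasIPv6Default is true and IPv6DefaultOutside is empty while connected.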

I see…very interesting. I’ll have to inquire on the VPN site but I doubt they support IPv6. Thanks.

P.S. Just checked…they don’t support it yet.