Configuring to Block All Non-VPN Traffic

Thanks also for the guide and your time :slight_smile:
I’m learning all the time thanks to you guys :-TU
I am gonna try and implement this on my system sometime over this wkend
I’ll update as to how I get on…

You are quite welcome. I’m quite certain it will work if not exactly as outlined then very close. :slight_smile:

I tested the method pretty extensively after I read this excellent article(SecurityKiSS VPN with Free plan) at SecurityKiss’s website
All I found after the tests is that CPF actually works better for that.

On XP, the deleted default route came back very often after VPNs dropped.
The things seemed to have improved with Windows 7 and 8 (I didn’t test it so often on them!), but I still saw it come back sometimes, like when I connected a VPN without switching my IP from DHCP to Static.

Plus, the method didn’t work for a DNS leak anyway!

OTOH, CPF never failed to prevent those leaks when VPNs dropped.

AirVPN’s website has an excellent guide for it(AirVPN - Security check).

I’m not sure you need all of them, as I only use rules 8 & 10 and they work perfectly!
(I use a VPN for just anonymous surfing, which might be reason, though…)

BTW, speaking of an IP leak…,

I made this post(https://forums.comodo.com/comodo-trustconnect-ctc/true-ip-detected-by-https-t81597.0.html) just a year ago.

I found my true IP was detected at those HTTPS based ip check websites because I had OpenVPN and Hotspot Shield installed on my PC…

A possible problem that may have been prevented by the addition of a low metric for the VPN route and also disabling Automatic metric in the OS.

Plus, the method didn't work for a DNS leak anyway!

Did you disable the DNS client service and manually specify the preferred DNS servers?

OTOH, CPF never failed to prevent those leaks when VPNs dropped.

AirVPN’s website has an excellent guide for it(AirVPN - Security check).

CIS does very well with the right configuration and AirVPN are very good providers.

I'm not sure you need all of them, as I only use rules 8 & 13 and they work perfectly! (I use a VPN for just anonymous surfing, which might be the reason, though....)

You don’t need all, just those for your environment. There are also quite a few variations on those rules.

BTW, speaking of an IP leak...,

I made this post(https://forums.comodo.com/comodo-trustconnect-ctc/true-ip-detected-by-https-t81597.0.html) just a year ago.

I found my true IP was detected at those HTTPS based ip check websites because I had OpenVPN and Hotspot Shield installed on my PC…

I’ve not seen any issues with OpenVPN installed, however, I’ve never used Hotspot Shield…

Thanks for the links Katelee…there is some good info here.

Radaghast,
Thanks for the reply.

I’m no techie and so not sure what you mean, but if you are talking about SecurityKiss’s method to delete a default route, I think it uses the interface ID, instead of the metric, to specify an intended adapter.

I’m not sure about it, too, but would you please tell me how to “disable Automatic metric in the OS”?

I don’t think it’s a good idea.

This will cause an IP leak if the deleted route has been already restored when a VPN drops, which actually happened during my test.

I think you might as well use #5 in solution B here(http://www.dnsleaktest.com/how-to-fix-a-dns-leak.php), instead.
(For XP, use “1.1.1.1” or “none”, instead of “0.0.0.0”.)

Anyway, I think, we still need CPF to prevent a deleted default route from being restored.

I read somewhere that, if you unplug your LAN cable, wait for 10-20 secs, and then plug it in, your ip table will be renewed and the deleted route will be restored.

In fact, SecurityKiss’s OpenVPN client will delete it whenever a deleted route is restored.

Unfortunately, when I saw it happen last summer, 6 months ago, I was easily able to cause an IP leak for a couple of secs, between when I plugged my LAN cable in and when the client finished deleting the route.

I know, I know… I had better not use it!

But, I’m really cheap and I don’t want to pay anything for my Internet security solutions, including VPN services, and love free stuff(, which is why I love Comodo! ;)).

The free version of CTC is kind of slow, while HS is pretty fast lately and I don’t see any drop in speed while using it.

So, HS had been my default VPN solution for 5-6 yrs and I had used CTC for online shopping only, until I found it out…

BTW, HS is an OpenVPN-based VPN and, I heard, it also installs some kind of a proxy to inject ads into web pages, which seems to confuse network traffic from other OpenVPN services.

I played around with disabling/uninstalling Hotspot Shield’s Tap adapter and driver.
And then, I sometimes connected to Hotspot Shield’s VPN while using CTC and vice versa…

Steve,
Thanks for the reply.

I’m sorry if you felt I tried to hijack your thread.

I just wanted you to read my old thread, as I visited the forum of your VPN service and saw a member saying s/he installed Hotspot Shield, Spotflux and Cyberghost on the PC and so was wondering if you could ask this person to go to https://www.whatismyip.com and see what happens…

Thanks again for this guide
I have successfully modified my routing table for only VPN.

I found the SecurityKISS link http://www.securitykiss.com/resources/articles/exclusive_tunneling/ was pretty useful also.
Although Yours is the first guide of this type that I have seen, despite looking! I suspect it may have “legs”
:-TU :-TU

AWESOME! Glad it worked. Make sure you cover the DNS leakage issue also. It’s almost as bad a problem as IP exposure. I’m always amazed that these “small” VPN companies being so technical suck so much at providing proper documentation. It’s completely pointless to pay for a VPN service if you don’t have solutions for these two problems and they don’t seem to care. Worse, they are providing a false sense of security for people who use their services in some cases.

One other command that’s sometimes useful is route -f which does a complete flush of the routing table back to defaults, after which you would typically have to do the route add 0.0.0.0 mask 0.0.0.0 192.168.1.1 command to get your default route back. Normally the OS does a pretty good job of managing the table all on its own though, since the routing table is an automatic reflection of what’s physically happening in the computer (VPN clients starting and stopping, Ethernet cables being plugged and unplugged, Wi-Fi being enabled and disabled, etc.).

I hope my detailed explanation and instructions goes viral! ;D
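The leak the thread keeps coming back to is a default route via the LAN gateway reappearing in the routing table while the VPN is up (or after it drops). Below is an added example, not code from the thread or from any VPN vendor: it parses the IPv4 table from a constructed `route print` dump and reports any 0.0.0.0/0 route that still points at the LAN gateway rather than at the tunnel, plus which default route currently wins on metric. The gateway addresses (192.168.1.1 for the LAN, 10.8.0.5 for the tunnel) are constructed sample values.

```python
"""Check a Windows `route print` dump for a default route that bypasses the VPN tunnel.

Added example (not from the forum thread). Input is constructed sample output;
on a real machine you would feed it the text of `route print -4`.
"""
import re

# Constructed sample: the VPN client has added its own default route (metric 1),
# but the LAN default route has come back, which is the leak case discussed above.
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.10     25
          0.0.0.0          0.0.0.0         10.8.0.5        10.8.0.6      1
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
      192.168.1.0    255.255.255.0         On-link      192.168.1.10    281
===========================================================================
"""

# dest, netmask, gateway (an address or "On-link"), interface address, metric
ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_routes(text):
    """Return (destination, netmask, gateway, interface, metric) tuples from route print output."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            routes.append((dest, mask, gw, iface, int(metric)))
    return routes


def default_routes(routes):
    """Only the 0.0.0.0/0 entries; these decide where non-local traffic goes."""
    return [r for r in routes if r[0] == "0.0.0.0" and r[1] == "0.0.0.0"]


def winning_default_route(routes):
    """The default route the OS prefers right now: lowest metric wins."""
    candidates = default_routes(routes)
    return min(candidates, key=lambda r: r[4]) if candidates else None


def leaking_default_routes(routes, lan_gateway):
    """Default routes via the physical LAN gateway; these carry traffic once the tunnel route is gone."""
    return [r for r in default_routes(routes) if r[2] == lan_gateway]
```

A non-empty result from `leaking_default_routes` is the condition the thread's "deleted default route came back" posts describe: the tunnel route wins only while it exists, so the LAN route should be absent, not merely out-ranked.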

The metric is simply a value assigned to a link based on such things as speed of the link, latency, hop count etc. Typically, the lower the metric the more likely the interface will be used.

As far as where to find it:

  1. Open the properties of the network adapter
  2. Select IPv4
  3. Select Properties
  4. On the General page select Advanced
  5. Under Default Gateways select Add
  6. Disable the check box

I don't think it's a good idea.

This will cause an IP leak if the deleted route has been already restored when a VPN drops, which actually happened during my test.

I think you might as well use #5 in solution B here(http://www.dnsleaktest.com/how-to-fix-a-dns-leak.php), instead.
(For XP, use “1.1.1.1” or “none”, instead of “0.0.0.0”.)

It’s the same thing. It’s simply ensuring the only DNS servers available are those of the VPN provider.

Anyway, I think, we still need CPF to prevent a deleted default route from being restored.

Nothing wrong with having some extra protection.

I read somewhere that, if you unplug your LAN cable, wait for 10-20 secs, and then plug it in, your ip table will be renewed and the deleted route will be restored.

In fact, SecurityKiss’s OpenVPN client will delete it whenever a deleted route is restored.

Unfortunately, when I saw it happen last summer, 6 months ago, I was easily able to cause an IP leak for a couple of secs, between when I plugged my LAN cable in and when the client finished deleting the route.

I know, I know… I had better not use it!

I guess you could always configure the default network card with a static IP address and leave the gateway empty…

But, I'm really cheap and I don't want to pay anything for my Internet security solutions, including VPN services, and love free stuff(, which is why I love Comodo! ;)).

The free version of CTC is kind of slow, while HS is pretty fast lately and I don’t see any drop in speed while using it.

So, HS had been my default VPN solution for 5-6 yrs and I had used CTC for online shopping only, until I found it out…

BTW, HS is an OpenVPN-based VPN and, I heard, it also installs some kind of a proxy to inject ads into web pages, which seems to confuse network traffic from other OpenVPN services.

I played around with disabling/uninstalling Hotspot Shield’s Tap adapter and driver.
And then, I sometimes connected to Hotspot Shield’s VPN while using CTC and vice versa…

Free is always good :slight_smile:

Radaghast,
Thanks for the tip.

I entered the IP address of my default gateway in “Gateway” and ‘1’ in “Metric” but it didn’t work on XP(, I mean, the deleted route still came back).

Am I doing something wrong here?

IMO, they are Not the same

Dnsleaktest’s solutions not only force your VPN’s DNS servers to be used, without your providing the DNS server addresses, but also “partly” prevent an IP leak.

I said “partly” because, while using the fix, I got the ping to respond with “connect” after my VPN drops, but yet, I couldn’t load any pages and download anything.

So, I am assuming that it would save us from an IP leak in case a deleted route comes back, to some extent…

OTOH, if you assign an IP of a “real” DNS(, instead of one of a “fantasy” DNS), as Steve’s method tells you to do, it will cause an IP leak when a VPN drops and a deleted route has been already restored…

Yes, in order for the “DNS leak fix” (and Steve’s “IP leak fix”) to work properly, you do absolutely need to switch to a static IP address before connecting to a VPN.

As for the gateway IP addresses, I’m not sure if “1.1.1.1” is some fantasy address or not, as “0.0.0.0” of “Network destination” in a route table refers to “any IP”, but it is the address that VPNCheck’s website suggests.

Anyway, the empty address(“none”) works just fine and it is actually the address “Solution A” on dnsleaktest.com uses for #5 in “Solution B”.

As I mentioned in the previous post, as far as I observed in my tests, using CPF(CFP? I mean, Comodo Firewall) is much more effective in terms of blocking those leaks and, I think, it is sufficient.

I know that the guide on AirVPN’s website looks fairly intimidating to many of you.
However, it actually took me only 20 mins to finish the configurations.

Plus, I use only three of AirVPN’s rules: 6) block all traffic (I forgot this in my previous post); 8) allow traffic to/from my TAP adapter; and 3) allow traffic to/from my VPN.

I don’t know why they need the other rules(, as I don’t know what the meanings of them are ;)…)
I guess the rules for those who live in a country like China or UAE or those who do P2P.
(Actually, I don’t view a stream video via VPN, which, I assume, many VPN users enjoy, but I doubt those who do need the rules…)

Anyway, those three rules alone work really great for my VPN use(browsing the net, checking my emails, and downloading files).
Also, in this rule set, the fewer rules, the more protection, right?

Having said that, I use both the firewall method and Steve’s method to secure my VPN connections.

While the firewall method is more effective, I feel Steve’s method is more appropriate.
I mean, when a VPN drops, the ping response with Steve’s method is “Destination Host Unreachable”, while with the firewall method it is “Request timed out”.

Plus, I don’t see any negative impact on the performance of my VPN, such as speed, by using both.
(As a matter of fact, I’m too lazy to use the protections these days and so I can’t confirm that now, though ;D.)

So, I use Steve’s method as the primary protection against IP and DNS leaks, while I regard the firewall method as a means of keeping a deleted default route from being restored…

Well, I think I got hacked while connecting to a free VPN at g*sv.com :-[(, which was actually when I was writing my last post…).

edited - censored the site name and added ‘*’ just in case…