Tuesday 24 December 2019

vpn - How to safeguard PPTP connection - Windows 7?


There is a computer connecting to a VPN. The network should remain offline if the machine can't reconnect to the VPN. It should never use the normal connection, only the VPN one.


Is there a way to set this behaviour up?
The machine is used locally, so there is no need to reach it from the network or anything.


Client OS: Windows 7 Professional x64 SP1



Answer



This can be achieved by configuring a firewall to allow only connections to the VPN provider's IP and/or the TCP port 1723 and the UDP port 47.


If you're using several VPN providers, port-based blocking is easier. If not, IP-based blocking is more secure. In any case, you can use both.


For example, you can configure Windows Firewall to do this:


  1. Let's assume you're using superfreevpn.com (69.60.121.29).

  2. Connect to the Internet and your VPN.

  3. Press Win + R and execute control /name Microsoft.NetworkandSharingCenter.

  4. In View your active connections, click the link Home/Work/Public Network below your Internet connection and choose Public network.

  5. In View your active connections, click the link Home/Work/Public Network below your VPN connection and choose Work network.

  6. Press Win + R and execute WF.msc.

  7. In Windows Firewall with Advanced Security on Local Computer, click Action, then Properties, go to the Private Profile tab and set the following:

     Firewall state:       On (recommended)
     Inbound connections:  Block all connections
     Outbound connections: Allow (default)

  8. Port-based

     • In Outbound Rules, click Action, then New Rule... and select the following:

       Port
       TCP
       Specific remote ports: 1-1722, 1724-65535
       Block the connection
       Public
       Public TCP

     • In Outbound Rules, click Action, then New Rule... and select the following:

       Port
       UDP
       Specific remote ports: 1-46, 48-65535
       Block the connection
       Public
       UDP

     IP-based

     • In Outbound Rules, click Action, then New Rule... and select the following:

       Custom
       All programs
       Any
       Any IP address
       These IP addresses
       Add
       This IP address range -> From: 0.0.0.0 To: 69.60.121.28
       Add
       This IP address range -> From: 69.60.121.30 To: 255.255.255.255
       Block the connection
       Public
       Non-VPN

  9. Since we've blocked all non-VPN DNS queries now, superfreevpn.com won't get resolved.

     Either modify your VPN connection by replacing the hostname by its IP, or add the following line to %windir%\system32\drivers\etc\hosts:

     69.60.121.29    superfreevpn.com


Loosely adapted from How to configure firewall such that when VPN disconnects, all browsing stops.
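The procedure above, as an added example that is not part of the original answer: a PowerShell script for Windows 7 that builds the same "outbound only through the VPN" policy with netsh advfirewall (the New-NetFirewallRule cmdlets need Windows 8 or later, so the stock Windows 7 PowerShell 2.0 cannot use them). It takes the default-deny route rather than the answer's block-everything-else ranges: the Public profile, which carries the Internet adapter, drops all outbound traffic except the PPTP control channel (TCP 1723) and the PPTP data channel (GRE, IP protocol 47, which Windows Firewall matches by protocol number rather than as a UDP port) to the VPN server, while the Private profile, which carries the VPN adapter, keeps outbound open. The server 69.60.121.29 and hostname superfreevpn.com are the answer's own example values; the rule-name prefix PPTP-KillSwitch is an assumption of this example.

```powershell
# Added example, not code from the original answer: a PPTP "kill switch" for
# the Windows 7 built-in firewall driven through netsh advfirewall.
#
# Assumptions: the VPN server is 69.60.121.29 / superfreevpn.com (the answer's
# example values), the Internet adapter is on the Public profile and the PPTP
# adapter is on the Private (Work) profile, as steps 4 and 5 set them up.
# The rule-name prefix is this example's own choice.
param(
    [string]$VpnServerIp = '69.60.121.29',
    [string]$VpnHostName = 'superfreevpn.com',
    [string]$RulePrefix  = 'PPTP-KillSwitch'
)

# Refuse to run without elevation; firewall changes fail without it.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell prompt.'
}

function Invoke-Netsh {
    # Thin wrapper: echo each netsh call and stop on the first failure.
    param([string[]]$Arguments)
    Write-Host "netsh $($Arguments -join ' ')"
    & netsh.exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh failed: $($Arguments -join ' ')" }
}

# 1. Remove earlier copies of our rules so the script is safe to re-run
#    (delete returns non-zero when the rule does not exist, so it is not checked).
foreach ($suffix in 'Control', 'GRE') {
    & netsh.exe advfirewall firewall delete rule name="$RulePrefix-$suffix" | Out-Null
}

# 2. Allow only the PPTP control channel (TCP 1723) and the PPTP data channel
#    (GRE, IP protocol 47 - a protocol number, not a TCP/UDP port) to the VPN
#    server on the Public profile. Everything else on Public is denied by step 3.
Invoke-Netsh @('advfirewall', 'firewall', 'add', 'rule',
    "name=$RulePrefix-Control", 'dir=out', 'action=allow', 'profile=public',
    'protocol=TCP', 'remoteport=1723', "remoteip=$VpnServerIp")
Invoke-Netsh @('advfirewall', 'firewall', 'add', 'rule',
    "name=$RulePrefix-GRE", 'dir=out', 'action=allow', 'profile=public',
    'protocol=47', "remoteip=$VpnServerIp")

# 3. Default-deny on the Public profile (Internet adapter): outbound traffic not
#    matched by an allow rule is dropped, so when the tunnel drops nothing can
#    fall back to the bare connection.
Invoke-Netsh @('advfirewall', 'set', 'publicprofile', 'firewallpolicy', 'blockinbound,blockoutbound')

# 4. The Private profile carries the VPN adapter: inbound is blocked entirely
#    (the machine is only used locally), outbound stays open through the tunnel.
Invoke-Netsh @('advfirewall', 'set', 'privateprofile', 'firewallpolicy', 'blockinboundalways,allowoutbound')

# 5. DNS over the Public side is now blocked, so pin the VPN hostname locally
#    (same purpose as the answer's hosts-file step); skipped if already present.
$hosts   = Join-Path $env:windir 'System32\drivers\etc\hosts'
$pattern = "^\s*$([regex]::Escape($VpnServerIp))\s+$([regex]::Escape($VpnHostName))\s*$"
if (-not (Select-String -Path $hosts -Pattern $pattern -Quiet)) {
    Add-Content -Path $hosts -Value "$VpnServerIp`t$VpnHostName"
}

# 6. Show what is now in force so the result can be checked by eye.
netsh.exe advfirewall show publicprofile
netsh.exe advfirewall show privateprofile
netsh.exe advfirewall firewall show rule name="$RulePrefix-Control"
netsh.exe advfirewall firewall show rule name="$RulePrefix-GRE"
```

Run it from an elevated prompt once steps 4 and 5 have placed the adapters on the right profiles, and check the result with netsh advfirewall show allprofiles. The policy is bound to the Public profile, so it stops applying if Windows later reclassifies the Internet adapter as Home or Work; after any network change it is worth confirming the adapter is still marked Public.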

