There is a computer connecting to a VPN. The network should remain offline, if the machine can't reconnect to the VPN. It should not ever use the normal connection. Only the VPN one.
Is there a way to set this behaviour up?
The machine is used locally, so there is no need to reach it from the network or anything.
Client OS: Windows 7 Professional x64 SP1
Answer
This can be achieved by configuring a firewall to allow only connections to the VPN provider's IP and/or the TCP port 1723 and the UDP port 47.
If you're using several VPN providers, port-based blocking is easier. If not, IP-based blocking is more secure. In any case, you can use both.
For example, you can configure Windows Firewall to do this:
Let's assume you're using superfreevpn.com (69.60.121.29).

1. Connect to the Internet and your VPN.
2. Press Win + R and execute control /name Microsoft.NetworkandSharingCenter.
3. In View your active connections, click the link Home/Work/Public Network below your Internet connection and choose Public network.
4. In View your active connections, click the link Home/Work/Public Network below your VPN connection and choose Work network.
5. Press Win + R and execute WF.msc.
6. In Windows Firewall with Advanced Security on Local Computer, click Action, then Properties, go to the Private Profile tab and set the following:
   - Firewall state: On (recommended)
   - Inbound connections: Block all connections
   - Outbound connections: Allow (default)

Port-based

7. In Outbound Rules, click Action, then New Rule... and select the following:
   - Port
   - TCP
   - Specific remote ports: 1-1722, 1724-65535
   - Block the connection
   - Public
   - Name: Public TCP
8. In Outbound Rules, click Action, then New Rule... and select the following:
   - Port
   - UDP
   - Specific remote ports: 1-46, 48-65535
   - Block the connection
   - Public
   - Name: UDP

IP-based

9. In Outbound Rules, click Action, then New Rule... and select the following:
   - Custom
   - All programs
   - Any
   - Any IP address
   - These IP addresses
   - Add
   - This IP address range -> From: 0.0.0.0 To: 69.60.121.28
   - Add
   - This IP address range -> From: 69.60.121.30 To: 255.255.255.255
   - Block the connection
   - Public
   - Name: Non-VPN

Since we've blocked all non-VPN DNS queries now, superfreevpn.com won't get resolved. Either modify your VPN connection by replacing the hostname by its IP, or add the following line to %windir%\system32\drivers\etc\hosts:

69.60.121.29 superfreevpn.com
Loosely adapted from How to configure firewall such that when VPN disconnects, all browsing stops.
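The IP-based variant from the answer above, scripted with netsh advfirewall (which ships with Windows 7) as an added example that is not part of the original answer. It reuses the answer's example provider address and rule name, and assumes it is run from an elevated command prompt with the Internet adapter already set to the Public profile and the VPN adapter to Work/Private.

```batch
@echo off
:: Added example, not from the original answer: the IP-based kill switch
:: built with netsh advfirewall. Run from an elevated command prompt.
:: VPN_IP is the answer's example address; replace it with your provider's.
set VPN_IP=69.60.121.29
set VPN_HOST=superfreevpn.com

:: Private profile (the VPN adapter): on, block all inbound, allow outbound.
netsh advfirewall set privateprofile state on
netsh advfirewall set privateprofile firewallpolicy blockinboundalways,allowoutbound

:: Public profile (the physical Internet adapter): block every outbound
:: packet of any protocol unless its destination is the VPN server.
:: Because the rule is protocol-agnostic, the VPN's control and tunnel
:: traffic to VPN_IP stays allowed while DNS, HTTP, etc. to any other
:: address is dropped. The two ranges exclude exactly 69.60.121.29.
netsh advfirewall firewall add rule name="Non-VPN" dir=out action=block ^
    protocol=any profile=public ^
    remoteip=0.0.0.0-69.60.121.28,69.60.121.30-255.255.255.255

:: The public profile can no longer resolve names, so pin the VPN hostname
:: in the hosts file (only if it is not already there).
findstr /c:"%VPN_HOST%" %windir%\system32\drivers\etc\hosts >nul || ^
    echo %VPN_IP% %VPN_HOST%>>%windir%\system32\drivers\etc\hosts

:: Verify the rule: it must show Action: Block, Profiles: Public and
:: both remote IP ranges.
netsh advfirewall firewall show rule name="Non-VPN"

:: Behavioural check with the VPN disconnected: the VPN server should answer,
:: the second address (any non-VPN host) should fail.
ping -n 1 %VPN_IP%
ping -n 1 8.8.8.8
```

To undo the kill switch, run netsh advfirewall firewall delete rule name="Non-VPN" and remove the hosts entry.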