
It is possible to block a specific application when VPN is not connected. Block torrent program if VPN is not connected. The essence is simple: Windows has two network groups "Public" and "Private". The application is blocked when you are on the Private network, but is not blocked over the Public network.

What I want is to allow the VPN connection to be made over the Private network connection, but not allow ANY other connections over Private (neither inbound nor outbound). Then, when the VPN connection is made (Public network), allow all connections over that Public network.

My ethernet connection is set to Private network, my VPN is set to Public network.

Outbound rules:

  • In the Private Profile, I set "Outbound connections:" to "Block" (allow is default)
  • In the Public Profile, I set "Outbound connections:" to "Block" (allow is default)
  • I removed all outbound rules, besides mDNS (UDP local 5353 to remote any)
  • I added a rule: allow, all profiles, UDP, local port any, remote port 53 (for DNS lookup)
  • I added the VPN program: All profiles, Allow, any protocol, any local port, any remote port

Inbound Rules:

  • I added the VPN program: All profiles, Allow, UDP & TCP, any local port, any remote port

So far, so good! With these configurations, my VPN program can create a connection, and obtains a new IP address. However, all other connections are still blocked.

Now the problem: I created one more outbound rule to allow everything for the Public profile. Windows Firewall tells me that both the Private and Public profiles are active (when the VPN is connected). Though, when I open Firefox I have no connection at all...

  • If I set that last outbound rule to allow all for Private, I have a connection when the VPN drops, but NO connection when the VPN is on.
  • If I set that last outbound rule to allow all for Public & Private, I have a connection both when the VPN is connected and when it is not.

My question: What do I need to change to allow all when the Private & Public networks are active, but block when only Private is active?

Note: I also tried to allow all outbound by default, and set a rule to block all outbound under Private. So far this method failed as well. It seems as if the Private rules override the Public rules?


1 Answer


It seems you did everything right, except that your VPN connection must be in the "Private Network" group and your WAN broadband connection in the "Public Network" group for it to work with your firewall settings.

To do so, simply change your active VPN connection to "Work Network" and your WAN broadband connection to "Public Network" in "Network and Sharing Center".

The firewall should "Allow" all outbound connections for the "Private Profile" but "Deny" all outbound connections for the "Public Profile" and "Domain Profile" (Win7 only).

It works on Windows 7/8/8.1/10.
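The profile layout the answer describes (WAN adapter on Public with outbound blocked, VPN adapter on Private with outbound allowed, plus the VPN client and DNS exceptions from the question) can be applied with the built-in NetSecurity cmdlets. This is an added example, not the answerer's commands; the interface aliases and the VPN client path are placeholders you must adjust.

```powershell
# Added example: placeholders for the adapter aliases and VPN client path.
# Run from an elevated PowerShell prompt on Windows 8 or later.
$wanAlias = 'Ethernet'                                  # assumed broadband adapter
$vpnAlias = 'VPN Connection'                            # assumed VPN adapter
$vpnExe   = 'C:\Program Files\ExampleVPN\vpn.exe'       # assumed VPN client

# 1. Profile assignment as the answer recommends: WAN -> Public, VPN -> Private.
#    The VPN adapter only exists while the tunnel is up, so guard that call.
Set-NetConnectionProfile -InterfaceAlias $wanAlias -NetworkCategory Public
if (Get-NetAdapter -Name $vpnAlias -ErrorAction SilentlyContinue) {
    Set-NetConnectionProfile -InterfaceAlias $vpnAlias -NetworkCategory Private
}

# 2. Default outbound action per profile: Private allows, Public and Domain block.
Set-NetFirewallProfile -Profile Private -DefaultOutboundAction Allow
Set-NetFirewallProfile -Profile Public,Domain -DefaultOutboundAction Block

# 3. Exceptions so the tunnel can come up while only the Public profile is active:
#    the VPN client itself (both directions) and DNS, so the VPN server name resolves.
New-NetFirewallRule -DisplayName 'VPN client (out)' -Direction Outbound `
    -Program $vpnExe -Action Allow -Profile Any
New-NetFirewallRule -DisplayName 'VPN client (in)' -Direction Inbound `
    -Program $vpnExe -Action Allow -Profile Any
New-NetFirewallRule -DisplayName 'DNS (out)' -Direction Outbound `
    -Protocol UDP -RemotePort 53 -Action Allow -Profile Any

# 4. Check: which profile each adapter is on, and the effective outbound policy.
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory
Get-NetFirewallProfile   | Select-Object Name, Enabled, DefaultOutboundAction
```

Because newly seen networks default to the Public category, this layout fails closed when you plug into an unknown network. The DNS exception still lets name lookups leave outside the tunnel while the VPN is down; narrowing that rule with `-RemoteAddress` to the resolver your VPN client actually needs reduces that leak.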