Monday, January 17, 2011

How to Always / Only Use VPN Connection and block ISP - Make Bittorrent only use VPN Connection

VPNs are great for added security when using the Internet - but what about when the VPN drops or disconnects? Unfortunately, if you use Windows (any version), any running application (for example, BitTorrent, your browser) will revert to using your ISP connection, exposing your IP address and opening you up to security and privacy issues. This is of particular concern when using a VPN to secure a public wi-fi spot. Windows will not prevent traffic in the event of a disconnect.

There are many guides found online to prevent this using third-party firewalls such as Comodo, or using third-party applications such as VPNetMon or VPNCheck (neither of which I know anything about, and cannot speak to their reliability or safety).

This guide will show you how to configure Windows 7 Firewall to block any specified application (I have used Firefox as an example - but you can pick any application, e.g. uTorrent or your preferred torrent client) from using your ISP connection, and permit it to connect to the Internet using only the VPN connection. Users who are unfamiliar with the basic aspects of Windows 7 Firewall may wish to consult this guide. Unfortunately, this will not work with the built-in firewall in Windows XP or Vista.

If the method described below does not work for you (or perhaps you don't want to mess with your firewall, or you use Windows XP / 2000 / Vista / Mac OS X), consider using a VPN that offers a client with IP Binding, which will prevent any selected application(s) from accessing the Internet in the event of an unexpected disconnection.

Buy VPN

privateinternetaccess.com features PPTP, L2TP and OpenVPN options on a fast, secure (and P2P-friendly!) network and has Windows and OS X clients that prevent leaking in the event of unexpected VPN disconnection. privateinternetaccess takes anonymity seriously.



Preliminary Considerations:

1. If you use an antivirus program such as avast! that has a Web Shield / Filter that passes HTTP traffic through an antivirus/malware scan, you may want to consider this post.

2. The IPv6 functionality in Windows 7 can also leak IP information - you may wish to disable it - see the guide here.

3. After you complete the steps in this guide, you may want to consider adding a rule to block all traffic that does not match a rule to the Domain and Private profile. See the guide here.

4. If you want to create these rules for one user account, and maintain less strict rules for another user account, please see this post

5. If you are blocking a torrent application such as uTorrent, you'll want to disable uTP, DHT, UPnP, Local Peer Discovery and IPv6.

Steps:

1. Connect to your VPN as you normally would.

2. Open the Network and Sharing Center - right-click on the Internet connection icon in the taskbar and choose "Open Network and Sharing Center" (see below).

3. You should see (at least) two networks listed under "View Your Active Networks" - your VPN connection and one called "Network" - a.k.a. your ISP connection. Ensure that your VPN is a "Public Network", and your ISP connection is a "Home Network". If you need to change either connection, click it and an option window will appear (see below).

4. Go to the Control Panel and click System and Security (see below).

5. In the resulting window, click Windows Firewall (see below).

6. In the Windows Firewall window, click Advanced Settings on the left pane (see below).
Note: You must be logged in as an Administrator to make changes to the Firewall settings.

7. You should see a window titled Windows Firewall with Advanced Security. In this window, click Inbound Rules (see below).

8. On the right pane, you will see an option for a New Rule. Click it (see below).

9. In the New Inbound Rule Wizard (which should appear), do the following:

  •  Choose Program and click Next.

  •  Choose the program whose traffic you wish to block everywhere except on the VPN connection, and click Next.

  •  Choose Block the Connection.

  •  Tick Domain and Private. Make sure Public is left unticked.

10. Repeat Step 9 for Outbound Rules.

When all of the above steps are complete, you should test the configuration. Run the application you made the rule for, and test that it is working when the VPN is connected. Start a download, and then disconnect from the VPN. If all is configured properly, the download should die immediately, as the firewall will block it from using your ISP-assigned IP address. If you wish to monitor traffic closely, use TCPView.
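The same inbound and outbound block rules as Steps 7-10, created from an elevated PowerShell prompt instead of the wizard. This is an added example and not part of the original post; it uses netsh advfirewall (available on Windows 7, unlike the NetSecurity cmdlets) and assumes Firefox is installed at its default path and that the rule names are ours to choose.

```powershell
# Added example (not from the original post). Run as Administrator.
# Assumption: Firefox lives at its default install path.
$Program  = 'C:\Program Files\Mozilla Firefox\firefox.exe'
$RuleBase = 'VPN-only: Firefox'   # arbitrary rule name prefix

function Add-IspBlockRules {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Program not found: $Path"
    }
    # One rule per direction (Step 9 = inbound, Step 10 = outbound).
    # 'profile=domain,private' is the wizard's "Tick Domain and Private,
    # leave Public unticked": the program is blocked on the ISP adapter
    # (Home/Private network) and untouched on the VPN adapter (Public).
    foreach ($dir in 'in', 'out') {
        & netsh advfirewall firewall add rule `
            name="$Name ($dir)" dir=$dir action=block `
            program="$Path" 'profile=domain,private' enable=yes | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "netsh failed adding the $dir rule" }
    }
}

function Show-IspBlockRules {
    param([string]$Name)
    # Verification: each rule should report Profiles: Domain,Private
    # and Action: Block. If Public appears here, the VPN will be blocked too.
    foreach ($dir in 'in', 'out') {
        & netsh advfirewall firewall show rule name="$Name ($dir)"
    }
}

function Remove-IspBlockRules {
    param([string]$Name)
    # Undo: delete both rules again.
    foreach ($dir in 'in', 'out') {
        & netsh advfirewall firewall delete rule name="$Name ($dir)" | Out-Null
    }
}

Add-IspBlockRules -Path $Program -Name $RuleBase
Show-IspBlockRules -Name $RuleBase
# Shows which firewall profiles are active right now; as in Step 3 the ISP
# connection should be Private (Home) and the VPN connection Public.
& netsh advfirewall show currentprofile
```

After running it, repeat the test from the text: start a download, drop the VPN, and confirm the transfer dies rather than continuing over the ISP address.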


      26 comments:

      GLM said...

      Thanks for this great post.

      Will this also work in XP?

      practicalrambler. said...

      Unfortunately not. The XP Firewall is pretty weak.

      FJ said...

      Thanks for this post. Is there any advice you could give on how to make this work for ALL programs? I have tried using your steps and simply checking "block all programs" however when I do my VPN automatically drops out and I can't connect back.

      I basically want my internet to completely shut off when my VPN disconnects. Any ideas to make this work as painless as possible?

      Thanks so much.

      practicalrambler. said...

      FJ: This is as close as I've come:

      http://practicalrambler.blogspot.com/2011/05/how-to-block-all-internet-traffic.html

      Hope this helps.

      Too many to list said...

      Thank you practicalrambler for the tutorial. It works just as described. Please continue to write your informative postings!

      Edward M. Meshuris said...

      This is a great post, works perfectly! Now how about Mac?

      practicalrambler. said...

      Thanks Edward, glad to help. Not sure what to tell you for a Mac other than that I believe HideMyAss's client will secure bind on Mac (BLATANT plug!) Seriously though, no clue about Macs :)

      Tim S said...

      Ok, I got this working but when I connect to the VPN, ALL traffic goes through the VPN. Is there a way to have ONLY uTorrent traffic go through the VPN?

      practicalrambler. said...

      Tim S: you'll have to use more advanced routing. See: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/route.mspx

      Warning: it'll be somewhat tricky. :)

      rengtangle said...

I did everything, but I still can't open my uTorrent program whenever I am connected to my VPN.

      Gums said...

Didn't work. Maybe it's because I also use Norton 360 for my firewall. Can I disable Norton? Now what???

      practicalrambler. said...

      Gums: Try disabling Norton and see if it works. If so, there's your problem. I don't use Norton but it likely uses a local proxy to scan network traffic. I had the same problem with Avast. You may be able to disable that part of Norton.

      Gums said...

      rambler:
Took down Norton firewall. Nothing. You mentioned, "you'll want to disable uTP, DHT, UPnP, Local Peer Discovery and IPv6." Where can I find that? The only thing I could find was under the Inbound rules and they were: uTorrent (TCP-In) and uTorrent (UDP-In). Both disabled and still nothing. I doubt if Windows firewall can be tweaked in tandem with Norton 360 managing the firewall. Even when it's disabled. Using my home ISP uTorrent still runs like tap water! Yikes! What now?

      practicalrambler. said...

uTP, DHT etc. are uTorrent settings. You can find them in the uTorrent config. You may be correct that Norton 360 is managing the firewall and causing the issue. I'm not sure what the problem is on your particular configuration. I know nothing about Norton 360 as I've never used it before.

      I do note you said you "disabled" the uTorrent rules in the firewall - do you mean you disabled them, or BLOCKED them? Blocking is key, disabling a rule won't do you any good.

      Vernon said...

      Can I use your instructions with the HideMyAss! client? ... or do I have to use PPTP?

      Thanks.

      practicalrambler. said...

      Vernon:

      I suppose you could, however the HideMyAss client's "Secure IP Bind" feature should be sufficient on its own. You can still apply the firewall settings to individual applications if you choose to.

      OldNick said...

      Nice - will implement this.

Any way to get all the local traffic on my home network to not try to use the private network? When my VPN is active my machine does not access my network printer (presumably because it is trying over the VPN).

      Any help appreciated.

      practicalrambler. said...

      OldNick: Wish I could help, but I don't have any networked printers to experiment with. It's a good question though. If you resolve it I'd love to hear how!

      Syntax4Sinners said...

Just like to thank you, practicalrambler, for your share of wisdom. This stops my 'arse in the wind' when my VPN goes down and I'm not at my machine. Works great on W7x64 using Windows Firewall Control 3.1.0.3 (extension of Windows' own FW).

      Unknown said...

      Great guide but what about DNS leak fix and Computer ID protection?

      All of that is taken care of by VPNCheck Pro and more.

      Scythe Vendetta said...

This works for Firefox, but not uTorrent, no matter what I do. uTorrent continues downloading.

      Brendon said...

Excellent. I had my VPN drop overnight and knew there had to be a solution... mine didn't work but yours does! And it's more simple! Thanks.

      ProPessimismTheNewBetterWayToLive ... said...

      Yo Baby!
      A Tutorial, which saved my Perma_Noob ass, about three months of work.
      It's not that I can't figure it out, but have you ever found yourself reading log files that are 18,456 lines long?
      Wanna have some real fun?
      Do the IPv6 thing, which TY to Mr. Rambler here, who should be named a National Hero, at the very minimum, I confirmed what I "thought", I read in the 75th white paper- IPv6, "leaks". Gee Whiz, now how about that ... Dang 'nabbit and I 'gotta say here, I 'ain't smart, we know that, but if 75 million people are working on it, I guess that "leaking deal", just might be one of those things that make you go ... "We are so F***ed! Because one or two of those 75 million people would fix that "leak", or maybe it's just one of those technology deals, where the more you work on it, the worse it gets. Isn't it great to have something working, well just fine, in fact it's perfect! Then, you get an "update", and it stops working. I like that. When that happens, sometimes I get a sliver of a glimpse into another dimension and I finally understand how all those "Advanced", Civilizations", we know about, ended up not doing so well. They kept, "updating" everything until it was flat-ass broken. That's Great. What impedes that sort of progress? Well, people, like the 'practical rambler', who find out stuff and in a kind and neighborly way, share it with others, then, in some 'kinda weirdo sci-fi thing", those people are reminded of what giving was like and sometimes they can compare it to taking all the time, and they go out and do the one which made 'em feel better. It's not like cash money, but you can spend it ten thousand ways.
      au revoir

      Fetter Frank said...

      Easy as pie. Thanks a bunch.