Enabling VPN-only access to the Internet with Windows Firewall (kill switch)

Windows Firewall could be used for blocking access to the Internet when no active VPN connection is available (kill switch).

1. Run Windows Firewall:

Start → Control Panel → Windows Firewall → Advanced settings

2. Create a rule for allowing connections for OpenVPN:

Go to Outbound rules, and click New rule...

Choose Program as Rule type

Choose the full program path to openvpn.exe (usually C:\Program Files\OpenVPN\bin\openvpn.exe).

Or choose the path to C:\Program Files\Viscosity\Resources\OpenVPN\openvpn.exe if you use Viscosity.

Choose Allow the connection as Action:

Check all profiles:

Use OpenVPN allow as the name of this rule:

3. Go to Windows Firewall Properties and set blocking outbound connections by default for all profiles, except Public.

4. Ensure that your current ISP's network connection has Home or Work profile.

Control Panel → Network and Internet → Network and Sharing Center

New networks (e.g. Wi-Fi networks) have to use Work profile (Home is less secure) for a correct configuration.

Testing

Run cmd.exe and execute ping 8.8.8.8 to be sure that everything is configured properly.

Now access to the Internet is available only over VPN connection set up by OpenVPN.

Rule for DNS

Outbound DNS requests are allowed for all network profiles by default. This rule can be disabled if it's a reason for de-anonymization in your case.

Go to Outbound rules, choose Core Networking - DNS (UDP-Out) and click Disable Rule in context menu:

Also you could analyze and disable other firewall rules that are enabled for all network profiles.

Any connections to VPN server by hostname will not be available after disabling Core Networking - DNS (UDP-Out) rule. But if a configuration file has an option to connect by IP address also (true for ZorroVPN), connection to VPN server will start in a few seconds.

21.09.2015 © ZorroVPN