How To Block All Internet Traffic If Not VPN Connected...

A core mission of cryptostorm is ensuring consistent, reliable network security with minimal fuss & drama. From DNS-based services like our DeepDNS in-browser native .onion/.i2p site access, through groundbreaking research on IP6 leakblocking, & to firewall-based structures to enable "fail-closed" security, this is where we discuss & develop cryptostorm-style leakblock tech.
Posts: 612
Joined: Sun Dec 16, 2012 6:34 am

How To Block All Internet Traffic If Not VPN Connected...

Post by Pattern_Juggled » Thu Jan 10, 2013 5:47 am

How To Block All Internet Traffic / Connections If Not Connected to a VPN
MONDAY, MAY 16, 2011

This post will outline a method using the Windows 7 Firewall to block all Internet traffic unless you are connected to your VPN.

This post assumes you have already followed the steps in the earlier post, How to only use the VPN Connection and Block ISP.

If you implement these rules, your system will have no Internet access unless you are connected to your VPN. That is to say, your system will be connected to the Internet, but no traffic can get in or out unless specifically permitted by a separate firewall rule. If a rule allowing an application exists, that application's traffic will still be able to pass through the firewall.

I have used these rules on my system without ill effect (Windows 7 Home Premium 64-bit). Depending on what other applications you use, you will likely have to create additional rules. If you break your system, don't blame me. Always back up before messing with system settings, and take notes as you go.

It is possible this method could still potentially leak data by way of the system process svchost.exe. If you attempt to block svchost.exe, your PC will not be able to communicate with your router/modem, and you really will have blocked all network functionality - i.e. nothing will work.

That being said, I have monitored VPN disconnects using TCPView and spotted no leaks - just all processes (including system processes) engaged in Internet traffic instantly changing from ESTABLISHED to TIME_WAIT, and shortly thereafter vanishing.

If this method is too restrictive / complex for you (or if you use Windows XP / 2000 or Mac OS X), you may wish to consider using a VPN service offering a VPN client that allows you to securely bind applications to the VPN, such as HideMyAss:


1. Open Windows Firewall with Advanced Security (in this guide, start at step #4)

2. Select Inbound Rules. The New Inbound Rule Wizard will appear.

3. Select Custom Rule (see below).


4. Select All Programs.

5. Select Any IP Address, for both Local and Remote.

6. Select Block The Connection (see below).


7. Select Domain and Private, leaving Private and Public unticked (see below)


8. Name your rule and click Finish. Repeat steps 1 through 8 for Outbound Rules.

9. In the Windows Firewall with Advanced Security window, select Windows Firewall Properties (see below).


10. In the resulting window, choose to block both inbound and outbound traffic for the Domain and Private profiles (see below). You may also want to block outbound traffic on the Public profile as well, but you will need to create specific allow rules for every application that needs Internet access.


You should test your configuration at this point to ensure it is working. Connect to your VPN, start up some downloads, and disconnect. All traffic should die immediately.
...just a scatterbrained network topologist & crypto systems architect……… ҉҉҉

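Added example (not part of the original post or of cryptostorm's tooling): the GUI steps 1 through 10 above expressed as `netsh advfirewall` commands for an elevated Command Prompt on Windows 7. The rule names and backup path are made up for illustration, and it assumes, following step 10, that the block applies to the Domain and Private profiles while the VPN adapter's network is classified as Public.

```batch
@echo off
rem Command-line form of steps 1-10 (illustrative; names and paths are assumptions).
setlocal
set "BACKUP=%USERPROFILE%\firewall-before-vpn-block.wfw"
set "RULE_IN=Block non-VPN inbound"
set "RULE_OUT=Block non-VPN outbound"

rem Refuse to run without administrator rights (net session fails when not elevated).
net session >nul 2>&1
if errorlevel 1 (
    echo Run this from an elevated Command Prompt.
    exit /b 1
)

rem Back up the current firewall policy first; never clobber an earlier backup.
if exist "%BACKUP%" (
    echo Backup "%BACKUP%" already exists; move it aside first.
    exit /b 1
)
netsh advfirewall export "%BACKUP%" || exit /b 1

rem Steps 2-8: block rules for all programs (no program= filter), any protocol,
rem any local and remote address, Domain and Private profiles, one per direction.
netsh advfirewall firewall add rule name="%RULE_IN%" dir=in action=block ^
    protocol=any localip=any remoteip=any profile=domain,private enable=yes || exit /b 1
netsh advfirewall firewall add rule name="%RULE_OUT%" dir=out action=block ^
    protocol=any localip=any remoteip=any profile=domain,private enable=yes || exit /b 1

rem Steps 9-10: default policy for the Domain and Private profiles becomes
rem block inbound / block outbound. The Public profile is left unchanged.
netsh advfirewall set domainprofile firewallpolicy blockinbound,blockoutbound || exit /b 1
netsh advfirewall set privateprofile firewallpolicy blockinbound,blockoutbound || exit /b 1

rem Check the result: both profiles should report BlockInbound,BlockOutbound,
rem and both rules should be listed as enabled with Action: Block.
netsh advfirewall show domainprofile firewallpolicy
netsh advfirewall show privateprofile firewallpolicy
netsh advfirewall firewall show rule name="%RULE_IN%"
netsh advfirewall firewall show rule name="%RULE_OUT%"
endlocal
```

To undo the change, restore the exported policy with `netsh advfirewall import` followed by the backup file path.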

Posts: 5
Joined: Thu Oct 10, 2013 8:53 pm

Re: How To Block All Internet Traffic If Not VPN Connected..

Post by anon » Sat Dec 14, 2013 10:41 am

What about Linux/Mac OS ?

Posts: 288
Joined: Thu Oct 24, 2013 2:37 pm

Re: How To Block All Internet Traffic If Not VPN Connected..

Post by DesuStrike » Sat Dec 14, 2013 2:27 pm

anon wrote: What about Linux/Mac OS ?

I'm short on time but basically you do this with iptables. Look here to get a feeling for how it works and how it should look. You have to modify it to work with your individual setup. There is no one-size-fits-all solution at this time right now.
home is where the artillery hits