How to ensure Internet access is only via VPN
Solution 1
4) Firewall. Might be a viable option, but http://www.purevpn.com/win7-firewall.php says
Note: Torrents programs are an exception to this - For torrents this method is only 99% effective leaving 1% chance of data leak.
I'm not sure why that is and the page doesn't give details, but it's a bit worrying.
PureVPN's suggested settings use port-based blocking. This may let some traffic through, as remote torrent clients can listen on any port they want to.
If you use IP-based blocking instead (or both), that flaw is eliminated.
Solution 2
Definitely the 4th option - but ideally firewall on your router rather than on your PC. I could not find the reference to the data leak, but it sounds like a lot of FUD to me. (It could also be to do with DNS lookups leaking that you are looking up a particular domain name and these being trapped. The key here is to ensure DNS requests also go through the VPN - if you are worried about DNS leaking information about you.)
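A concrete form of the firewall approach both answers recommend, added here as an example and not code from the question or either answer: it drives the built-in Windows 7 firewall through netsh advfirewall, blocks by address and interface rather than by port as Solution 1 advises, and forces DNS through the tunnel as Solution 2 advises. The VPN server address is a placeholder, and the VPN adapter is assumed to be a RAS/PPP interface (PPTP, L2TP or SSTP), which netsh selects with interfacetype=ras.

```powershell
# Added example, not code from the question or either answer: a "VPN-only" policy for the
# built-in Windows 7 firewall via netsh advfirewall (New-NetFirewallRule needs Windows 8+).
# Assumptions: $VpnServer is a placeholder for the real VPN server address, and the VPN
# adapter is a RAS/PPP interface (PPTP/L2TP/SSTP), which netsh selects with interfacetype=ras.
# Run from an elevated PowerShell prompt.

$VpnServer = "203.0.113.10"   # PLACEHOLDER (documentation range); replace with the VPN server IP
$Tag       = "VPN-only:"      # name prefix so the rules are easy to list and remove later

# 1. Default-deny outbound on every profile. This is the "secure by default" part: with the
#    tunnel down there is no rule that lets traffic out, whatever the routing table says
#    (Solution 1: decide by address and interface, not by port).
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# 2. The only destination allowed out on the physical adapter is the VPN server itself, on
#    any protocol (covers TCP 1723 + GRE for PPTP, UDP 500/4500 + ESP for L2TP/IPsec, etc.).
netsh advfirewall firewall add rule name="$Tag allow VPN server" dir=out action=allow `
    remoteip=$VpnServer protocol=any

# 3. Inside the tunnel everything is allowed: match on the RAS interface type.
netsh advfirewall firewall add rule name="$Tag allow inside tunnel" dir=out action=allow `
    interfacetype=ras

# 4. Keep DHCP working on the LAN so the lease (and the path to the VPN server) survives.
netsh advfirewall firewall add rule name="$Tag allow DHCP" dir=out action=allow `
    protocol=udp localport=68 remoteport=67

# 5. Solution 2's point: DNS must not escape the tunnel. Windows ships "Core Networking"
#    outbound allow rules for DNS that would otherwise still apply; an explicit block rule
#    wins over any allow rule, so block port 53 on the LAN and wireless adapters only.
foreach ($iftype in "lan", "wireless") {
    foreach ($proto in "udp", "tcp") {
        netsh advfirewall firewall add rule name="$Tag block DNS off-tunnel ($iftype/$proto)" `
            dir=out action=block protocol=$proto remoteport=53 interfacetype=$iftype
    }
}

# Verify: with the VPN down, name resolution and browsing must fail; with it up, both work.
netsh advfirewall firewall show rule name=all | Select-String "VPN-only"
netsh advfirewall show allprofiles | Select-String "Policy"
```

Because the rules key on the VPN server address and the RAS interface type, a reappearing default route (the problem with option 2 in the question) no longer matters: the physical adapter still has no allow rule for anything but the VPN server.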
Updated on September 18, 2022
Comments
-
EM0 over 1 year
I have a Windows 7 machine with a regular wired Internet connection, configured via DHCP. It has a VPN connection set up. How can I ensure that Internet access is allowed only over the VPN? That is, before the VPN is connected I want there to be no access to the Internet (except to the VPN server). If it disconnects or fails for any reason I want there to be no access as well.
I've already read the guides on this and there seem to be basically 4 answers, none of which work reliably for me:
1) Run some software that detects when the VPN disconnects and block Internet access. I don't want to rely on this, even if it mainly works. I want a "secure by default" solution.
2) Remove the default route that goes via the real gateway. This almost works, except that sometimes (not all the time) when the VPN disconnects that default route has magically re-appeared. Perhaps it happens during a DHCP refresh, I'm not sure.
3) Add a fake default route that goes via a non-existent gateway, with a lower metric than the real default route. This didn't work for me. The route is added, but before I connect to the VPN I still have Internet access.
route print
shows this:
Network Destination  Netmask  Gateway          Interface      Metric
0.0.0.0              0.0.0.0  1.2.3.1          1.2.3.123      276
0.0.0.0              0.0.0.0  192.168.198.250  192.168.198.1  22
where 1.2.3.1 stands for my real gateway and 192.168.198.250 is a fake gateway on a VMware adapter. It uses the real gateway even though the fake metric is lower. I've also tried adding a fake gateway on the real network, but its metric always ends up higher - the "metric" parameter of
route add
seems to be relative to the interface metric.
4) Firewall. Might be a viable option, but http://www.purevpn.com/win7-firewall.php says
Note: Torrents programs are an exception to this - For torrents this method is only 99% effective leaving 1% chance of data leak.
I'm not sure why that is and the page doesn't give details, but it's a bit worrying.
-
ganesh about 11 years: 1) How are you going to establish the VPN if you have no access to the Internet? Add a specific route to the VPN's address? 2) Is setting up a VPN on the router an option? No need to mess with the local PCs. Or for them to mess up.
-
EM0 about 11 years: 1) Yes, I mean "no access except to the VPN server" - edited. 2) It's an option, but I'd prefer a more general solution that can work on any Windows PC connected to the Internet in any (reasonably standard) way.
-
EM0 about 11 years: Thanks, Dennis, looks like firewall is a 4th option. I've edited the question.
-
EM0 about 11 years: Thanks, that makes sense - they should have said so on the page.
-
EM0 about 11 years: OK, I'll give it a try. Agree that router is better, if possible. If I'm using a laptop at some wireless hotspot, though, I suppose Windows Firewall will have to do - unless there is some better option?
-
EM0 about 11 years: Accepting this (firewall) as the answer, but I'll probably use it in combination with removing the default route - it's easy enough to do and it's just an extra level of safety.