How to create killswitch with Windows 7/8/10 Firewall

How to create VPN Killswitch with Windows 7/8/10 Firewall

Stop leaks when VPN disconnects.


 

Introduction

Having troubles with your VPN disconnecting and exposing your true IP address(es)? With the Windows firewall you can eliminate accidental leakage. What's the difference between TorGuard's VPN Client killswitch and a Firewall killswitch? Simple: the client disables your main network interface, while the firewall simply blocks all traffic without disabling any network interface.

 

The main problem with any third-party application that disables your network adapter is that when the VPN connection is terminated, there is a very small window where your IP address can be leaked. Let's not forget the cases where the client cannot disable the adapter, perhaps due to a security suite, permissions, or a malfunctioning operating system that interferes. A firewall, especially Windows Firewall, will have minimal chances of failure if configured correctly; it is arguably the best firewall for Windows in my opinion.

 


 

Requirements:

  • TorGuard VPN Client
  • Windows (Tested with 7/8/10)
  • No third-party firewall

 

Step 1: Setting main network adapter from Public to Private

 

  • Press WinKey+R to bring up the runbox
  • Enter: control.exe /name Microsoft.NetworkAndSharingCenter
  • Press WinKey+R to bring up the runbox
  • Enter: secpol.msc
  • Select Network List Manager Policies from the left pane
  • Double click on Network (name may differ) from the right pane
  • Select the Network Location tab
  • Change Location type to Private
  • Change User permissions to User cannot change location
  • Click Apply

 


Step 2: Open Windows Firewall with Advanced Security

 

  • Press WinKey+R to bring up the runbox
  • Enter: wf.msc

 


Step 3: Backup Current Firewall Policy

 

  • Click Action from the top menu bar >> Select Export Policy...
  • Save to Desktop or other location
  • If you mess up your firewall rules somehow, you can always Import Policy... to restore
  • Click Action from the top menu bar >> Select Restore Default Policy — This will revert your firewall to default.

 


Step 4: Create Outbound Rule

 

  • Select Outbound Rules on the left pane
  • Click New Rule... on the right pane
  • Rule Type > Program
  • Program > This program path: C:\Program Files (x86)\VPNetwork LLC\TorGuard\openvpn.exe
  • Action > Allow the connection
  • Profile > Domain/Private/Public all checked
  • Name > Name: _TorGuard_ALLOW

 


Step 5: Block all Connections for Private/Domain

 

  • Select Windows Firewall with Advanced Security on Local Computer on the left pane
  • Click Windows Firewall Properties on the middle pane
  • Under the Domain Profile and Private Profile change Outbound connections: to Block

 


Step 6: Giving internet permission to applications manually

 

  • Select Outbound Rules on the left pane
  • Click New Rule... on the right pane
  • Do the same as the TorGuard rule you created, but this time only select the "Public" network space.

 



 

Final Notes + WARNINGS

  • If you ever get a firewall popup to add a program, make sure to uncheck Private networks and only have Public networks checked before clicking Allow access; if you fail to monitor this, the killswitch will be pointless.
  • Never allow any program to automatically add firewall exceptions. You should only do this manually or whenever you get prompted by Windows Firewall. This isn't a setup and forget solution.
  • Existing firewall rules that are assigned the Private/Domain network spaces will still be able to connect; usually it's just local network related stuff. It would be good if you reviewed all rules and adjusted them according to your needs.
Edited by TorGuard
  • Like 2
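
Steps 3 to 6 above expressed as a PowerShell script; this is an added example, not part of the original post. It assumes Windows 8 or later (the NetSecurity cmdlets are not available on Windows 7), an elevated prompt, and the install path given in Step 4; the backup file name and the `Add-PublicOnlyAllowRule` helper are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Needs the NetSecurity module (Windows 8+).
$OpenVpn  = 'C:\Program Files (x86)\VPNetwork LLC\TorGuard\openvpn.exe'  # path from Step 4
$RuleName = '_TorGuard_ALLOW'                                            # name from Step 4
$Backup   = Join-Path ([Environment]::GetFolderPath('Desktop')) 'firewall-before-killswitch.wfw'  # assumed name

# Stop early if the VPN binary is missing: blocking outbound traffic without a
# working allow rule for it would leave the machine unable to reach the VPN.
if (-not (Test-Path -LiteralPath $OpenVpn)) {
    throw "openvpn.exe not found at '$OpenVpn'; correct the path before applying."
}

# Step 3: export the current policy (restore via Action > Import Policy...).
if (Test-Path -LiteralPath $Backup) { throw "Backup '$Backup' already exists; move it first." }
netsh advfirewall export "$Backup" | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Firewall policy export failed; nothing was changed.' }

# Step 4: allow openvpn.exe outbound on all profiles (skipped if the rule exists).
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Program $OpenVpn `
        -Action Allow -Profile Any | Out-Null
}

# Step 5: block outbound by default on the Domain and Private profiles only.
Set-NetFirewallProfile -Profile Domain,Private -DefaultOutboundAction Block

# Step 6: hypothetical helper that allows one program on the Public profile only,
# which is the manual per-application rule the guide describes.
function Add-PublicOnlyAllowRule {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Program)
    New-NetFirewallRule -DisplayName $Name -Direction Outbound -Program $Program `
        -Action Allow -Profile Public | Out-Null
}

# Show the resulting default actions per profile.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultOutboundAction
```

Step 1 (setting the main network to Private and locking the location type) is not covered by this script and still has to be done as described.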


If I just use TorGuard on a virtual machine, and not for my regular traffic, do I still select openvpn as the program in the first rule or do I choose the TorGuard client program?


If I just use TorGuard on a virtual machine, and not for my regular traffic, do I still select openvpn as the program in the first rule or do I choose the TorGuard client program?

 

Yes, openvpn.exe is primarily used to connect to TorGuard's VPN servers. You can also create an extra rule for the TorGuard desktop client if you want, so it can update itself while disconnected.

I have followed your tutorial but I have some queries.

I am using the following software on my server:
eMule, qBittorrent, Remote Desktop, TeamViewer, Plex
I asked TorGuard to open a port, so I have a static IP.

I set TorGuard to arm the killswitch and I selected the Ethernet interface.
This setting is a pain. If the VPN is disconnected I can use remote desktop because the Ethernet card is off, but at least I thought it was safe.
Unfortunately I came across a problem with the TorGuard client. One day it shut down without notice.
eMule switched to using Ethernet instead of Ethernet 2 (VPN), so I was exposed.

1) By using this tutorial I don't need to arm the killswitch? But maybe it can be a good idea to use app kill on TorGuard and in another app like VPNwatcher to add security.

2) qBittorrent doesn't need that because it always uses Ethernet 2?

3) Should we create rules on inbound as well?
4) I allow Remote Desktop and Plex on private and public. Is that correct? In this way I should be able to use them anyway, or is it better for Plex to use the VPN?
5) Because I have a static IP, can I set the firewall to use just this VPN IP for eMule and qBittorrent?

6) I allowed openconnect.exe, openvpn.exe and TorGuard desktop, correct?



Hello igna, welcome to the forums.

 

I have followed your tutorial but I have some queries.

I am using the following software on my server:
eMule, qBittorrent, Remote Desktop, TeamViewer, Plex
I asked TorGuard to open a port, so I have a static IP.

I set TorGuard to arm the killswitch and I selected the Ethernet interface.
This setting is a pain. If the VPN is disconnected I can use remote desktop because the Ethernet card is off, but at least I thought it was safe.
Unfortunately I came across a problem with the TorGuard client. One day it shut down without notice.
eMule switched to using Ethernet instead of Ethernet 2 (VPN), so I was exposed.


Using a software or hardware firewall is usually the best way to go for locking down your network.
 

1) By using this tutorial I don't need to arm the killswitch? But maybe it can be a good idea to use app kill on TorGuard and in another app like VPNwatcher to add security.

 

The firewall will instantly close all connections when the VPN disconnects, while the TorGuard killswitch only disables your network interface(s).

Layering your OS with software that does the same thing will not add security, it will likely make it less secure.

If you just need a killswitch, Windows Firewall will do the job fine, as long as you monitor and maintain it.
 

2) qBittorrent doesn't need that because it always uses Ethernet 2?

 

qBittorrent has the ability to bind itself to a network interface and/or IP address, essentially acting as a killswitch. You can use both to harden your setup further.
 

3) Should we create rules on inbound as well?

 

Inbound rules are only needed if the device in question is acting as a server and has other remote devices connecting to it. In your case, you will have to create or enable rules to allow connections to come through to your server (RDP etc).
 

4) I allow Remote Desktop and Plex on private and public. Is that correct? In this way I should be able to use them anyway, or is it better for Plex to use the VPN?

 

Yes. Note that if you set RDP and Plex to the private profile, it will allow connections even while you are disconnected from the VPN; if you are connecting through TorGuard's dedicated IP, then you will want to set the profile to public only.

 

If you are connecting to Plex from over the internet and not from your local network, I would use VPN.
 

5) Because I have a static IP, can I set the firewall to use just this VPN IP for eMule and qBittorrent?

 

Well, by default, if you followed this guide, all your programs should only use your VPN connection as long as they were not previously assigned the Domain/Private profile. You can create a rule setting the local and remote IP addresses under "Scope".
 

6) I allowed openconnect.exe, openvpn.exe and TorGuard desktop, correct?

 

Yep, you want all the TorGuard executables to be able to connect on all Profiles (Private/Domain/Public).
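
A read-only audit for the conditions the guide's Final Notes and the reply above warn about (rules left on the Domain/Private profiles, outbound default not set to Block); this is an added example, not code from the thread. It assumes Windows 8 or later and an elevated prompt, and it treats any rule whose program sits under the TorGuard install folder from Step 4 as expected.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Needs the NetSecurity module (Windows 8+).
# Reads the local firewall policy and changes nothing.
$TorGuardPath = '*\VPNetwork LLC\TorGuard\*'   # install folder from Step 4 of the guide

# Check 1: outbound must default to Block on Domain and Private (Step 5).
$weakProfiles = Get-NetFirewallProfile -Name Domain,Private |
    Where-Object { $_.Enabled -ne 'True' -or $_.DefaultOutboundAction -ne 'Block' }

# Check 2: enabled outbound allow rules that apply on Domain or Private still pass
# traffic while the VPN is down. TorGuard's own executables are the expected exception.
$leakyRules = Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Where-Object { $_.Profile.ToString() -match 'Any|Domain|Private' } |
    ForEach-Object {
        $program = ($_ | Get-NetFirewallApplicationFilter).Program
        if ($program -notlike $TorGuardPath) {
            [pscustomobject]@{ Rule = $_.DisplayName; Profile = $_.Profile; Program = $program }
        }
    }

# Check 3: the category each connected network currently has (Step 1).
$networks = Get-NetConnectionProfile | Select-Object InterfaceAlias, Name, NetworkCategory

if ($weakProfiles) {
    Write-Warning 'Outbound traffic is not blocked by default on these profiles:'
    $weakProfiles | Format-Table Name, Enabled, DefaultOutboundAction
}
if ($leakyRules) {
    Write-Warning "$(@($leakyRules).Count) allow rule(s) apply outside the Public profile:"
    $leakyRules | Sort-Object Program, Rule | Format-Table -AutoSize
}
if (-not $weakProfiles -and -not $leakyRules) {
    Write-Output 'No outbound allow rules apply on Domain/Private except TorGuard.'
}
$networks | Format-Table -AutoSize
```

Many of the rules it lists will be built-in local network rules; review each one and move it to the Public profile or disable it as your setup requires.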
