ExpressVPN

Build your own VPN kill switch in Windows using Comodo

Update 03 March 2015: So… following various comments about this tutorial not working following the recent Comodo Firewall update, I concluded that it was borked, and promised to update it for the new version of Comodo.

However, I have just reinstalled the latest version of Comodo and followed these instructions almost exactly… and everything worked perfectly! The only change was that at the end of Step 3, the Ruleset Rules were listed in reverse order to how they are presented here (first rule at the bottom instead of the other way round), which I corrected. I am not sure, but this may be the result of the version change, so I have modified the tutorial accordingly. In any case, please ensure that the Firewall Ruleset rules are listed in the correct order shown in the tutorial.

Many people use VPN to protect themselves from copyright enforcement bullies, but a perennial danger when doing so is of the VPN connection going down, leaving BitTorrent traffic exposed for the world to see.

Some VPN providers, such as Private Internet Access, Mullvad, and VPNArea, include an internet kill switch in their VPN clients (VPNArea even includes a per-app kill switch), and we have discussed other third party solutions to the problem before.

There is however, another more direct way to – roll your own kill switch (either global, or per-app) using a Firewall.

Using the built-in Windows Firewall

In Windows 7 it is quite easy to set up a kill switch using the built-in Firewall. BolehVPN has some excellent instructions for doing so here.

In Windows 8.x things are trickier because the Network and Sharing Center does not allow you to change Network type from Home to Public. We also could not get Windows 8.1 to display our OpenVPN connection in the Network and Sharing Center.

The first problem can be solved by following these instructions, and should work fine for PPTP and L2TP connections. We were unable to resolve the second however, so we turned to Comodo Firewall.

The rest of this tutorial assumes that you are using OpenVPN (it shouldn’t matter whether via a custom VPN client or the basic open source one).

Using Comodo Firewall

Comodo Firewall is a free stand-alone Firewall, that unlike the basic Windows one, which only monitors incoming connections, also monitors all outgoing connections (very useful for blocking viruses that have infected a computer from ‘dialing out’, and commercial software that likes to ‘call home’ from verifying its authenticity).

Comodo Firewall can be downloaded from here. For the process below to work, you will need to disable Windows Firewall once Comodo is installed.

1. Establish your VPN’s physical address

With your OpenVPN connection up and running,  Start -> type ‘CMD’. Type ipconfig /all at the command prompt and scroll through until you see the section labelled TAP-Win32 (or TAP-Windows Adapter). Note the Physical Address, and keep the window open for reference.

cmd

2. Create a new Network Zone.

a)      Start Comodo Firewall and head for Advanced view (icon on top left) -> Firewall -> Network Zones. Click on the little arrow at the bottom of the Comodo window, and select Add -> New Network Zone

comodo 1

b)      Give your new zone an appropriate name, and click OK.

comodo 2

c)       Select your newly network created zone, Add -> New Address

comodo 3

d)      Select Type: Mac Address, and enter the Physical Address you noted in Step 1. Click OK.

comodo 4

3. Make a Ruleset

a)      Navigate in Comodo to Firewall -> Rulesets, and click ‘Add’.

comodo 5

b)      Name the new Ruleset, and click Add.

comodo 6

c)   Select the following settings:

  • Action: Block
  • Protocol: IP
  • Direction: In or Out
  • Source Address: Any Address
  • Destination Address: Any Address

comodo 7

Click OK.

d)      Create anothother two rules with the following settings:

  • Action: Allow
  • Protocol: IP
  • Direction: Out
  • Source Address: Network zone / your zone
  • Destination Address: Any Address

e)      Repeat again with the following settings:

  • Action: Allow
  • Protocol: IP
  • Direction: In
  • Source Address: Any Address
  • Destination Address: Network Zone / your newly created network zone (in our example VPN Zone)

You should now see 3 lines in your Custom Ruleset – 2 green ones, followed by 1 red one (in the order shown below) – the order in which these rules appear is important, as it is the order in which they are applied. You can change the order by dragging the rules with your mouse, or by selecting a rule and using ‘Move Up’ or ‘Move Down’ from the menu (arrow at bottom).

comodo 8

4. Apply rule to programs

a)      Navigate to Firewall -> Application Rules, and either find the application you want to force to use VPN (if there is already a Firewall rule set for it), or ‘Add’ a new one (click arrow at bottom of window for fly-up menu).

comodo 9

b)     ‘Browse’ to location of the program to wish use (using any the File Groups or Running Processes filter)

c)      Click the ‘Use Ruleset’ radio button, and select your VPN Ruleset. Click ok. Here we have applied the Ruleset to Google Chrome, but it can also be applied to programs such uTorrent.

5. Test the application to make sure everything works.

We found a re-boot of the PC was required.

Global Kill Switch

You can instead keep things simple, and elect to set a ‘Global’ kill switch, which will cut of all your PC’s internet access when not connected to your VPN. To do this, navigate to Firewall -> Global Rules, and Add the same 3 rules we discussed in Step 3 ‘Make a Ruleset’. These may conflict with existing Firewall rules, some of which may have to be removed (a bit of trial and error may be needed here).


Douglas Crawford I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. Find me on Google+

Related Coverage


75 responses to “Build your own VPN kill switch in Windows using Comodo

  1. Douglas, firstly thanks for a great write up.
    After installing Comodo Firewall and following the steps all applications I put in the VPNZone gets filtered correctly through the VPN and the traffic stops if the VPN disconnects.
    But when Sickbeard is in the VPNZone while trying to download a .nzb I get the following error: “Unable to connect to SAB: socket error : error [Errno 10013] An attempt was made to access a socket in a way forbidden by its access permissions”. As soon as I put Sickbeard under “Allowed Application” in Comodo Firewall it downloads the .nzb correctly. SABnzbd works as expected in the VPNZone.
    All hosts refers to 127.0.0.1 and not just localhost where Sickbeard and SABnzbd communicates.
    Can you perhaps clarify or give me a solution.

  2. I loved this guide and it was very useful to me for getting things set up the way I wanted.

    One additional thing I would like to point out though is that it may be useful to slightly modify the Ruleset in the guide to allow for loopback (localhost) traffic. Otherwise, you may have certain applications that attempt a loopback connection and fail causing hangs/crashes within those applications. I have seen this issue in Deluge (crash on startup / prevented magnet links in browser). I have also seen this with some single-player games; although for those I created a similar non-vpn ruleset.

    To do so, complete all of Step 3 above and then add one additional rule *ABOVE* the BLOCK rule:
    Action=Allow
    Protocol=IP
    Direction=In or Out
    Name=Allow 127.0.0.1 to 127.0.0.1
    SourceType=IPv4 Single Address
    SourceIP=127.0.0.1
    DestinationType=IPv4 Single Address
    DestinationIP=127.0.0.1
    (OK to save)

    For those that are not aware, 127.0.0.1 is equivalent to localhost. In older versions of Windows (XP etc), this was defined in the hosts file:
    C:\Windows\System32\drivers\etc\hosts

    On Windows 7 and up, you will notice a comment in the hosts file that says:
    “# localhost name resolution is handled within DNS itself.”

    I assume that this is referring to a virtualized DNS layer in the OS itself rather than an external DNS (mostly bc it wouldn’t make much sense for it to go out to the router for to lookup 127.0.01).

    The only security caveats associated with this approach that I can think of would be that if you were running some type of sensitive server/database/etc with a locally accessible port, then this type of rule would might allow a process to attempt connections on that port. But you could always define multiple Rulesets and explicitly specify which apps have loopback+vpn and which have only vpn.

    1. Hi rabamigov,

      Thanks! I have not encountered any loopback issues due to localhost traffic myself, but your solution sounds great for anybody that does. I am not currently running this setup, but next that that I do, I will try adding this rule (and update this article accordingly).

  3. I’m Having a little problem. I use PIA as a VPN, but was not happy with there client (hates firewalls and you need to hack it to use Comodo). So I set up OpenVPN to use their service. Set Comodo up step-by-step as per the instructions here, and on a fresh machine with just Comodo, Chrome and OpenVPN (plus TAP driver, but thought that was a given), but when the firewall is up, nothing. Disconnect from the VPN and try to reconnect, I get “RESOLVE: Cannot resolve host address: us-west.privateinternetaccess.com: No such host is known. ” Disable Firewall, everything works like it should, as far as VPN connecting and browsing goes. Killswitch dead since Firewall is disabled.

    Here’s what I have:
    Application Rules – Chrome.exe as Web Browser and OpenVPN as Allowed Application. Rest are default.
    Global Rules – Set as pic (In from MAC to VPN Zone, Out from VPN Zone to MAC, Block in/out from MAC to MAC; in that order from top to bottom). Nothing Else.
    Rulesets – Default (Web Browser, Email, FTP, Allowed, Blocked, and Outgoing Only)
    Network Zones – VPN Zones only set to MAC Address of TAP-Windows Adapter V9.

    This is going to be for an automated HTPC, so I want the VPN up when communicating to the outside and net down when VPN is not up.

    1. Hi Adrian,

      Hmm. Well you shouldn’t need a special Application Rule for OpenVPN itself. For application that you want to use the kill switch with, simply Use Ruleset > VPN ruleset. No other configuration should be necessary (i.e I think you might be doing something wrong with “Rulesets – Default (Web Browser, Email, FTP, Allowed, Blocked, and Outgoing Only)”.

  4. Hey, Which version were you using ? Downloaded the current version of Comodo and it doesn’t even have an advanced view option that’s remotely closed to the one you presented in the tutorial. Might have to search for an old version, as the current on is crap, but dunno which version were you using

    1. Hi Comon DO,

      I have just downloaded and installed the latest version of Comodo Firewall Free (version 8.2.0.5005). To access the screens shown in this tutorial, open the main Comodo Firewall window (double-click icon in notification bar) -> Advanced view (icon on top left – see screeenshot) -> Firewall (see screenshot). It’s all there!

      1. I followed the guide and triple checked everything and my connection won’t work at all with this. The VPN connection won’t work, nor will my normal connection. If i only enable the firewall while connected to the VPN, it will just freeze up and nothing will load. I tried changing the first block rule to only block main my home network adapter’s mac address, but it allowed everything to go through still. So it seems like maybe the mac address thing doesn’t work in windows 10?

        1. Hi helpme,

          Although I have yet to test it, as far as I know everything should work just the same in Windows 10. The fact that Comodo freezes when enabled while you are connected to your VPN makes me wonder if your VPN client is running its own firewall (with conflicting rules). If so, this could cause Comodo to crash, and likely supersede the rules you have set up in Comodo. Does your VPN client offer DNS leak protection or its own kill switch of any kind?

    1. Hi me,

      This is something I may look into for an article in the future, but for general guidelines, please see here.

  5. I haven’t been able to get this to work with Comodo 8.2.0.5027 under Windows 7 Pro x64. uTorrent doesn’t upload or download with the rules in place, but it’s fine without them. I have deleted and recreated the Network Zone, Ruleset and Application Rule several times. I tried disabling ipv6. I tried using an IP range instead of a MAC address for the Network Zone. The VPN Ruleset and the Application Rule appear correct. I have used the instructions in this tutorial successfully at least twice under XP, so I doubt that I performed them incorrectly every time on this system. What else could be wrong, and how do I troubleshoot the problem?

    Thanks,

    Loren

    1. Hi Loren,

      Hmm. The only thing that comes to mind is that I was using Win 7 Pro x64 when I wrote the first version of this article. In it, at the end of Step 3, the Ruleset Rules were listed in reverse order to how they are presented here (first rule at the bottom instead of the other way round). Could there possibly some quirk in Win 7 that requires a change in how the rules are ordered? As for troubleshooting, have you tired to apply the rules as a global firewall?

      1. Hi Douglas,

        With all of the firewall changes and reboots, Windows Update went haywire. I gave up, reformatted the drive again and reinstalled Windows 7 Pro again. The kill switch works now. I never figured out why it wouldn’t work on the previous fresh install of Windows 7 Pro. Isn’t Windows fun?

        Thanks for your help,

        Loren

        1. Update: Upgraded hardware and reinstalled Windows 7. I’ve been through 3 fresh installs with no success at getting the kill switch to work. uTorrent doesn’t connect even when the VPN is connected. (On the last install, t MIGHT have been working at first and failed when Comodo installed updates; I’m not sure.) I think that the Comodo kill switch only works for some subset of hardware and software configurations.

          1. Hi Loren,

            I am sorry these instructions didn’t work for you. All I can say is that they did for me, and seem to have for others.

  6. Here’s my question — it might have an obvious answer. This method works and is elegant. BUT, Comodo is ALSO my regular firewall! Is there a simple method to switch it to “kill switch” mode when I wish to use it that way, and to “regular” mode when I’m not using a VPN but would like regular firewall protection?

    1. Hi Richard,

      Please be aware that I no longer have Comodo Firewall running this configuration, and so have not tested the suggestions listed below.

      1) Under Firewall -> Network Zones simply disable (uncheck) the VPN network zone you created in stage 2a.
      2) If you are using a global firewall, go to Firewall -> Global Rules, and disable the individual rules.
      3) The most elegant solution is probably to only apply the rules to specific apps, and use those apps only when you want kill switch protection. For example, apply the rules to your BitTorrent Client and Firefox, and use Chrome to surf the internet at other times. You other apps will obey your regular firewall rules, and will be unaffected by the kill switch.

  7. So is there anyone who knows why qBittorrent keeps crashing during startup when applied the VPN Ruleset? When the ruleset isn’t applied the program runs perfectly. However, Chrome and JDownloader works without any problems with the ruleset applied. It seems to be an issue that is only occuring on Windows 7 (Phil has the same problem). I have tried this guide on Windows 8.1 and it works perfectly without any issues including qBittorrent.

    And qBittorrent won’t work even when the ruleset is applied as Global. Also Deluge (another torrent program has same problem).

    1. To those that have the same problem I never found a solution, so I decided to reinstall Windows 8.1 and qBittorrent works with the ruleset applied without any problems.

  8. Does not work with Utorrent. It does block any new downloads, rss feeds etc but existing download first slow down and then continue like nothing happened. Tracker connections are blocked, but it still gets peers somewhere. First I thought it was DHT, but it does this with DHT disabled as well.

    1. Hi Crowley,

      I’m not sure what’s happening on your system, but I tested this specifically with uTorrent, and it worked well then…

      1. I actually found out what the problem was. IPv6. After I set the following commands:
        netsh interface ipv6 set privacy state=disable
        netsh interface ipv6 6to4 set state state=disabled
        netsh interface ipv6 isatap set state state=disabled
        netsh interface ipv6 set teredo disabled

        The “kill switch” works as intended. Not sure if all of those are needed.

        1. Hi Crowley,

          That’s great! I might have a bit of a blind spot when it comes to IPv6, as I disable it as a matter of course.

  9. Thank you very much Douglas!

    Works on all applications (i.e. firefox, google drive, etc.) but in utorrent (i have applied the same rule set as for the rest).

    Do you have any idea why this could be happening?

    Thank you in advance in for your time and help.

    1. Hi Mike,

      I’m glad that you’ve got it working! Re. uTorrent, I would guess that the new rule set is conflicting with some previously established rules for the program…

  10. Hello Douglas,

    Thank u for the article. No luck here. Whether i connect or disconnect my VPN, my connection’s physical address does not change.

    Any suggestions?

    Thanks a lot

    1. Hi Mike,

      That is correct, the physical address will not change, but you should see additional information when connected to your VPN (such as the IPv4 address and subnet mask.)

  11. Hi Douglas!
    This may look like a dumb question but I haven’t found a way around this so far.
    How can you re-connect your VPN if the kill switch disabled your internet connection?
    I entered the three rules you mentionned above. They worked well when I used them to block a specific application (ex. chrome). However, Qbittorent kept crashing when I applied the ruleset to it’s .exe and I couldn’t get it to work. I then thought ” Well, I could make OpenVPN start with windows and just roll with my VPN all the time.” Problem is (and that might be where I overlooked something dumb), Comodo kills my entire internet connection when OpenVPN disconnect (which is what a kill switch is for) but I can’t connect to my VPN again since, i’m not connected to the internet at all. I would guess I need an other rule to allow the VPN to access the internet while everything else can’t? I’m running on Windows 7 ultimate, VPN provider is PIA but I prefer to use OpenVPN instead of their client.

    Thanks!

    1. Hi Phil,

      Assigning the 3 rules to ‘Global Rules,’ does do not actually ‘kill’ your internet connection, but only prevents all non-VPN traffic passing connection through the firewall. If you temporally disable the Firewall, you should be able reconnect with OpenVPN (then re-enable Comodo). This can be easily done with simple right-click on Comodo’s Notification Bar icon.

      1. But to make life easier, maybe it can be done in that way, that you can somewhere add an exepction that openvpn or any software you use can connect to the internet

          1. You are being unesserly mean… I’m just saying that turning off firewall to reconnect is a) incovinient b) not safe, and because of that it’s not make any sense in case of privacy, because when you turn it off for a while than all you internet activity will be visible for a while, utorrent for example can start sending and recieveing for that while when you trying to reconect to vpn

          2. Hi John,

            I was knocking my own dimness for not thinking of this myself! No meanness intended (except maybe self-inflicted)! You are completely right that making a firewall rule white-listing OpenVPN etc. is a better solution than my suggestion. Thanks for suggesting it!

    1. Hi Howard,

      I’m not sure if I correctly understand your question, but unlike PIA, the client IPVanish does not include a kill switch. If you would like a kill switch for OpenVPN on Mac OSX, I believe this is possible using the Viscosity client. TorGurad has some great instructions for setting this up here (this should work with any VPN provider.)

      1. My Bad I failed to mention sooo may things lol.

        Firstly my OS Win 10 x64, secondly I switched from PIA to Ipvanish recently and used your tutorial above to make a “kill switch” when I had PIA. But unless I have something set up completely wrong You’re tutorial is useless to me now that use IPvanish cause it seems not to change my Physical Address whether I’m connected to it or not.

        1. Hi Howard,

          Ah-ha! That is much clearer. Thanks. Unfortunately, I don’t know why using IPVanish does not cause the physical mac address to change… as it uses OpenVPN I would have thought it would. Strange. It might be possible to configure your Firewall some other way to act as a kill switch, but off the top of my head I don’t know it.

          1. The tutorial works just fine with IPVanish, openVPN gets a MAC as an ethernet adapter that is working or not, why should the MAC change 🙂 Anyway, tested with lots of VPN on off, works (thanks for the tutorial)

  12. I have a really strange thing happening. I set everything up. Rebooted. I use openVPN GUI to connect to my open VPN however with these rules set the openVPN does nothing. Nothing gets written to the status file, it just sits there. I guess i’m not allowing it correctly somehow?

    I tried a rule in application rule to let OpenVPN communicate in all ways but that didn’t work either.

    1. Hi Jason,

      Without being able to look at your system it is difficult to know where the problem lies. I have now run this setup a couple of times on my system without problem, so all I can suggest is again going through the steps carefully from the top…

  13. Hi,

    Rules work perfectly for me – thanks.

    The only issue I’m having is that ‘check your torrent ip’ tools no longer work – for example if I add the ipMagnet torrent, it just gives me an error message: “No connection could be made because the target machine actively refused it”

    Any thoughts? Slightly nervous that I can’t check bittorrent isn’t giving away my IP…

    1. Hi Ryan,

      Hmm… interesting!Is your BitTorrent client working normally (I don’t see why the firwall would prevent the ipMagnet tracker)? If your IP address shows your VPN IP normally in ipleak.net, and your BitTorrent client stops downloading/uploading when you disconnect the VPN, then you should be good…

  14. Please give me a simple way from being tracked when I am on my computer. I just want privacy when I am on the Internet; no matter what I am doing. I like to shop a lot and do my banking and don’t want to be watched. I am new at this. So, help!

  15. This is maybe a dumb question, but all this is new to me. Background info: I have a VPN installed which offers me a choice of many servers whenever I connect to it, and each server assigns me a different IP address once its connected. Ive had the VPN fail on me a time or 2, and also forgotten to shut down torrent program before putting pc to sleep, meaning its still running (but VPN usually is down) upon wakeup.

    To prevent DNS leakage, I installed Comodo and set up per this tutorial. It seem to be working, the torrents connect and download when the VPN is connected, and it doesnt seem to matter which server/new-IP im connected to. Next I tested by disconnecting the VPN with the torrent program active. Oddly, the torrents did not stop instantly. Even though the VPN said disconnected, the torrents continued to DL for 15 or 20 seconds before the program came to a halt, and then started up again when I reconnected the VPN. Is this a concern? Is it actually stopping only when it loses the secure connection or is it actually continuing for a while? How would I check that?

    Thx!

    1. Hi Bob,

      Assuming the firewall is correctly configured, then traffic from the programs where the VPN-only rules are applied can only connect to the internet through the VPN tunnel (the fact that the torrents do stop when you disconnect the VPN demonstrates that everything is working well.) I think the delay is simply in how BitTorrent clients handle incoming data… no new data should be able to get through the firewall…

  16. Thank you for this. Everything seems to be working fine following your easy to understand tutorial. I am very new to VPNs (like I started using one yesterday) and this was perfect for my complete lack of knowledge.

    Can you please point me in the direction of an equally easy to understand tutorial for stopping dns leaks.. I don’t know why but changing the dns settings in my router doesn’t work at all it always reverts back to the ISP DNS server settings (yes I remembered to save the settings). I’m at a real loss here.

    Again thanks!

      1. Hi Douglas,

        Please ignore my first post, everything is working fine now. It turned out I didn’t follow one of your points correctly and that was the problem. I redid everything and now there are no DNS leaks! You’re the man!

        One thing I noticed by chance is while using my VPN I disconnected from a server and attempted to connect to a different server before it had finished properly disconnecting which caused the VPN to hang – it was stuck on the ‘disconnecting’ notification. That forced me to close the VPN altogether yet before I could start it back up my torrent client (which had been running the whole time) continued to operate normally yet it was now using an ISP assigned IP and Comodo didn’t detect the change. Just to be sure Comodo was working properly I restarted the torrent client and Comodo blocked it from accessing the net (through my ISP), just like it should.

        So under that unusual set of circumstances Comodo was unable to detect a change in the connection. Having said that, it is highly unlikely it will happen again and I’m not even sure if I could repeat the process even if I wanted to. Either way that lead me to read your great article ‘5 ways to protect yourself when your VPN connection fails’ and now I’m using ‘VPNetMon’ which in conjunction with this awesome tutorial gives an extra layer of protection when the unforeseen happens.

        I just wanted to say thanks for your great tutorials that really help a layman like me navigate their way through VPNs!

        1. Hi Andrew,

          Thanks! I’m glad everything is working now, and its a good catch to spot where Comodo falls down. Users should be aware that things can always go wrong and not work as they should…

  17. i gave this ruleset to 3 applications and the 3 applications are working just fine, they automatically stop any internet traffic in the exact moment of the vpn disconnection.
    I had the applications installed in other different computer to just to check the ip i am showing, and i only show relakks ip, when ever i disconnect the vpn i stop showing any ip.

    maybe my english, or maybe i did not explain my self very good….

    when i give this rule to a torrent application the torrent application will not have any traffic at all, clearly the application is gonna be fully blocked:

    *Action: Block
    *Protocol: TCP or UDP
    *Direction: In or Out
    *Source Address Type:Any
    *Destination Address Type:Any
    *Source Port Type:Any
    *Destination Port Type Any

    when then i place the following exception allow rule over the block rule:

    *Action: Allow
    *Protocol: TCP or UDP
    *Direction: In or Out
    *Source Address Type:IPv4 Address Range
    -Start IP: 093.182.128.000
    -End IP: 093.182.191.255
    *Destination Address Type:Any
    *Source Port Type:Any
    *Destination Port Type Any

    will allow traffic only when the :IPv4 range is within that 1 (my vpn provider)

    i made few tests and its working, i do not understand why u say is not correct, your tutorial is to apply connection kill switch to an application, is just what i did, if u still think that i can leak my real ip that way when the vpn drop the connection… please explain me why.

    again, thx for your time.

    1. Hi earblock,

      I’m glad this setup is working for you, and until I have the time to re-examine this tutorial in detail, any comments I make here are off-the-cuff and should be regarded as provisional. However, I do think your first rule is flawed:

      ‘*Action: Block
      *Protocol: TCP or UDP
      *Direction: In or Out’

      This means that you are blocking all TCP and UDP traffic. Both TCP and UDP are versions of OpenVPN (see https://bestvpncom.wpengine.com/blog/7359/openvpn-tcp-vs-udp-difference-choose/), so in your first rule you are blocking OpenVPN traffic (not IPv4), and then in your second rule you are allowing OpenVPN traffic within your VPN provider’s IP range. What you do not seem to be doing at any point is blocking non-OpenVPN traffic (which is rather the point of this exercise).

      That said, if your tests show this configuration to be working, then who am I to argue?

  18. do not seem to work in the last version 🙁
    following your tutorial the filtered applications do not get access with or without vpn on

    any ways and off course than x a lot for your efforts

    1. Hi earblock,

      Thanks. It seems that the latest update to Comodo has borked this tutorial. I will try to publish an undated version soon, but in the meantime perhaps the solution put forward by Reed (see comment above) may help?

      1. hey brother, thx for answering so fast 😉
        i am using the proxy “relakks” and i solved it this way:

        i did not made a new network zone so i did not needed the MAC address.
        the rest exactly the same as in your nice explanation but with only 2 rules:

        *Action: Block
        -(checked Log as firewall event if this rule is fired)
        *Protocol: TCP or UDP
        *Direction: In or Out
        *Source Address Type:Any
        *Destination Address Type:Any
        *Source Port Type:Any
        *Destination Port Type Any

        *Action: Alow
        *Protocol: TCP or UDP
        *Direction: In or Out
        *Source Address Type:IPv4 Address Range
        -Start IP: 093.182.128.000
        -End IP: 093.182.191.255
        *Destination Address Type:Any
        *Source Port Type:Any
        *Destination Port Type Any

        (off course the allow action must show up over block action, i wrote them that way cos if u introduce them in the firewall in that order probably u will get at the end the right order ´cos seems that the new rules are placed over by default)

        about the ip range of my provider i cant be 100% sure if is that 1 the 100% correct 1, so researching i found few different ones.
        well i appreciate in advance if u tell me for sure that with this configuration my real ip will not leak, it seems to be working perfectly but i am still a bit “nubby” in protocols 🙂

        1. Hi earblock,

          Hmm… I’m afraid that I don’t think that is right. You need the MAC address in order to block all traffic entering and leaving your PC (and then add VPN traffic as an exception). I think your rules simply block all OpenVPN traffic (TCP or UDP) except that within the IP range of your VPN provider. What your suggestion does not seem to do block regular internet traffic, which is the purpose of this tutorial. Following the recent holiday I have something of a backlog of work to get through, but I will update this article as soon as I have time.

  19. I tried this tutorial but was unable to get it to work as per the instruction with the latest version of Comodo. After a lot of headache I figured out I can just create a single custom rule for any application based on the current IP of your VPN. This of course has the disadvantage of having to alter the custom rule if the IP changes.

    Here is what worked for me creating a custom rule for an application

    Action: Block
    Protocol: IP
    Direction: In or Out
    Source Address: Any Address
    Destination Address: Any Address

    * Check exclude
    Type: Single IPv4
    IP: You current IP address assigned by your VPN

    1. Hi Reed,

      Thanks for the comments, and I am sorry that you had such trouble. The tutorial was correct I wrote it, but I am aware that Comodo has updated its software since then. When I have a little time I will take a look and make any changes necessary to this tutorial, but in the meantime I hope the results of your headache will be useful to other readers.

      1. Tried out Reed’s fix. It doesn’t seem to work for me. Applying this single rule blocks my uTorrent access.

        Hope you come up with an updated tutorial soon – the information here is fabulous and I’ve learned a lot!

        1. Hi JDawg,

          Given the interest this article seems to be generating, look out for an updated version in the next week or so…

      2. Thanks Douglas and Reed, this works great for me.
        A workaround if your local VPN IP changes is to just use an IP range.
        Usually you’ll be on 10.x.x.x
        So I found that using the range: 10.0.0.0 to 10.255.255.255 should work just fine for every case.

  20. This method seems the best, by far, seeing as it allows the freedom of as many individual internet (vs program) kill switches as you desire! But, I’m curious as to how I could alert myself that my vpn (or torrent connection) has gone down, while away from my pc.

    I’ve heard some users mention Push bullet for this. What are your thoughts?

    1. Hi Niaz,

      Almost every VPN client (including the generic open source ones) will display a different notification icon when connected and when not connected (usually green for connected, red for disconnected). If a VPN goes down when you are away from your computer, it should therefore be easy to tell this at a glance as soon as you return to your computer.

      If you want a notification sent to your phone so that you know instantly, I do not know of a solution (I am not familiar with Pushbullet, but browsing the website I do not think this is the answer, as it just sends phone notifications to your browser, and allows you to send files from your computer to your phone).

      If your main interest is torrents and you have an Android phone, then µTorrent Remote (https://play.google.com/store/apps/details?id=com.utorrent.web) allows you access and remotely control your µTorrent downloads on your home computer from your phone (and will allow you see that uTorrent has stopped downloading)…

  21. Hi Douglas,

    Thanks for the post very helpful! It didn’t initially work for me as my VPN adapter didn’t show a physical address (not sure why? I’m just using windows 7 VPN settings) so I turned the rules around. Create one allow all in & out and then block in from my mac address to any and from any to the mac address. Not sure if that caries additional risk because i’m allowing all connections for that particular program? Otherwise i’m not sure how to find the right physical address? Would love to hear from you, thanks.

    Alex

    1. Hi Alex,

      I’m pretty sure that the ipconfig command works just the same in Win7 as in Win8.1, although I do not have a Win7 computer to hand to check this. If you would like to send a screenshot of your ipconfig results to douglascr@wford.co.uk, I can have a quick look to make sure that you are not missing something.

      As for the firewall rules – I think you have it all wrong (although I may very well be getting confused or misunderstanding you). The idea is to block all traffic that does not go through your VPN – without knowing your VPN Mac address I don’t see how this is possible. Simple test – does a program connect to the internet only when VPN is running properly? If so, then there should be no additional security risks.

  22. This Comodo Firewall method only stops connections going in and out of the specified program except through your VPN, correct?
    I does not, on the other hand, close any sort of application you’ve selected to filter. I.E. Your torrent application will stay running but will not have any active connections.

    1. Hi Jill,

      That is correct. If you want to actually close a program when your VPN connection drops then you can use something like VPNetMon (bestvpncom.wpengine.com/blog/5142/5-ways-to-protect-yourself-when-your-vpn-connection-fails/) or VPNWathcher (bestvpncom.wpengine.com/blog/8662/protect-vpn-disconnects-vpn-watcher-review/).

Leave a Reply

Your email address will not be published. Required fields are marked *