Douglas Crawford

Douglas Crawford

June 25, 2014

Many people use VPN to protect themselves from copyright enforcement bullies, but a perennial danger when doing so is of the VPN connection going down, leaving BitTorrent traffic exposed for the world to see.

Some VPN providers, such as Private Internet Access, Mullvad, and VPNArea, (for the best VPN in 2018 check out our VPN reviews) include an internet kill switch in their VPN clients (VPNArea even includes a per-app kill switch), and we have discussed other third party solutions to the problem before.

There is however, another more direct way to – roll your own kill switch (either global, or per-app) using a Firewall.

Using the built-in Windows Firewall

In Windows 7 it is quite easy to set up a kill switch using the built-in Firewall. BolehVPN has some excellent instructions for doing so here.

In Windows 8.x things are trickier because the Network and Sharing Center does not allow you to change Network type from Home to Public. We also could not get Windows 8.1 to display our OpenVPN connection in the Network and Sharing Center.

The first problem can be solved by following these instructions, and should work fine for PPTP and L2TP connections. We were unable to resolve the second however, so we turned to Comodo Firewall.

The rest of this tutorial assumes that you are using OpenVPN (it shouldn’t matter whether via a custom VPN client or the basic open source one).

Using Comodo Firewall

Comodo Firewall is a free stand-alone Firewall, that unlike the basic Windows one, which only monitors incoming connections, also monitors all outgoing connections (very useful for blocking viruses that have infected a computer from ‘dialing out’, and commercial software that likes to ‘call home’ from verifying its authenticity).

Comodo Firewall can be downloaded from here. For the process below to work, you will need to disable Windows Firewall once Comodo is installed.

1. Establish your VPN’s physical address

With your OpenVPN connection up and running,  Start -> type ‘CMD’. Type ipconfig /all at the command prompt and scroll through until you see the section labelled TAP-Win32 (or TAP-Windows Adapter). Note the Physical Address, and keep the window open for reference.

cmd

2. Create a new Network Zone.

a)      Start Comodo Firewall and head for Advanced view (icon on top left) -> Firewall -> Network Zones. Click on the little arrow at the bottom of the Comodo window, and select Add -> New Network Zone

comodo 1

b)      Give your new zone an appropriate name, and click OK.

comodo 2

c)       Select your newly network created zone, Add -> New Address

comodo 3

d)      Select Type: Mac Address, and enter the Physical Address you noted in Step 1. Click OK.

comodo 4

3. Make a Ruleset

a)      Navigate in Comodo to Firewall -> Rulesets, and click ‘Add’.

comodo 5

b)      Name the new Ruleset, and click Add.

comodo 6

c)   Select the following settings:

  • Action: Block
  • Protocol: IP
  • Direction: In or Out
  • Source Address: Any Address
  • Destination Address: Any Address

comodo 7

Click OK.

d)      Create anothother two rules with the following settings:

  • Action: Allow
  • Protocol: IP
  • Direction: Out
  • Source Address: Network zone / your zone
  • Destination Address: Any Address

e)      Repeat again with the following settings:

  • Action: Allow
  • Protocol: IP
  • Direction: In
  • Source Address: Any Address
  • Destination Address: Network Zone / your newly created network zone (in our example VPN Zone)

You should now see 3 lines in your Custom Ruleset – 2 green ones, followed by 1 red one (in the order shown below) – the order in which these rules appear is important, as it is the order in which they are applied. You can change the order by dragging the rules with your mouse, or by selecting a rule and using ‘Move Up’ or ‘Move Down’ from the menu (arrow at bottom).

comodo 8

4. Apply rule to programs

a)      Navigate to Firewall -> Application Rules, and either find the application you want to force to use VPN (if there is already a Firewall rule set for it), or ‘Add’ a new one (click arrow at bottom of window for fly-up menu).

comodo 9

b)     ‘Browse’ to location of the program to wish use (using any the File Groups or Running Processes filter)

c)      Click the ‘Use Ruleset’ radio button, and select your VPN Ruleset. Click ok. Here we have applied the Ruleset to Google Chrome, but it can also be applied to programs such uTorrent.

5. Test the application to make sure everything works.

We found a re-boot of the PC was required.

Global Kill Switch

You can instead keep things simple, and elect to set a ‘Global’ kill switch, which will cut of all your PC’s internet access when not connected to your VPN. To do this, navigate to Firewall -> Global Rules, and Add the same 3 rules we discussed in Step 3 ‘Make a Ruleset’. These may conflict with existing Firewall rules, some of which may have to be removed (a bit of trial and error may be needed here).

For more information about staying secure online take a look at our best vpn for windows 10 guide.

Douglas Crawford
July 17th, 2018

I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. You can now follow me on Twitter - @douglasjcrawf.

100 responses to “Build your own VPN kill switch in Windows using Comodo

  1. This has worked well for me for a while but has stopped working in the last few days 🙁

    Any idea how to get it working again? Or of an alternative method?

  2. Marcus, thanks for the article. I’m an old newbie, 79 years. I’ve set it up as you describe. After the reboot Comodo is running but I don’t know how to check to see if it’s working. Can/will you walk me through those steps. Using win 10 pro

    1. Hi Bob,

      I think you mean Douglas! :). To check the firewall is working simply turn off your VPN. You _should_ be unable to access the internet until you turn it on again.

  3. step 2d i must mark – exclude mac address, if i dont mark exclude, killswitch working on my normal connection, when i connect to vpn, all traffic is blocked.
    Im using windows on oracle system connected via L2TP protocol to my vps linux server, strange because this mac address is my mac address, when i check ipconfig /all with vpn connection i got the same mac address when i checking without vpn connection. Very strange….. i lost some hours to find wheres i make mistake, try everything. It just one option – exclude. But how this now works when i block my mac address on my non vpn connection 😀

  4. Hi

    Great article. However, I’m having some trouble with getting the setup to work. I want the global configuration, but when I enter the global rules you describe, my internet connection is dropped. Yes, dropped. I get a yellow warning triangle over the network icon. It works fine, as far as I can tell, for individual program. I even tried with adding the different vpn clients I have tried with as allowed programs but no change. Any ideas?

    1. Hi Marcus,

      Hmm. I don’t have Comodo setup now, and don’t really have time to set it up to have a look. Sorry! All I can say is that the Global kill switch definitely worked with these settings when I had it running…

    2. Hi again

      Finally got it to work. I assumed the results using Windows firewall would be in the same in 10 as in 8. Turned out this was not the case. Block all ingoing and outgoing connections for the private and domain network types, allow ingoing and outgoing connections for vpn client on all network types and voila.

      1. Hi Marcus,

        That’s cool. Thanks for sharing! In Windows 8.x it was not really possible because the Network and Sharing Center does not allow you to change Network type from Home to Public. I also could not get Windows 8.1 to display my OpenVPN connection in the Network and Sharing Center. Has this changed in Win10?

  5. Hi!

    Just tried this (Windows 10 Creators Update / Latest Comodo / my VPN provider) and it worked very well! Thanks for putting the guide out there and updated as well.

Leave a Reply

Your email address will not be published. Required fields are marked *