How to Build your own VPN kill switch in Windows using Comodo

Many people use the best VPN services to protect themselves from copyright enforcement bullies, but a perennial danger when doing so is of the VPN connection going down, leaving BitTorrent traffic exposed for the world to see.

Some VPN providers, such as Private Internet Access , Mullvad , and VPNArea , (for the best VPN in 2018 check out our VPN reviews) include an internet kill switch in their VPN clients (VPNArea even includes a per-app kill switch), and we have discussed other third party solutions to the problem before.

There is however, another more direct way to - roll your own kill switch (either global, or per-app) using a Firewall.

Using the built-in Windows Firewall

In Windows 7 it is quite easy to set up a kill switch using the built-in Firewall.

In Windows 8.x things are trickier because the Network and Sharing Center does not allow you to change Network type from Home to Public. We also could not get Windows 8.1 to display our OpenVPN connection in the Network and Sharing Center.

The first problem can be solved by following these instructions, and should work fine for PPTP and L2TP connections. We were unable to resolve the second however, so we turned to Comodo Firewall.

The rest of this tutorial assumes that you are using OpenVPN (it shouldn't matter whether via a custom VPN client or the basic open source one).

Using Comodo Firewall

Comodo Firewall is a free stand-alone Firewall, that unlike the basic Windows one, which only monitors incoming connections, also monitors all outgoing connections (very useful for blocking viruses that have infected a computer from ‘dialing out’, and commercial software that likes to ‘call home’ from verifying its authenticity).

Comodo Firewall can be downloaded from here. For the process below to work, you will need to disable Windows Firewall once Comodo is installed.

1. Establish your VPN’s physical address

With your OpenVPN connection up and running,  Start -> type ‘CMD’. Type ipconfig /all at the command prompt and scroll through until you see the section labeled TAP-Win32 (or TAP-Windows Adapter). Note the Physical Address, and keep the window open for reference.


cmd

2. Create a new Network Zone.

a)      Start Comodo Firewall and head for Advanced view (icon on the top left) -> Firewall -> Network Zones. Click on the little arrow at the bottom of the Comodo window, and select Add -> New Network Zone


comodo 1

b)      Give your new zone an appropriate name, and click OK.


comodo 2

c)       Select your new network created zone, Add -> New Address


comodo 3

d)      Select Type: Mac Address, and enter the Physical Address you noted in Step 1. Click OK.


comodo 4

3. Make a Ruleset

a)      Navigate in Comodo to Firewall -> Rulesets, and click ‘Add’.


comodo 5

b)      Name the new Ruleset, and click Add.


comodo 6

c)   Select the following settings:

  • Action: Block
  • Protocol: IP
  • Direction: In or Out
  • Source Address: Any Address
  • Destination Address: Any Address


comodo 7

Click OK.

d)      Create another two rules with the following settings:

  • Action: Allow
  • Protocol: IP
  • Direction: Out
  • Source Address: Network zone / your zone
  • Destination Address: Any Address

e)      Repeat again with the following settings:

  • Action: Allow
  • Protocol: IP
  • Direction: In
  • Source Address: Any Address
  • Destination Address: Network Zone / your newly created network zone (in our example VPN Zone)

You should now see 3 lines in your Custom Ruleset - 2 green ones, followed by 1 red one (in the order shown below) - the order in which these rules appear is important, as it is the order in which they are applied. You can change the order by dragging the rules with your mouse, or by selecting a rule and using 'Move Up' or 'Move Down' from the menu (arrow at the bottom).


comodo 8

4. Apply rule to programs

a)      Navigate to Firewall -> Application Rules, and either find the application you want to force to use VPN (if there is already a Firewall rule set for it), or ‘Add’ a new one (click the arrow at bottom of the window for fly-up menu).


comodo 9

b)     ‘Browse’ to location of the program to wish use (using any the File Groups or Running Processes filter)

c)      Click the ‘Use Ruleset’ radio button, and select your VPN Ruleset. Click ok. Here we have applied the Ruleset to Google Chrome, but it can also be applied to programs such uTorrent.

5. Test the application to make sure everything works.

We found a re-boot of the PC was required.

Global Kill Switch

You can instead keep things simple, and elect to set a ‘Global’ kill switch, which will cut of all your PC’s internet access when not connected to your VPN. To do this, navigate to Firewall -> Global Rules, and Add the same 3 rules we discussed in Step 3 ‘Make a Ruleset’. These may conflict with existing Firewall rules, some of which may have to be removed (a bit of trial and error may be needed here).

For more information about staying secure online take a look at our best vpn for windows 10 guide.

Written by: Douglas Crawford

Has worked for almost six years as senior staff writer and resident tech and VPN industry expert at ProPrivacy.com. Widely quoted on issues relating cybersecurity and digital privacy in the UK national press (The Independent & Daily Mail Online) and international technology publications such as Ars Technica.

104 Comments

  1. Thomas

    on July 2, 2019
    Reply

    Fantastic thorough article Douglas! Thank you so much for sharing this However I am wondering if there might not be one small weakness? By allowing a DNS server outside the VPN connection to resolve the VPN IP:s, do you not at the same time also create a small possibility for DNS leaks. Because if the VPN is disconnected then all programs are blocked like they should but the DNS server can still reach internet. Which means if you are in moment of trying to access a website when the VPN disconnects, that DNS query will be sent outside your VPN connection if you are not fast to recognize that the VPN is disconnected. Or this could leak information if you have programs running in the background like Torrents that continue to try to make DNS queries when the VPN is disconnected, which will then leak to the ISP. What do you think, maybe I have overlooked something?

    1. Douglas Crawford replied to Thomas

      on July 3, 2019
      Reply

      Hi Thomas, This setup blocks all internet connections outside of the VPN interface. This should include DNS queries, which will be routed through the VPN tunnel to be handled by the VPN provider. It should also include any torrent connections as DNS queries are only made when you attempt to contact an IP address. What it does not claim to provide is DNS leak protection when the VPN is working. Most clients these days have good IPv4 leak protection built-in anyway, although Ipv6 leak protection is often less robust. It is, therefore, a good idea to disable IPv6 in Windows as a precautionary measure.

      1. Thomas replied to Douglas Crawford

        on July 3, 2019
        Reply

        Ok I think I understand now. Thanks for the quick reply! But if also DNS is blocked outside the VPN interface, how is it possible to connect to the VPN in the first place? I imagine one must setup the VPN software to connect to a specific direct IP of the VPN (instead of telling it to make a DNS lookup for e.g. "servers.bestvpn.com" to find an IP to connect to)?

        1. Douglas Crawford replied to Thomas

          on July 5, 2019
          Reply

          Hi Thomas. Hmm. Good point, and to be honest I'm not sure. Its been a while since I had this setup in place and I was using a custom VPN client which probably connected directly to server IP addresses rather than server names. So as you say, DNS lookup shouldn't have been needed.

  2. Ciaran Farrell

    on May 10, 2018
    Reply

    This has worked well for me for a while but has stopped working in the last few days :( Any idea how to get it working again? Or of an alternative method?

  3. Bob Dye

    on April 9, 2018
    Reply

    Marcus, thanks for the article. I'm an old newbie, 79 years. I've set it up as you describe. After the reboot Comodo is running but I don't know how to check to see if it's working. Can/will you walk me through those steps. Using win 10 pro

    1. Douglas Crawford replied to Bob Dye

      on April 16, 2018
      Reply

      Hi Bob, I think you mean Douglas! :). To check the firewall is working simply turn off your VPN. You _should_ be unable to access the internet until you turn it on again.

  4. Josh

    on October 21, 2017
    Reply

    step 2d i must mark - exclude mac address, if i dont mark exclude, killswitch working on my normal connection, when i connect to vpn, all traffic is blocked. Im using windows on oracle system connected via L2TP protocol to my vps linux server, strange because this mac address is my mac address, when i check ipconfig /all with vpn connection i got the same mac address when i checking without vpn connection. Very strange..... i lost some hours to find wheres i make mistake, try everything. It just one option - exclude. But how this now works when i block my mac address on my non vpn connection :D

Write Your Own Comment

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

  Your comment has been sent to the queue. It will appear shortly.