How to Build your own VPN kill switch in Windows using Comodo

Many people use the best VPN services to protect themselves from copyright enforcement bullies, but a perennial danger when doing so is of the VPN connection going down, leaving BitTorrent traffic exposed for the world to see.

Some VPN providers, such as Private Internet Access, Mullvad, and VPNArea, (for the best VPN in 2018 check out our VPN reviews) include an internet kill switch in their VPN clients (VPNArea even includes a per-app kill switch), and we have discussed other third party solutions to the problem before.

There is, however, a more direct way: roll your own kill switch (either global or per-app) using a firewall.

Using the built-in Windows Firewall

In Windows 7 it is quite easy to set up a kill switch using the built-in Firewall.

In Windows 8.x things are trickier because the Network and Sharing Center does not allow you to change Network type from Home to Public. We also could not get Windows 8.1 to display our OpenVPN connection in the Network and Sharing Center.

The first problem can be solved by following these instructions, and should work fine for PPTP and L2TP connections. We were unable to resolve the second, however, so we turned to Comodo Firewall.

The rest of this tutorial assumes that you are using OpenVPN (it shouldn't matter whether via a custom VPN client or the basic open source one).

Using Comodo Firewall

Comodo Firewall is a free stand-alone firewall that, unlike the basic Windows one (which only monitors incoming connections), also monitors all outgoing connections. This is very useful for stopping malware that has infected a computer from 'dialing out', and commercial software that likes to 'call home' to verify its authenticity.

Comodo Firewall can be downloaded from here. For the process below to work, you will need to disable Windows Firewall once Comodo is installed.

1. Establish your VPN adapter's physical (MAC) address

With your OpenVPN connection up and running, click Start and type 'CMD'. Type ipconfig /all at the command prompt and scroll through until you see the section labeled TAP-Win32 (or TAP-Windows Adapter). Note the Physical Address, and keep the window open for reference.


2. Create a new Network Zone.

a) Start Comodo Firewall and head for Advanced view (icon on the top left) -> Firewall -> Network Zones. Click on the little arrow at the bottom of the Comodo window and select Add -> New Network Zone.


b) Give your new zone an appropriate name, and click OK.


c) Select your newly created network zone, then Add -> New Address.


d) Select Type: MAC Address and enter the Physical Address you noted in Step 1. Click OK.


3. Make a Ruleset

a) Navigate in Comodo to Firewall -> Rulesets, and click 'Add'.


b) Name the new Ruleset, and click Add.


c) Select the following settings:

  • Action: Block
  • Protocol: IP
  • Direction: In or Out
  • Source Address: Any Address
  • Destination Address: Any Address


Click OK.

d) Create a second rule with the following settings:

  • Action: Allow
  • Protocol: IP
  • Direction: Out
  • Source Address: Network zone / your zone
  • Destination Address: Any Address

e) Then create a third rule with the following settings:

  • Action: Allow
  • Protocol: IP
  • Direction: In
  • Source Address: Any Address
  • Destination Address: Network Zone / your newly created network zone (in our example VPN Zone)

You should now see 3 lines in your Custom Ruleset: 2 green (Allow) rules followed by 1 red (Block) rule. The order in which these rules appear is important, as it is the order in which they are applied. You can change the order by dragging the rules with your mouse, or by selecting a rule and using 'Move Up' or 'Move Down' from the menu (arrow at the bottom).


4. Apply rule to programs

a) Navigate to Firewall -> Application Rules, and either find the application you want to force to use the VPN (if there is already a Firewall rule set for it), or 'Add' a new one (click the arrow at the bottom of the window for the fly-up menu).


b) 'Browse' to the location of the program you wish to use (or pick it using the File Groups or Running Processes filter).

c) Click the 'Use Ruleset' radio button and select your VPN Ruleset. Click OK. Here we have applied the Ruleset to Google Chrome, but it can also be applied to programs such as uTorrent.

5. Test the application to make sure everything works.

We found a re-boot of the PC was required.

Global Kill Switch

You can instead keep things simple, and elect to set a ‘Global’ kill switch, which will cut off all your PC’s internet access when not connected to your VPN. To do this, navigate to Firewall -> Global Rules, and Add the same 3 rules we discussed in Step 3 ‘Make a Ruleset’. These may conflict with existing Firewall rules, some of which may have to be removed (a bit of trial and error may be needed here).
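The same three-rule logic can be expressed for the built-in Windows Firewall (the first option the article mentions) from PowerShell. The following is an added example, not code from the article or from Comodo; it assumes the NetSecurity cmdlets shipped with Windows 8 / Server 2012 and later, an OpenVPN adapter whose interface description starts with 'TAP-Windows', and hypothetical program paths. It covers both the per-app ruleset of Steps 1 to 5 and the Global Kill Switch described above.

```powershell
# Added example (not from the original article or from Comodo): a VPN kill
# switch for the built-in Windows Firewall using the NetSecurity cmdlets.
# Run from an elevated PowerShell prompt. Assumptions: the OpenVPN virtual
# adapter carries 'TAP-Windows' in its interface description; every program
# path below is hypothetical; the rule-name prefix is our own.
#Requires -RunAsAdministrator

$RulePrefix = 'VPN Kill Switch'

function Get-VpnAdapter {
    # Step 1 equivalent: what 'ipconfig /all' lists as the TAP-Windows adapter.
    # Windows Firewall scopes rules by interface alias rather than by MAC, so the
    # alias is the value carried forward; the MAC is printed for cross-checking.
    $tap = Get-NetAdapter | Where-Object { $_.InterfaceDescription -like 'TAP-Windows*' } |
        Select-Object -First 1
    if (-not $tap) { throw 'No TAP-Windows adapter found; install/start the OpenVPN client first.' }
    Write-Host "VPN adapter '$($tap.Name)' has MAC $($tap.MacAddress)"
    return $tap
}

function Enable-PerAppKillSwitch {
    # Steps 3-4 equivalent for one program. Windows Firewall evaluates Block rules
    # before Allow rules and has no drag-to-reorder like Comodo, so instead of
    # "block all, then allow via VPN" the program is blocked on every adapter
    # except the TAP one. Adapters added later are not covered: re-run this.
    param(
        [Parameter(Mandatory)][string]$TapAlias,
        [Parameter(Mandatory)][string]$AppPath   # e.g. a torrent client's .exe (hypothetical)
    )
    $others = Get-NetAdapter | Where-Object { $_.Name -ne $TapAlias } |
        Select-Object -ExpandProperty Name
    $leaf = Split-Path -Leaf $AppPath
    New-NetFirewallRule -DisplayName "$RulePrefix - $leaf blocked off-VPN" `
        -Direction Outbound -Action Block -Program $AppPath `
        -InterfaceAlias $others -Profile Any | Out-Null
}

function Enable-GlobalKillSwitch {
    # 'Global Kill Switch' equivalent: nothing leaves the PC except through the
    # VPN adapter, plus the OpenVPN client itself, which must reach the VPN
    # server over the physical link.
    param(
        [Parameter(Mandatory)][string]$TapAlias,
        [string]$OpenVpnExe = 'C:\Program Files\OpenVPN\bin\openvpn.exe'   # hypothetical path
    )
    Set-NetFirewallProfile -All -DefaultOutboundAction Block
    New-NetFirewallRule -DisplayName "$RulePrefix - allow out via VPN" `
        -Direction Outbound -Action Allow -InterfaceAlias $TapAlias -Profile Any | Out-Null
    # Mirrors the article's third (Allow In to the VPN zone) rule; omit it if
    # you do not need inbound connections over the VPN.
    New-NetFirewallRule -DisplayName "$RulePrefix - allow in via VPN" `
        -Direction Inbound -Action Allow -InterfaceAlias $TapAlias -Profile Any | Out-Null
    New-NetFirewallRule -DisplayName "$RulePrefix - allow OpenVPN client" `
        -Direction Outbound -Action Allow -Program $OpenVpnExe -Profile Any | Out-Null
}

function Test-KillSwitch {
    # Step 5 equivalent: returns $false while the VPN is disconnected and $true
    # once it is up. Off-VPN, even the name lookup is blocked.
    param([string]$TargetHost = 'example.com')
    (Test-NetConnection -ComputerName $TargetHost -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
}

function Remove-KillSwitch {
    # Undo everything created above.
    Get-NetFirewallRule -DisplayName "$RulePrefix*" | Remove-NetFirewallRule
    Set-NetFirewallProfile -All -DefaultOutboundAction Allow
}

# Example usage (elevated prompt):
#   $tap = Get-VpnAdapter
#   Enable-PerAppKillSwitch -TapAlias $tap.Name -AppPath 'C:\Program Files\qBittorrent\qbittorrent.exe'
#   Test-KillSwitch    # $false with the VPN down, $true once it is up
```

With the global variant, DNS lookups made by the Windows DNS Client service are also blocked off-VPN, so the OpenVPN profile must name the server by IP address (the point raised in the comments) rather than rely on a hostname lookup. Run Test-KillSwitch once with the VPN disconnected and once with it connected before trusting the setup.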

For more information about staying secure online, take a look at our best VPN for windows 10 guide.

Written by: Douglas Crawford

Has worked for almost six years as senior staff writer and resident tech and VPN industry expert at ProPrivacy.com. Widely quoted on issues relating to cybersecurity and digital privacy in the UK national press (The Independent & Daily Mail Online) and international technology publications such as Ars Technica.

110 Comments

charl van der merwe, on May 24, 2020:
Great article. The only hiccup was remembering to add the VPN connection to dial out on the first try; once that rule is in place it worked.
Thomas, on July 2, 2019:
Fantastic thorough article Douglas! Thank you so much for sharing this. However, I am wondering if there might not be one small weakness? By allowing a DNS server outside the VPN connection to resolve the VPN IPs, do you not at the same time also create a small possibility for DNS leaks? Because if the VPN is disconnected then all programs are blocked like they should be, but the DNS server can still reach the internet. Which means if you are in the moment of trying to access a website when the VPN disconnects, that DNS query will be sent outside your VPN connection if you are not fast to recognize that the VPN is disconnected. Or this could leak information if you have programs running in the background like torrents that continue to try to make DNS queries when the VPN is disconnected, which will then leak to the ISP. What do you think, maybe I have overlooked something?
Douglas Crawford replied to Thomas, on July 3, 2019:
Hi Thomas, This setup blocks all internet connections outside of the VPN interface. This should include DNS queries, which will be routed through the VPN tunnel to be handled by the VPN provider. It should also include any torrent connections as DNS queries are only made when you attempt to contact an IP address. What it does not claim to provide is DNS leak protection when the VPN is working. Most clients these days have good IPv4 leak protection built-in anyway, although IPv6 leak protection is often less robust. It is, therefore, a good idea to disable IPv6 in Windows as a precautionary measure.
Thomas replied to Douglas Crawford, on July 3, 2019:
Ok I think I understand now. Thanks for the quick reply! But if DNS is also blocked outside the VPN interface, how is it possible to connect to the VPN in the first place? I imagine one must set up the VPN software to connect to a specific direct IP of the VPN (instead of telling it to make a DNS lookup for e.g. "servers.bestvpn.com" to find an IP to connect to)?
Douglas Crawford replied to Thomas, on July 5, 2019:
Hi Thomas. Hmm. Good point, and to be honest I'm not sure. It's been a while since I had this setup in place and I was using a custom VPN client which probably connected directly to server IP addresses rather than server names. So as you say, DNS lookup shouldn't have been needed.
Ciaran Farrell, on May 10, 2018:
This has worked well for me for a while but has stopped working in the last few days :( Any idea how to get it working again? Or of an alternative method?
Bob Dye, on April 9, 2018:
Marcus, thanks for the article. I'm an old newbie, 79 years. I've set it up as you describe. After the reboot Comodo is running but I don't know how to check to see if it's working. Can/will you walk me through those steps. Using Win 10 Pro.
Douglas Crawford replied to Bob Dye, on April 16, 2018:
Hi Bob, I think you mean Douglas! :). To check the firewall is working simply turn off your VPN. You _should_ be unable to access the internet until you turn it on again.