How to Build A VPN Kill Switch On Windows Using Comodo

Many people use the best VPN services to protect themselves while they're using P2P services such as BitTorrent, but a perennial danger when doing so is that your VPN connection might go down, leaving your real-world details exposed for the world to see.

Some VPN providers, such as Private Internet Access, Mullvad, and VPNArea, (for the best VPN in 2018 check out our VPN reviews) include an internet kill switch in their VPN clients (VPNArea even includes a per-app kill switch), and we have discussed other third-party solutions to the problem before.

There is, however, another more direct way to - roll your own VPN kill switch (either global, or per-app) using a Firewall.

Using the built-in Windows Firewall

In Windows 7 it is quite easy to set up a kill switch using the built-in Firewall.

In Windows 8.x things are trickier because the Network and Sharing Center does not allow you to change Network type from Home to Public. We also could not get Windows 8.1 to display our OpenVPN connection in the Network and Sharing Center.

The first problem can be solved by following these instructions, and should work fine for PPTP and L2TP connections. We were unable to resolve the second, however, so we turned to Comodo Firewall.

The rest of this tutorial assumes that you are using OpenVPN (it shouldn't matter whether via a custom VPN client or the basic open source one).

Using Comodo Firewall

Comodo Firewall is a free stand-alone Firewall, that unlike the basic Windows one, which only monitors incoming connections, also monitors all outgoing connections (very useful for blocking viruses that have infected a computer from ‘dialing out’, and commercial software that likes to ‘call home’ from verifying its authenticity).

Comodo Firewall can be downloaded from here. For the process below to work, you will need to disable Windows Firewall once Comodo is installed.

1. Establish your VPN’s physical address

With your OpenVPN connection up and running, Start -> type ‘CMD’. Type ipconfig /all at the command prompt and scroll through until you see the section labeled TAP-Win32 (or TAP-Windows Adapter). Note the Physical Address, and keep the window open for reference.

using command line prompt to establish VPN IP address

2. Create a new Network Zone.

a) Start Comodo Firewall and head for Advanced view (icon on the top left) -> Firewall -> Network Zones. Click on the little arrow at the bottom of the Comodo window and select Add -> New Network Zone

advanced settings in the comodo firewall

b) Give your new zone an appropriate name, and click OK.

naming zone name in comodo

c) Select your new network created zone, Add -> New Address

selecting the new zone network and adding a new address

d) Select Type: Mac Address and enter the Physical Address you noted in Step 1. Click OK.

comodo address dropdown with MAC Address the selected option

3. Make a Ruleset

a) Navigate in Comodo to Firewall -> Rulesets, and click ‘Add’.

comodo rule sheet creating a set of rules for the computer

b)Name the new Ruleset, and click Add.

VPN zone ruleset with arrow pointing to "add" to add a new rule

c)Select the following settings:

Action: Block
Protocol: IP
Direction: In or Out
Source Address: Any Address
Destination Address: Any Address

firewall rule source address type dropdown box

Click OK.

d) Create another two rules with the following settings:

Action: Allow
Protocol: IP
Direction: Out
Source Address: Network zone / your zone
Destination Address: Any Address

e) Repeat again with the following settings:

Action: Allow
Protocol: IP
Direction: In
Source Address: Any Address
Destination Address: Network Zone / your newly created network zone (in our example VPN Zone)

You should now see 3 lines in your Custom Ruleset - 2 green ones, followed by 1 red one (in the order shown below) - the order in which these rules appear is important, as it is the order in which they are applied. You can change the order by dragging the rules with your mouse, or by selecting a rule and using 'Move Up' or 'Move Down' from the menu (arrow at the bottom).

use a custom rule sheet option ticked with three rules

4. Apply rule to programs

a) Navigate to Firewall -> Application Rules, and either find the application you want to force to use VPN (if there is already a Firewall rule set for it), or ‘Add’ a new one (click the arrow at bottom of the window for fly-up menu).

comodo 9

b) ‘Browse’ to location of the program to wish use (using any the File Groups or Running Processes filter)

c) Click the ‘Use Ruleset’ radio button and select your VPN Ruleset. Click ok. Here we have applied the Ruleset to Google Chrome, but it can also be applied to programs such uTorrent.

5. Test the application to make sure everything works.

We found a re-boot of the PC was required.

Useful Guides

ARCTIC Overview & Accelero Hybrid III Review

The Ultimate Ethereum Mining Guide (All Operating Systems)

How to easily setup an Ethereum Mining rig with gpuShack

Global Kill Switch

You can instead keep things simple, and elect to set a ‘Global’ kill switch, which will cut off all your PC’s internet access when not connected to your VPN. To do this, navigate to Firewall -> Global Rules, and Add the same 3 rules we discussed in Step 3 ‘Make a Ruleset’. These may conflict with existing Firewall rules, some of which may have to be removed (a bit of trial and error may be needed here).

For more information about staying secure online, take a look at our best VPN for windows 10 guide.

charl van der merwe

on May 24, 2020

Great article, the only hiccup was remembering to add the VPN connection to dial out on the first try, once that rule is in place it worked

Thomas

on July 2, 2019

Fantastic thorough article Douglas! Thank you so much for sharing this However I am wondering if there might not be one small weakness? By allowing a DNS server outside the VPN connection to resolve the VPN IP:s, do you not at the same time also create a small possibility for DNS leaks. Because if the VPN is disconnected then all programs are blocked like they should but the DNS server can still reach internet. Which means if you are in moment of trying to access a website when the VPN disconnects, that DNS query will be sent outside your VPN connection if you are not fast to recognize that the VPN is disconnected. Or this could leak information if you have programs running in the background like Torrents that continue to try to make DNS queries when the VPN is disconnected, which will then leak to the ISP. What do you think, maybe I have overlooked something?

Douglas Crawford replied to Thomas

on July 3, 2019

Hi Thomas, This setup blocks all internet connections outside of the VPN interface. This should include DNS queries, which will be routed through the VPN tunnel to be handled by the VPN provider. It should also include any torrent connections as DNS queries are only made when you attempt to contact an IP address. What it does not claim to provide is DNS leak protection when the VPN is working. Most clients these days have good IPv4 leak protection built-in anyway, although Ipv6 leak protection is often less robust. It is, therefore, a good idea to disable IPv6 in Windows as a precautionary measure.

Thomas replied to Douglas Crawford

Ok I think I understand now. Thanks for the quick reply! But if also DNS is blocked outside the VPN interface, how is it possible to connect to the VPN in the first place? I imagine one must setup the VPN software to connect to a specific direct IP of the VPN (instead of telling it to make a DNS lookup for e.g. "servers.bestvpn.com" to find an IP to connect to)?

on July 5, 2019

Hi Thomas. Hmm. Good point, and to be honest I'm not sure. Its been a while since I had this setup in place and I was using a custom VPN client which probably connected directly to server IP addresses rather than server names. So as you say, DNS lookup shouldn't have been needed.

Ciaran Farrell

on May 10, 2018

This has worked well for me for a while but has stopped working in the last few days :( Any idea how to get it working again? Or of an alternative method?

Bob Dye

on April 9, 2018

Marcus, thanks for the article. I'm an old newbie, 79 years. I've set it up as you describe. After the reboot Comodo is running but I don't know how to check to see if it's working. Can/will you walk me through those steps. Using win 10 pro

Douglas Crawford replied to Bob Dye

on April 16, 2018

Hi Bob, I think you mean Douglas! :). To check the firewall is working simply turn off your VPN. You _should_ be unable to access the internet until you turn it on again.