Author Topic: SOLVED: App to Stop "All" Network Traffic Until My VPN Connects  (Read 5804 times)
coll4pqv
« on: June 28, 2012, 12:00:07 PM »

Hello to all.

As far as I know, what I want doesn't exist.  But I could be wrong.  In any event, I'm excited about seeing someone here develop an easy-to-use app that will do what I want without being complicated or otherwise being a drain on PC resources.

Now, I myself don't code, as may be obvious, but would like to.  In fact, I'd love to "sit in" with the programmer and see if I can learn some basic programming.  If this is possible, and it wouldn't be too cumbersome, I'm certainly willing.

Anyway, here's the deal.

I use a personal VPN application (the one from Witopia, using OpenVPN) and find that applications on my PC (anti-virus looking for updates, DNS Crypt by OpenDNS, etc.) are gaining access to the network prior to my VPN connecting.  Additionally, I also find that these and other applications (Thunderbird, Firefox, etc.) are able to connect to the network if and when the VPN loses connectivity.

Witopia tells me that their product is doing what it's designed to do, but in so learning this I realize that the VPN is not doing for me all that I both expect and want, that being ALL traffic at ALL times being routed through the VPN.  And if the VPN is not connected, then nothing gets online.

So, what I'd like to find is an application that can, basically, block all internet traffic (internal to my network is fine) any time the VPN is not connected.

Now, having said that, there is, at least at this time, only one caveat to that.  Occasionally I will be at a location, typically a hotel/motel but even my company's own "Guest" network, which requires some authentication through a browser.  Obviously, if I'm having ALL network traffic blocked by this app I won't be able to authenticate.  So what I'm thinking would be nice is to have the app written in a way that would allow a specific browser (K-meleon, Maxthon, etc.) to have network connectivity without restriction.  So then, I'd use that browser to authenticate to that network, at which point my VPN would make its connection and then I'd be good to go.

Does that make sense?

Well, I guess at this point I sit back and see what feedback I get.  Also, if someone does know of an existing app that does what I need, or at least pretty close to it, or if there are some settings in Windows that I can enable/disable/whatever to accomplish what I want with ease, please do let me know.  I'll poke around the internet in the meantime and see what I can see.

Thanks so much for your consideration and I really look forward to this whole process.

Emma

jgpaiva
« Reply #1 on: June 28, 2012, 12:27:38 PM »

Even though I'm not an expert in the matter, this seems like the kind of stuff that exists already. Looks like an outgoing firewall which allows only VPN packets out would solve it. However, you would have to disable it when connecting at a browser-based authentication site.

Renegade
« Reply #2 on: June 28, 2012, 12:39:10 PM »

Even though I'm not an expert in the matter, this seems like the kind of stuff that exists already. Looks like an outgoing firewall which allows only VPN packets out would solve it. However, you would have to disable it when connecting at a browser-based authentication site.

I think I saw something on Torrent Freak about this, but I'm tired and need to get some sleep... Maybe someone can follow up...

Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker
coll4pqv
« Reply #3 on: June 28, 2012, 01:08:14 PM »

Even though I'm not an expert in the matter, this seems like the kind of stuff that exists already. Looks like an outgoing firewall which allows only VPN packets out would solve it. However, you would have to disable it when connecting at a browser-based authentication site.

I wondered about that myself as it would seem to be the ideal place to enable such restrictions.  I'll see what I can find; thanks.

magician62
« Reply #4 on: June 28, 2012, 01:36:31 PM »

I am not sure and am unable to check this, as at present I have no active VPN, but can you not just disable your existing connection in Network and Sharing Center and create the VPN connection? (Win 7)

coll4pqv
« Reply #5 on: June 28, 2012, 01:52:00 PM »

I am not sure and am unable to check this, as at present I have no active VPN, but can you not just disable your existing connection in Network and Sharing Center and create the VPN connection? (Win 7)

Well, if I'm understanding you correctly, this suggestion would be problematic if only because then I would have no connection from the applications/OS to the outside world as I've disabled all adapters except for the VPN connection.  Actually, Witopia, and presumably other VPN providers, install their own TAP-32 interface.  So the PC's adapters (whichever one I'm using; wireless or wired) would need to be enabled to connect to the TAP which then would connect to the network.  It simply appears that the TAP-32 (a Virtual Adapter) doesn't replace a PC's NICs but is nonetheless required to connect to the VPN.

coll4pqv
« Reply #6 on: June 28, 2012, 01:55:55 PM »

Here's what I'm thinking so far.

I use the Comodo firewall.  It has a lot of configuration options.  One of them is to allow connections from such-and-such "Source Address" to such-and-such "Destination Address."  These addresses can be MAC addresses.  So I'm wondering if I can tell each application that requires network access to connect using ONLY the MAC address of the TAP.  The problem I see at this point is that the TAP installed on my system does not have a MAC address, which tells me that one is not required.  So I wonder: could I just make up a MAC address for the TAP, just as long as it doesn't match one already on my network?

Thoughts?

PhilB66
« Reply #7 on: June 28, 2012, 06:15:10 PM »

Maybe this thread could be of help?

http://www.donationcoder....m/index.php?topic=25468.0

coll4pqv
« Reply #8 on: June 28, 2012, 06:36:00 PM »

Maybe this thread could be of help?

http://www.donationcoder....m/index.php?topic=25468.0

Sadly, no.

But I appreciate the effort.

4wd
« Reply #9 on: June 28, 2012, 06:39:33 PM »

This is what a firewall was made for:

1) Block everything outgoing unless the source IP is a VPN IP, (eg. 10.5.4.3 or 10.5.4.*)
2) Except for the VPN software and one browser, ie. source IP = *.*.*.*

Four wheel drive: Helping you get stuck faster, harder, further from help...........and it's no different on this forum Evil
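
Added example (not part of the original thread): a small Python model of the two firewall rules from Reply #9, plus the original poster's allowance for local-network traffic, run over constructed connection attempts. 10.5.4.* is the VPN range given in the post; the 192.168.1.0/24 LAN range and the program names are assumptions.

```python
import ipaddress

# 10.5.4.* is the example VPN range from Reply #9; the LAN range and the
# program names below are assumptions made for this illustration.
VPN_NET = ipaddress.ip_network("10.5.4.0/24")
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
EXEMPT_PROGRAMS = {"openvpn.exe", "k-meleon.exe"}  # VPN client + portal browser

def decide(program, src_ip, dst_ip):
    """Return (verdict, reason) for one outbound connection attempt."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if src in VPN_NET:                       # rule 1: traffic sent from the VPN address
        return "allow", "source is a VPN address"
    if program.lower() in EXEMPT_PROGRAMS:   # rule 2: exempt programs, any source IP
        return "allow", "exempt program"
    if dst in LAN_NET:                       # "internal to my network is fine"
        return "allow", "local network destination"
    return "block", "internet traffic outside the tunnel"

def audit(attempts):
    """Return (blocked programs, programs allowed out without the tunnel)."""
    blocked, outside_tunnel = [], []
    for program, src, dst in attempts:
        verdict, reason = decide(program, src, dst)
        if verdict == "block":
            blocked.append(program)
        elif reason == "exempt program":
            outside_tunnel.append(program)
    return blocked, outside_tunnel

# Constructed sample: (program, source IP, destination IP).
SAMPLE = [
    ("firefox.exe", "10.5.4.3", "203.0.113.10"),          # VPN up
    ("thunderbird.exe", "192.168.1.20", "203.0.113.25"),  # VPN down
    ("avupdate.exe", "192.168.1.20", "198.51.100.7"),     # before VPN connects
    ("openvpn.exe", "192.168.1.20", "198.51.100.50"),     # tunnel setup
    ("k-meleon.exe", "192.168.1.20", "203.0.113.80"),     # captive-portal login
    ("explorer.exe", "192.168.1.20", "192.168.1.5"),      # file share on the LAN
]

if __name__ == "__main__":
    blocked, outside = audit(SAMPLE)
    print("blocked:", blocked)
    print("allowed outside the tunnel:", outside)
```

The second list is the exposure that rule 2 leaves open: the exempted browser can reach the internet whether or not the VPN is connected, so it is best kept for the portal login only.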
coll4pqv
« Reply #10 on: June 28, 2012, 07:20:33 PM »

It looks like, as others have noted, the firewall is the place to do this.  So far I've successfully blocked two applications from getting online unless the VPN is connected.

Here's what I've done (for those who are interested).

The TAP-32 Virtual Adapter that's part of the VPN package comes with no MAC address.  So I figured I could give it one, just as long as it didn't match one already on the network.  Once I did that I went into my firewall configuration screens.  Using the Comodo firewall, I went into Network Security Policy and then Application Rules. 

I set the "Action" to "Block."
I set the "Protocol" to whatever was appropriate for a given application.
I set the "Direction" to "In/Out" as I figured that would cover all the bases.
I gave it an appropriate description, something like "Force <insert app name here> To Use TAP-32."
Under "Source Address" I enabled the "Exclude" option.
I set the "Type" to "MAC Address."
I set the "MAC Address" to the one I gave the TAP-32 adapter.
I then clicked "Apply" and then, on the next screen, "Ok."

I'll note that I did not change anything under the "Destination Address," "Source Port" and "Destination Port" options.

Before I tested this out, I disconnected the VPN (TAP-32 adapter), did a "ping" of Yahoo.com to verify connectivity and then tried to get these first two applications online.  Neither was able to connect.  Once I re-enabled the TAP-32 adapter, however, both were able to connect.

Sweet!

Now all I have to do is 1) identify all those applications for which I want to have internet access and, 2) identify which protocol they use to do so.

Now, I know that for most of you this isn't really that big of a deal.  But for an ol' fart like me, it's a big deal.

Thanks to all for reading and your feedback.  It was great to have a sounding board.

By the way, I want to be a programmer when I grow up!

Renegade
« Reply #11 on: June 28, 2012, 11:08:10 PM »

Here's the Torrent Freak link:

http://torrentfreak.com/h...-even-more-secure-120419/

I think that's what you're looking for.

coll4pqv
« Reply #12 on: June 29, 2012, 12:29:07 PM »

Here's the Torrent Freak link:

http://torrentfreak.com/h...-even-more-secure-120419/

I think that's what you're looking for.


Thanks, Renegade.

I downloaded it this morning while connected to my VPN but it said that I wasn't connected.  My PC has Vista and this developer's site didn't explicitly say it worked with Vista.  Still, I'll probably dink around with it some more and see what I can come up with.  But I'm not sure it will work as well as the firewall rules I created which were both time-consuming to make and a bit more technical than I think most users would prefer, although doing firewall rules isn't that bad.

It just seems to me that it wouldn't be that difficult to create a small app that can do exactly what I want, but then again, I'm not a programmer.

Thanks again for the link.

4wd
« Reply #13 on: June 29, 2012, 07:14:08 PM »

If you were willing to pay for it, Windows7FirewallControl (works on XP->8) allows you to create 'Security Zones'.

So you could just create a zone that encompasses source IPs that match your VPN IP allocation, then you just select Allow VPN zone only for any programs accessing the network.

Haven't used Comodo in a long time but it may have something similar - a lot easier than having to specify MAC addresses.
« Last Edit: July 14, 2012, 09:08:19 PM by 4wd »

coll4pqv
« Reply #14 on: July 04, 2012, 12:58:01 PM »

I've been learning about and configuring Comodo to do what I want.  It works...sorta.  More reading....  :-)

Renegade
« Reply #15 on: July 04, 2012, 01:05:48 PM »

Check out using OpenVPN rather than PPTP. Some VPN service providers support that. I just stuck it on my Mac and seems to be pretty good. You can configure a fair bit, but the firewall thing and TF link are probably still needed.

coll4pqv
« Reply #16 on: July 14, 2012, 01:02:21 PM »

Just a "final" quick note to say thanks to everyone for the input.  I'm continuing to configure Comodo Firewall with (what appear to be) the appropriate settings and so it's working fine.  On a side note, Comodo Firewall does allow for exporting/importing the firewall's settings so I can create the rules I want and then export them, in this case to my laptop.

Thanks again for all the advice and recommendations.

skwire
« Reply #17 on: July 14, 2012, 01:08:38 PM »

Thanks for the update.  I'll mark this thread as solved.  =]