VPN – How to safeguard a PPTP connection – Windows 7?

There is a computer connecting to a VPN. The network should remain offline if the machine can’t reconnect to the VPN. It should never use the normal connection, only the VPN one.

Is there a way to set this behaviour up?
The machine is used locally, so there is no need to reach it from the network or anything.  

Client OS: Windows 7 Professional x64 SP1

Solution:

This can be achieved by configuring a firewall to allow only connections to the VPN provider’s IP and/or the TCP port 1723 and the UDP port 47.

If you’re using several VPN providers, port-based blocking is easier. If not, IP-based blocking is more secure. In any case, you can use both.

For example, you can configure Windows Firewall to do this:

  1. Let’s assume you’re using superfreevpn.com (69.60.121.29).

  2. Connect to the Internet and your VPN.

  3. Press Win + R and execute control /name Microsoft.NetworkandSharingCenter.

  4. In View your active connections, click the link Home/Work/Public Network below your Internet connection and choose Public network.

  5. In View your active connections, click the link Home/Work/Public Network below your VPN connection and choose Work network.

  6. Press Win + R and execute WF.msc.

  7. In Windows Firewall with Advanced Security on Local Computer, click Action, then Properties, go to the Private Profile tab and set the following:

     Firewall state:         On (recommended)
     Inbound connections:    Block all connections
     Outbound connections:   Allow (default)

  8. Port-based

    • In Outbound Rules, click Action, then New Rule… and select the following:

      Rule Type:           Port
      Protocol:            TCP
      Ports:               Specific remote ports: 1-1722, 1724-65535
      Action:              Block the connection
      Profile:             Public
      Name:                Public TCP

    • In Outbound Rules, click Action, then New Rule… and select the following:

      Rule Type:           Port
      Protocol:            UDP
      Ports:               Specific remote ports: 1-46, 48-65535
      Action:              Block the connection
      Profile:             Public
      Name:                UDP

    IP-based

    • In Outbound Rules, click Action, then New Rule… and select the following:

      Rule Type:           Custom
      Program:             All programs
      Protocol type:       Any
      Local IP address:    Any IP address
      Remote IP address:   These IP addresses
                           Add -> This IP address range -> From: 0.0.0.0      To: 69.60.121.28
                           Add -> This IP address range -> From: 69.60.121.30 To: 255.255.255.255
      Action:              Block the connection
      Profile:             Public
      Name:                Non-VPN
  9. Since we’ve blocked all non-VPN DNS queries now, superfreevpn.com won’t get resolved.

    Either modify your VPN connection by replacing the hostname with its IP, or add the following line to %windir%\system32\drivers\etc\hosts:

    69.60.121.29    superfreevpn.com

Loosely adapted from How to configure firewall such that when VPN disconnects, all browsing stops.
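The same "nothing but the VPN" policy as a script, added here as an example and not part of the original answer. It uses netsh advfirewall because that is what Windows 7 ships (the NetSecurity cmdlets such as New-NetFirewallRule only arrived with Windows 8), and it is written for PowerShell 2.0. One caveat worth knowing before you build rules by hand: PPTP carries its data channel over GRE, which is IP protocol 47, not a UDP port. In the GUI recipe above GRE still gets through only because the block rules match just TCP and UDP while outbound defaults to Allow; the exemption for UDP port 47 is not what keeps the tunnel alive. The script therefore takes the default-deny route instead: the Public profile (the physical uplink) blocks all outbound traffic, and exactly two flows to the VPN server are allowed, TCP 1723 and protocol 47. The server address and hostname reuse the page's example values; the rule names are invented here.

```powershell
# Added example (not from the original answer). Run from an elevated PowerShell prompt
# on Windows 7; requires only netsh advfirewall, which ships with the OS.
#
# Assumptions: $VpnServer / $VpnHost reuse the page's example values, and the
# rule names below are invented and only need to be unique on this machine.

param(
    [string]$VpnServer = "69.60.121.29",
    [string]$VpnHost   = "superfreevpn.com"
)

$RuleControl = "VPN-only-PPTP-TCP1723"   # PPTP control channel rule
$RuleData    = "VPN-only-PPTP-GRE47"     # PPTP data channel (GRE) rule

function Set-VpnOnlyFirewall {
    param([string]$Server)

    # Public profile = the physical uplink: inbound blocked, outbound blocked by default,
    # so the box is offline whenever the tunnel is down. The comma-separated policy
    # value is quoted because PowerShell would otherwise split it into two arguments.
    netsh advfirewall set publicprofile state on | Out-Null
    netsh advfirewall set publicprofile firewallpolicy "blockinboundalways,blockoutbound" | Out-Null

    # Private profile = the VPN adapter ("Work network" in the GUI): inbound blocked,
    # outbound allowed, i.e. traffic inside the tunnel is unrestricted.
    netsh advfirewall set privateprofile state on | Out-Null
    netsh advfirewall set privateprofile firewallpolicy "blockinboundalways,allowoutbound" | Out-Null

    # netsh creates duplicates on every run; delete earlier copies so re-running is idempotent.
    foreach ($name in @($RuleControl, $RuleData)) {
        netsh advfirewall firewall delete rule "name=$name" | Out-Null
    }

    # Allow the PPTP control channel, TCP 1723, only to the VPN server.
    netsh advfirewall firewall add rule "name=$RuleControl" dir=out action=allow `
        profile=public protocol=tcp "remoteip=$Server" remoteport=1723 | Out-Null

    # Allow the PPTP data channel: GRE is IP protocol 47, given to netsh as a number.
    netsh advfirewall firewall add rule "name=$RuleData" dir=out action=allow `
        profile=public protocol=47 "remoteip=$Server" | Out-Null
}

function Add-VpnHostsEntry {
    param([string]$Server, [string]$HostName)
    # With DNS blocked on the uplink the provider's hostname can no longer be resolved,
    # so pin it in the hosts file (skipped if a matching line is already present).
    $hosts   = Join-Path $env:windir "System32\drivers\etc\hosts"
    $pattern = "^\s*" + [regex]::Escape($Server) + "\s+" + [regex]::Escape($HostName)
    if (-not (Select-String -Path $hosts -Pattern $pattern -Quiet)) {
        Add-Content -Path $hosts -Value "$Server`t$HostName"
    }
}

function Test-VpnOnlyFirewall {
    # $true only if the Public profile is default-deny outbound and both allow rules
    # exist. Re-run this after reboots or updates to catch a silently reset policy.
    $pub = netsh advfirewall show publicprofile | Out-String
    $ok  = $pub -match "BlockOutbound"
    foreach ($name in @($RuleControl, $RuleData)) {
        $rule = netsh advfirewall firewall show rule "name=$name" | Out-String
        if ($rule -match "No rules match") { $ok = $false }
    }
    return $ok
}

Set-VpnOnlyFirewall -Server $VpnServer
Add-VpnHostsEntry   -Server $VpnServer -HostName $VpnHost
if (Test-VpnOnlyFirewall) { "VPN-only policy in place" } else { Write-Error "policy check failed" }
```

Two things to check after running it. With outbound set to block by default, anything else the uplink needs (typically a DHCP renewal) relies on the built-in Core Networking allow rules still being enabled in the Public profile; list them with `netsh advfirewall firewall show rule name=all` and add an explicit allow if one you need has been disabled. Also note that default-deny catches IPv6 as well as IPv4, which is a feature here: a PPTP tunnel carrying only IPv4 would otherwise leave any native IPv6 the uplink offers flowing around it.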