How to safeguard PPTP connection - Windows 7?
This can be achieved by configuring a firewall to allow only connections to the VPN provider's IP and/or the TCP port 1723 and the UDP port 47.
If you're using several VPN providers, port-based blocking is easier. If not, IP-based blocking is more secure. In any case, you can use both.
For example, you can configure Windows Firewall to do this:
Let's assume you're using
superfreevpn.com
(69.60.121.29
).Connect to the Internet and your VPN.
Press Win + R and execute
control /name Microsoft.NetworkandSharingCenter
.In View your active connections, click the link Home/Work/Public Network below your Internet connection and choose Public network.
In View your active connections, click the link Home/Work/Public Network below your VPN connection and choose Work network.
Press Win + R and execute
WF.msc
.-
In Windows Firewall with Advanced Security on Local Computer, click Action, then Properties, go to the Private Profile tab and set the following:
Firewall state: On (recommended) Inbound connections: Block all connections Outbound connnections: Allow (default)
-
Port-based
-
In Outbound Rules, click Action, then New Rule... and select the following:
Port TCP Specific remote ports: 1-1722, 1724-65535 Block the connection Public Public TCP
-
In Outbound Rules, click Action, then New Rule... and select the following:
Port UDP Specific remote ports: 1-46, 48-65535 Block the connection Public UDP
IP-based
-
In Outbound Rules, click Action, then New Rule... and select the following:
Custom All programs Any Any IP address These IP adresses Add This IP address range -> From: 0.0.0.0 To: 69.60.121.28 Add This IP address range -> From: 69.60.121.30 To: 255.255.255.255 Block the connection Public Non-VPN
-
-
Since we've blocked all non-VPN DNS queries now,
superfreevpn.com
won't get resolved.Either modify your VPN connection by replacing the hostname by its IP, or add the following line to
%windir%\system32\drivers\etc\hosts
:69.60.121.29 superfreevpn.com
Loosely adapted from How to configure firewall such that when VPN disconnects, all browsing stops.
A slight addition to the excellent answer by Dennis: if your Internet connection is configured to use DHCP (as most are) you will not be able to get an IP address unless you exclude the DHCP server address and the broadcast address 255.255.255.255.
Run ipconfig /all
(while DHCP still works) to find the address of your DHCP server. Let's say it's 192.168.2.1
and the VPN server is 69.60.121.29
, as in Dennis's example. You would then configure blocking for the following IP ranges:
From 0.0.0.0 to 69.60.121.28
From 69.60.121.30 to 192.168.1.255
From 192.168.2.2 to 255.255.255.254
As a temporary workaround you could also disable the outbound firewall rule that blocks everything. That's handy if you've already "lost" your IP address and don't know the address of your DHCP server.
(Credit to Marcks Thomas for the original answer. I'm just adding it to this question in case other users run into the same problem.)
Another, unrelated addition: it may be a good idea to disable network discovery and file and printer sharing for Home/Work networks if you follow the steps above, given that you've configured the entire Internet as your "Work" network. You can do this under Network and Sharing Centre, Change advanced sharing settings.