How to ensure all traffic from a Windows XP computer enters a PPTP VPN tunnel

[Updated 08/01/2011]: pptp.relakks.com has changed some IP addresses so the batch file has been updated accordingly

With all the discussions concerning net neutrality and internet service providers inserting advertisements into your web surfing sessions, it may be a good idea to not trust your internet service provider as much as you used to and instead make use of a VPN service.

In this article, Relakks is used as an example of a PPTP VPN provider.

The Windows XP firewall shipped with Service Pack 2 and newer allows incoming/outgoing traffic to be limited per process (although it seems 80/tcp, 443/tcp and 53/udp are allowed by default). When configuring rules at the network adapter level, only incoming traffic to a specific port can be allowed. The conclusion is that only incoming traffic can be configured/limited, not outgoing traffic (on a per IP address basis).

Although, at first glance, the tool ipseccmd.exe does not seem to provide IP address filtering, it can be used to do exactly that.
The tool is not available by itself but is provided in the Windows XP Service Pack 2 Support Tools package.

An example network setup:

  • Windows XP box connected to the router via Ethernet.
  • Playstation 3 connected via WLAN to the router.
  • Router connects to the internet via (A)DSL.
  • LAN is 192.168.1.0/24.
  • Windows XP has the Relakks VPN configured as described on the Relakks Homepage.


As long as the VPN tunnel is up everything is fine and all traffic enters/exits via the VPN provider. If the VPN tunnel is unavailable, down or re-establishing, you will be accessing the internet via your internet service provider and not via the VPN provider.

The following steps should ensure that the Windows XP machine only has a usable network connection when the VPN is up.
This will also ensure that the traffic coming from the PS3 is not affected in any way.

  • Install the IPSec Policy Agent service and enable it via the Services MMC snap-in
  • Install the Windows XP Service Pack 2 Support Tools
  • Wipe any IPSec policies that may have been added when enabling the IPSec Policy Agent
    using the following clean_policy.reg file: 

    Windows Registry Editor Version 5.00
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]
    
  • Reboot
  • Open cmd.exe (or Powershell) and use the command ‘ipseccmd.exe show filters’ to check that no filters are set
  • Execute the following vpnonly.bat script (if your local area network is 192.168.1.0/24, if not, change it accordingly!)
    
    rem Path to ipseccmd.exe from the Windows XP SP2 Support Tools and the name of the policy to create
    set cmd="C:\Program Files\Support Tools\IPSeccmd.exe"
    set filtername="Secure VPN"
    
    rem Remove any previously created dynamic policies before building the static policy (-w REG)
    %cmd% -u
    
    rem Allow traffic between this host (0) and the LAN on any interface; "+" makes the filter mirrored
    %cmd% -w REG -p %filtername% -r "Allow LAN access" -f 0+192.168.1.*:: -n PASS -x
    
    rem Allow traffic to every address pptp.relakks.com resolves to, so the tunnel can be established
    %cmd% -w REG -p %filtername% -r "Relakks 93.182.134.2"   -f 0+93.182.134.2::     -n PASS -x
    %cmd% -w REG -p %filtername% -r "Relakks 93.182.135.130" -f 0+93.182.135.130::   -n PASS -x
    %cmd% -w REG -p %filtername% -r "Relakks 93.182.135.2"   -f 0+93.182.135.2::     -n PASS -x
    %cmd% -w REG -p %filtername% -r "Relakks 93.182.136.130" -f 0+93.182.136.130::   -n PASS -x
    %cmd% -w REG -p %filtername% -r "Relakks 93.182.136.2"   -f 0+93.182.136.2::     -n PASS -x
    %cmd% -w REG -p %filtername% -r "Relakks 93.182.137.2"   -f 0+93.182.137.2::     -n PASS -x
    %cmd% -w REG -p %filtername% -r "Relakks 93.182.144.2"   -f 0+93.182.144.2::     -n PASS -x
    %cmd% -w REG -p %filtername% -r "Relakks 93.182.154.2"   -f 0+93.182.154.2::     -n PASS -x
    %cmd% -w REG -p %filtername% -r "Relakks 93.182.155.2"   -f 0+93.182.155.2::     -n PASS -x
    %cmd% -w REG -p %filtername% -r "Relakks 93.182.156.2"   -f 0+93.182.156.2::     -n PASS -x
    %cmd% -w REG -p %filtername% -r "Relakks 93.182.157.2"   -f 0+93.182.157.2::     -n PASS -x
    %cmd% -w REG -p %filtername% -r "Relakks 93.182.158.2"   -f 0+93.182.158.2::     -n PASS -x
    %cmd% -w REG -p %filtername% -r "Relakks 93.182.159.2"   -f 0+93.182.159.2::     -n PASS -x
    %cmd% -w REG -p %filtername% -r "Relakks 93.182.168.2"   -f 0+93.182.168.2::     -n PASS -x
    %cmd% -w REG -p %filtername% -r "Relakks 93.182.169.2"   -f 0+93.182.169.2::     -n PASS -x
    %cmd% -w REG -p %filtername% -r "Relakks 93.182.171.2"   -f 0+93.182.171.2::     -n PASS -x
    %cmd% -w REG -p %filtername% -r "Relakks 93.182.172.2"   -f 0+93.182.172.2::     -n PASS -x
    %cmd% -w REG -p %filtername% -r "Relakks 93.182.173.2"   -f 0+93.182.173.2::     -n PASS -x
    %cmd% -w REG -p %filtername% -r "Relakks 93.182.175.2"   -f 0+93.182.175.2::     -n PASS -x
    %cmd% -w REG -p %filtername% -r "Relakks 93.182.184.2"   -f 0+93.182.184.2::     -n PASS -x
    
    rem Anything sent over the dial-up (PPTP) interface, i.e. inside the tunnel, is allowed
    %cmd% -w REG -p %filtername% -r "Allow VPN Traffic" -f 0+*:: -n PASS -x -dialup
    
    rem Everything else leaving this host via the LAN adapter is blocked; "=" makes this a one-way filter
    %cmd% -w REG -p %filtername% -r "Deny Rule" -f 0=*:: -n BLOCK -x -lan
    
    

Although the above file seems to suggest the rules are applied in the order they are executed, this is not the case! The rules are scope-based and are applied from most specific to least specific, so the broad "Deny Rule" does not override the narrower LAN and Relakks rules. In the case of pptp.relakks.com, the hostname resolves to multiple IP addresses, which is why each of them needs its own rule.

To check whether the VPN end point resolves to multiple IP addresses, execute the following
command on a machine that has the ISC BIND (DNS) software installed:

$ dig +trace pptp.relakks.com

The rules should be active immediately. Try it out by accessing web sites. It should not work.
As soon as you start the VPN tunnel, you can access any service on the internet. Try it. It should work.
If you stop it again, you cannot access any internet service. Try it. It should fail.
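The following is an added example, not part of the original post: a small Python model of how the vpnonly.bat filter list is evaluated, using the post's rule that the most specific filter wins regardless of the order in which the rules were added. It reproduces the up/down behaviour described above (LAN and Relakks end points reachable, anything else blocked on the LAN adapter but allowed over the PPTP dial-up interface) and adds a check for resolved end point addresses the batch file does not yet cover. The specificity ranking and the lan/dialup semantics are assumptions made for this model, not a reimplementation of the Windows IPsec driver; the address list is a constructed subset of the one in the batch file.

```python
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")  # adjust to your own LAN, as the post says
# Constructed subset of the pptp.relakks.com addresses listed in vpnonly.bat
RELAKKS = ["93.182.134.2", "93.182.135.130", "93.182.135.2", "93.182.136.130"]

# (rule name, destination scope, interface type or None for any, action),
# mirroring the -r / -f / -lan|-dialup / -n arguments of the batch file
FILTERS = [("Allow LAN access", LAN, None, "PASS")]
FILTERS += [(f"Relakks {ip}", ip_network(f"{ip}/32"), None, "PASS") for ip in RELAKKS]
FILTERS += [("Allow VPN Traffic", ip_network("0.0.0.0/0"), "dialup", "PASS"),
            ("Deny Rule", ip_network("0.0.0.0/0"), "lan", "BLOCK")]


def specificity(rule):
    """Assumed ranking: longer destination prefix first, interface-bound rule before 'any'."""
    _, scope, iface, _ = rule
    return (scope.prefixlen, iface is not None)


def decide(dst, iface):
    """Winning rule for traffic from this host to dst over iface ('lan' or 'dialup')."""
    dst = ip_address(dst)
    candidates = [r for r in FILTERS if dst in r[1] and r[2] in (None, iface)]
    name, _, _, action = max(candidates, key=specificity)
    return name, action


def missing_endpoints(resolved):
    """Resolved A records for pptp.relakks.com that the filter list does not cover yet."""
    covered = {str(r[1].network_address) for r in FILTERS if r[1].prefixlen == 32}
    return sorted(ip for ip in resolved if ip not in covered)


if __name__ == "__main__":
    # LAN host, PPTP end point, and an arbitrary internet host with the tunnel down (lan) and up (dialup)
    for dst, iface in [("192.168.1.20", "lan"), ("93.182.134.2", "lan"),
                       ("203.0.113.10", "lan"), ("203.0.113.10", "dialup")]:
        print(dst, iface, "->", decide(dst, iface))
    # Constructed answer set, as if returned by 'dig pptp.relakks.com'; 93.182.144.2 is not in RELAKKS above
    print("not covered by the batch file:", missing_endpoints(["93.182.134.2", "93.182.144.2"]))
```

Running missing_endpoints against a fresh dig result is a quick way to notice the kind of address change mentioned in the update note at the top of the post.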

Instead of starting the VPN tunnel manually on each bootup, you can put the connection into the Startup (Autostart) folder, provided you have configured the connection not to ask for the username/password, so that the VPN tunnel is started automatically.

Important:
If you have any local services running (VNC, PS3 Media Server or the like) you should remove them from the Exceptions tab in the Windows firewall and reconfigure those programs to either bind to the LAN network adapter IP address (if possible) or add a port exception on the LAN network adapter only (Advanced tab), unless you intend to offer them to the internet.

Also, neither the DNS server nor the default route has been altered. You could run your own DNS server on the Windows machine and also remove the default route permanently.