How to ensure all traffic from a Windows XP computer enters a PPTP VPN tunnel

[Updated 08/01/2011]: pptp.relakks.com has changed some IP addresses so the batch file has been updated accordingly

With all the discussions concerning net neutrality and internet service providers inserting advertisements into your web surfing sessions, it may be a good idea not to trust your internet service provider as much as you used to and instead make use of a VPN service.

In this article, Relakks is used as an example of a PPTP VPN provider.

The Windows XP firewall provided with Service Pack 2 and newer allows incoming/outgoing traffic to be limited on a per-process level (although it seems 80/tcp, 443/tcp and 53/udp are allowed by default). When configuring rules on the network adapter level, only incoming traffic to a specific port can be allowed. This leads to the conclusion that only incoming traffic can be configured/limited, but not outgoing (on a per-IP-address level).

Although, at first glance, the tool ipseccmd.exe does not seem like it can provide IP address filtering, it can be used to do exactly that.
The tool is not available by itself but is provided in the Windows XP Service Pack 2 Support Tools package.

An example network setup:

  • Windows XP box connected to the router via Ethernet.
  • Playstation 3 connected via WLAN to the router.
  • Router connects to the internet via (A)DSL.
  • LAN is 192.168.1.0/24.
  • Windows XP has the Relakks VPN configured as described on the Relakks Homepage.


As long as the VPN tunnel is up everything is fine and all traffic enters/exits via the VPN provider. If the VPN tunnel is unavailable/down/reestablishing, you will be accessing the internet via your internet service provider and not via the VPN provider.

The following steps should enable the Windows XP machine to only have a usable network connection when the VPN is up.
This will also ensure that the traffic coming from the PS3 is not affected in any way.

  • Install the IPSec Policy Agent service and enable it via the Services MMC snap-in
  • Install the Windows XP Service Pack 2 Support Tools
  • Wipe any IPSec policies that may have been added when enabling the IPSec Policy Agent
    using the following clean_policy.reg file: 

    Windows Registry Editor Version 5.00
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]
    
  • Reboot
  • Open cmd.exe (or PowerShell) and use the command 'ipseccmd.exe show filters' to confirm that no filters are set
  • Execute the following vpnonly.bat script (if your local area network is 192.168.1.0/24, if not, change it accordingly!)
    
    REM Path to ipseccmd.exe from the Windows XP Service Pack 2 Support Tools
    set cmd="C:\Program Files\Support Tools\IPSeccmd.exe"
    set filtername="Secure VPN"
    
    REM Remove any previously loaded dynamic IPSec rules
    %cmd% -u
    
    REM Filter spec (-f): 0 = this host, + = mirrored (both directions), = = one-way,
    REM :: = any port and any protocol. -n PASS lets the traffic through without IPSec,
    REM -n BLOCK drops it, -x assigns the policy right away.
    
    REM Allow all traffic to/from the local area network
    %cmd% -w REG -p %filtername% -r "Allow LAN access" -f 0+192.168.1.*:: -n PASS -x
    
    REM Allow every address pptp.relakks.com resolves to, so the tunnel itself can be established
    %cmd% -w REG -p %filtername% -r "Relakks 93.182.134.2"   -f 0+93.182.134.2::     -n PASS -x
    %cmd% -w REG -p %filtername% -r "Relakks 93.182.135.130" -f 0+93.182.135.130::   -n PASS -x
    %cmd% -w REG -p %filtername% -r "Relakks 93.182.135.2"   -f 0+93.182.135.2::     -n PASS -x
    %cmd% -w REG -p %filtername% -r "Relakks 93.182.136.130" -f 0+93.182.136.130::   -n PASS -x
    %cmd% -w REG -p %filtername% -r "Relakks 93.182.136.2"   -f 0+93.182.136.2::     -n PASS -x
    %cmd% -w REG -p %filtername% -r "Relakks 93.182.137.2"   -f 0+93.182.137.2::     -n PASS -x
    %cmd% -w REG -p %filtername% -r "Relakks 93.182.144.2"   -f 0+93.182.144.2::     -n PASS -x
    %cmd% -w REG -p %filtername% -r "Relakks 93.182.154.2"   -f 0+93.182.154.2::     -n PASS -x
    %cmd% -w REG -p %filtername% -r "Relakks 93.182.155.2"   -f 0+93.182.155.2::     -n PASS -x
    %cmd% -w REG -p %filtername% -r "Relakks 93.182.156.2"   -f 0+93.182.156.2::     -n PASS -x
    %cmd% -w REG -p %filtername% -r "Relakks 93.182.157.2"   -f 0+93.182.157.2::     -n PASS -x
    %cmd% -w REG -p %filtername% -r "Relakks 93.182.158.2"   -f 0+93.182.158.2::     -n PASS -x
    %cmd% -w REG -p %filtername% -r "Relakks 93.182.159.2"   -f 0+93.182.159.2::     -n PASS -x
    %cmd% -w REG -p %filtername% -r "Relakks 93.182.168.2"   -f 0+93.182.168.2::     -n PASS -x
    %cmd% -w REG -p %filtername% -r "Relakks 93.182.169.2"   -f 0+93.182.169.2::     -n PASS -x
    %cmd% -w REG -p %filtername% -r "Relakks 93.182.171.2"   -f 0+93.182.171.2::     -n PASS -x
    %cmd% -w REG -p %filtername% -r "Relakks 93.182.172.2"   -f 0+93.182.172.2::     -n PASS -x
    %cmd% -w REG -p %filtername% -r "Relakks 93.182.173.2"   -f 0+93.182.173.2::     -n PASS -x
    %cmd% -w REG -p %filtername% -r "Relakks 93.182.175.2"   -f 0+93.182.175.2::     -n PASS -x
    %cmd% -w REG -p %filtername% -r "Relakks 93.182.184.2"   -f 0+93.182.184.2::     -n PASS -x
    
    REM Allow everything on the dialup (PPTP) interface, i.e. traffic inside the tunnel
    %cmd% -w REG -p %filtername% -r "Allow VPN Traffic" -f 0+*:: -n PASS -x -dialup
    
    REM Block everything else leaving this host via the LAN interface
    %cmd% -w REG -p %filtername% -r "Deny Rule" -f 0=*:: -n BLOCK -x -lan
    
    

Although the above file seems to suggest the rules are applied in the order they are executed, this is not the case! The rules are scope-based and are evaluated from most specific to least specific, so the single-host PASS rules for the Relakks end points win over the catch-all BLOCK rule on the LAN interface. In the case of pptp.relakks.com, the hostname resolves to multiple IP addresses, and every one of them needs its own PASS rule, otherwise the tunnel cannot be established to that address.

To check whether the VPN end point resolves to multiple IP addresses, execute the following
command on a machine that has the ISC BIND (DNS) software installed:

$ dig +trace pptp.relakks.com

The rules should be instantly active. Try it out by accessing web sites. It should not work.
As soon as you start the VPN tunnel, you can access any service on the internet. Try it. It should work.
If you stop it again, you can not access any internet service. Try it. It should fail.

Instead of starting the VPN tunnel manually on each bootup, you can put it into the Autostart folder, providing you have configured the connection not to ask for the username/password, thus starting the VPN tunnel automatically.

Important:
If you have any local services running (VNC, PS3 Media Server or the like), you should remove them from the exceptions tab in the Windows firewall and reconfigure those programs to either bind to the LAN network adapter IP address (if possible) or add a port exception on the LAN network adapter (advanced tab), unless you intend to offer them to the internet.

Also, neither the DNS server nor the default route have been altered. You could run your own DNS server on the Windows machine and also remove the default route permanently.


11 thoughts on “How to ensure all traffic from a Windows XP computer enters a PPTP VPN tunnel”

  1. Pingback: How to ensure all traffic from a Windows 8.1 computer enters a PPTP VPN tunnel | Simple Things
  2. This does not work from inside a VirtualBox VM running XP SP3, once the .bat applied I have no more internet access (no matter if I connect to VPN or not).

    NOTE: I first connect to the VPN (open vpn client) in host machine (windows 10) and then launch the VM

    • There are a few things that are unclear to me:

      Does the host network and the virtual machine network share the same IP address network? If so, what network is it?
      Can you successfully initiate the VPN after setting all the IP address filters?
      If so, can you then access the Internet once the VPN was successfully set up?
      What resources do you expect to reach on the virtual machine from your host machine?
      Can your virtual machine access resources in your local area network?

      Connecting to the host machine via VPN should not make a difference, it all depends if the host and the virtual machine share the same (local) IP address network.
      If not, you need to add a line allowing the IP address of your host machine to access the virtual machine:

      %cmd% -w REG -p %filtername% -r "Allow VMHOST access" -f 0+YOUR.HOST:IP:ADDRESS:: -n PASS -x

      • To simplify a bit, now I’ve tested with everything Inside the VM (Nothing on the host).
        So the openvpn client is Inside the XP SP3 VM.
        Let’s say the IP of the openvpn SERVER is 1.2.3.4 , here is my bat file:

        set cmd="C:\Program Files\Support Tools\IPSeccmd.exe"
        set filtername="Secure VPN"
        %cmd% -u
        %cmd% -w REG -p %filtername% -r "Allow VMHOST access" -f 0+e.f.g.h:: -n PASS -x
        %cmd% -w REG -p %filtername% -r "Allow LAN access" -f 0+a.b.c.*:: -n PASS -x
        %cmd% -w REG -p %filtername% -r "openvpn 1.2.3.4" -f 0+1.2.3.4:: -n PASS -x
        %cmd% -w REG -p %filtername% -r "Allow VPN Traffic" -f 0+*:: -n PASS -x -dialup
        %cmd% -w REG -p %filtername% -r "Deny Rule" -f 0=*:: -n BLOCK -x -lan

        I’ve tried to put 192.186.1 for the a.b.c line (local IP range of host computer) => if vpn is disconnected I still can access internet

        I’ve tried to put 10.0.2 for the a.b.c line (local ip range of VM)=> no access to internet (with or without VPN) , I can only connect to the VPN and that’s it.

        I’ve tried to put AA.BB.CC for the a.b.c line (local ip range one connected to VPN)=> no access to internet (with or without VPN) , I can only connect to the VPN and that’s it.

        Then I’ve tried to add the e.f.g.h line with the exact local IP of the host, nothing changed …

        • I still do not quite understand your setup.

          You have a virtual Windows XP machine. You only want to reach a specific OpenVPN server but nothing else.
          How do you access the virtual machine from the outside, or do you use the console provided by VMWare/VirtualBox? The bat file you provided looks good, you should not be able to access the internet if the VPN is not up. Are you using the built-in Windows VPN configuration or do you have an extra client?

          • I use an extra client : the “openvpn connect” for Windows installed Inside the VM.
            Without the bat file everything works fine: I connect the client (inside the VM) to the remote openvpn server (that is obviously outside the VM if this was not clear) and then all the traffic goes through the VPN.
            So the whole thing is ok when VPN connection is not broken (and without the bat file of course).

            I don’t understand your question “how do you access the virtual machine from the outside” ?
            The VirtualBox VM network is configured as “NAT”, do you mean that in order to use your bat file, I need to configure something on the host computer (outside the VM)?

            Concerning “you should not be able to access the internet if the VPN is not up”, as I said it is an all or nothing situation: if I use 192.168.1 and the VPN is broken I can still access the internet, and if I use 10.0.2 I can never access the internet (VPN broken or not broken).

          • I think the VM is doing some sort of NAT. Can you change it so your host and the VM are on the same network?
            Also, I recall I did have to reboot the VM for all changes to take proper effect.

  3. OK I think the problem is that I must put the VM network in “bridged mode” , but virtualbox refuses (invalid parameter), certainly because I do not use a router.
    Perhaps it is possible to use my internet box as a router, but I don’t know how to configure it, and even if I manage to configure it, I’m not sure if virtualbox will detect this configuration.
    The other solution would be to put the vpn client on the host and configure manually the host (windows 10) firewall rules …

    • > OK I think the problem is that I must put the VM network in “bridged
      > mode” , but virtualbox refuses (invalid parameter), certainly because
      > I do not use a router.

      That should not matter.
      Your host is getting an IP address from somewhere (DHCP?) so
      if you set up your Windows XP to obtain an IP address via DHCP
      and the virtual machine configuration is set to bridged
      both your host and your guest should get an IP address within the same network.

      > Perhaps it is possible to use my internet box as a router, but I don’t
      > know how to configure it, and even if I manage to configure it, I’m
      > not sure if virtualbox will detect this configuration. The other
      > solution would be to put the vpn client on the host and configure
      > manually the host (windows 10) firewall rules …

      I am still a little puzzled by your scenario.

      You have a Windows 10 host machine, a Windows XP virtual machine with OpenVPN
      that should only have internet access when the OpenVPN is up and running.

      It would only make sense (to me) if you ran something like privoxy
      on the Windows XP machine to provide a proxy for your local area network
      (and/or other services, tor maybe?).

      So, first step is to get your virtual machine on the same network
      as your host machine. Then, step by step using the commands from
      the bat file implement:

      – Access to local area network allowed
      – access to everything else denied

      Test it (maybe by using ping to ping 8.8.8.8, which should not work).
      If that works, allow access to the OpenVPN server.
      And if that works, then execute the line that will allow
      access to everything on the dialup interface.

      But: This assumes that the OpenVPN client interface is seen as a “dialup”
      interface by WindowsXP.

      I strongly advise you to use Windows 8.1 or newer as Windows XP does not receive
      any security updates and you might not want that machine exposed to the Internet…

      • Thanks for all the detailed information. I will try what you said but I’m currently busy with other things.
        The main reason for my setup (an old XP guest on a Win10 host) is that I need from time to time to have a fresh profile on a website that spies on everything to try to find any trace of a previous account on the computer.
        So each time I create a new VM to not give it a single chance to find anything (in localstorage or whatever trick they use).

        I also saw a lot of threads on internet speaking about a bug in virtualbox bridged network with win 10 (this is why I cannot use bridged network for my VMs): perhaps the easiest solution is to wait a fix for this and retry your bat file.

        • For that use case I have a different approach: I have installed Windows 10 into VMWare Workstation and have set the disks to non-persistent. Each time I restart the machine it starts “fresh”.
