What you want is to know for sure that certain applications of your choosing only work while the VPN is connected. That way your chosen application will never send a single packet over an unsecured connection. It turns out this is pretty easy to accomplish on more recent versions of Windows (Windows 7 and 8 are used here), using advanced features of the built-in Windows Firewall.
In this tutorial, I will be using the Google Chrome browser as my example. Using a browser is a good example for several reasons. For one, most of what people do on the Internet is through a browser. Also, it’s very easy to test the new Inbound and Outbound firewall rules we will be creating for this tutorial. When the change is complete, Chrome will only connect through the VPN and will not function without the VPN connected.
Step 1 – Configure Your VPN
I’m going to assume that at this point you have some sort of VPN service, whether it’s a custom OpenVPN client or an L2TP connection you created manually in Windows. There are lots of ways to connect to a VPN, but for the purposes of this tutorial it doesn’t matter, because the restriction you are about to build is based solely on the Windows network profile (Public) that the VPN connection belongs to, not on the VPN technology itself.
When Windows sees a new network connection it assigns it one of three profiles: Public, Private or Domain. For this tutorial to work, it is very important that your VPN connection is in the Public profile. It’s the key to setting this up in Windows Firewall: every program you want to force through the VPN is going to get a firewall rule that blocks it on Domain and Private networks and leaves it alone on Public ones. The flip side is just as important: your normal LAN or Wi-Fi connection must not be Public as well, or the block rule will not apply to it and the program will happily bypass the VPN.
Step 2 – Network and Sharing Center
Start by right clicking on the network icon in the notification area in the lower right hand corner of your taskbar and choosing “Open Network and Sharing Center”. You should see something like the window below:
Before we move on to the Windows Firewall, let’s take a second to double check your VPN profile setting. It should show a picture of a park bench (the Public network icon), showing you at a glance that it’s set correctly, like so:
Now, click on the Windows Firewall link in the lower left corner of the Network and Sharing Center window, as shown below:
Step 3 – Windows Firewall
You should be looking at the Windows Firewall screen, and the firewall should be enabled. Click the advanced settings, as circled below:
Step 4 – Advanced Firewall
You should be looking at the advanced firewall window, as shown below:
Step 5 – Create Outbound Rule
On the left hand side of the window, click on Outbound Rules, like so:
Then, on the right hand side of the window, in the action bar, click New Rule, like so:
Choose Program and click Next >>
This is the screen where you are going to need to know the full path on your hard drive to the EXE file which runs the program you are working with. In this example I am using Chrome, so I will point it to Chrome.
However, what if you don’t know the path to the EXE file you are looking for? If the program is running, you can find it in Task Manager as shown below. To run Task Manager, just right click on your desktop taskbar and choose “Task Manager”.
This is the Windows 8 Task Manager, but you can still get the job done in Windows 7:
When you are in Task Manager, right click on the application you want to know the path to and choose “Open File Location” which will open a Windows Explorer window with the EXE file you are looking for!
Now, right click on chrome.exe in that window and choose Properties. Circled below is the fruit of your labor: the Location field, which holds the full path to Chrome’s folder, not counting the .EXE file itself. (If Chrome was installed for your user only rather than for all users, the folder will be under your AppData\Local directory instead of Program Files.)
With this knowledge in hand, type the path into the outbound rule, including the \chrome.exe file name on the end, and advance by pressing Next >>
Because outbound traffic is allowed by default, the only purpose of this rule is to block traffic that doesn’t go through the VPN. So set this screen to “Block the connection” and click Next >>
Below is the most important screen, because this is where you limit the block to everything outside the Public profile: leave Domain and Private checked and uncheck Public. Since the VPN connection is the only connection in the Public profile, this rule blocks Chrome on every network except the VPN. If you leave Public checked, the rule blocks the VPN too and Chrome will never connect at all. The end result is that Chrome will not surf the web when the VPN is disconnected.
Almost done. Now just give your rule a name and description. If you are old like me, or just have a poor memory, it is a very good idea to put something descriptive here. I put “force chrome to VPN” so there will not be any doubt about what my new firewall rule does:
That’s it! Now just press the Finish button, and you should see your new rule appear at the top of the list. The next time the window refreshes it will be sorted in with the others, so you may have to go hunting for it later:
That’s it for Chrome, since it does not need to accept any incoming connections. If you have an application that does, you will want to keep going with Step 6. Either way, test it first. With your VPN connected, verify that Chrome surfs the web. Now disconnect your VPN and try to browse to a common web site like Google to verify that it won’t work:
I get the message below when I try the test:
Step 6 (Optional) – Create Inbound Rule
For the most part you are not going to have many incoming connections via your VPN. But some applications, such as voice chat, messaging and file sharing, need incoming connections to work properly. Unlike outbound connections, inbound connections are blocked by default. This tutorial is going to assume that you already have an inbound allow rule for the application you are working with, and that the application is already functioning properly aside from needing to be restricted to the VPN.
Creating the inbound rule is the same procedure you just used to create the outbound rule, so I won’t repeat it. The only differences are that you start from Inbound Rules instead of Outbound Rules, and you again choose Block and leave Public unchecked so the block applies only on Domain and Private networks. Windows Firewall gives block rules precedence over allow rules, so your existing inbound allow rule can stay exactly as it is.
That’s it—you should be done!
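The same Steps 1, 5 and 6 can be done from an elevated PowerShell prompt instead of the Advanced Firewall GUI. The script below is an added example written for this page, not part of the original tutorial; it uses the NetSecurity cmdlets that ship with Windows 8 / Server 2012 and later (a netsh equivalent for Windows 7 is in a comment). The Chrome path, the rule names and the adapter alias in the warning text are assumptions; adjust them for your machine. It also performs the check from Step 1 that the GUI leaves to you: that the VPN is the only Public connection, since otherwise the block rule has a hole.

```powershell
#Requires -RunAsAdministrator
# Added example: forces one program through the Public-profile VPN with two
# Block rules that apply only to the Domain and Private profiles.
# Run from an elevated (Administrator) PowerShell prompt on Windows 8 or later.

$RuleName = 'force chrome to VPN'   # same rule name the tutorial uses
$Program  = 'C:\Program Files\Google\Chrome\Application\chrome.exe'   # assumed install path

# If Chrome is running, take the real path from the process instead. This is
# the Task Manager "Open file location" trick from Step 5, done in PowerShell.
$proc = Get-Process -Name chrome -ErrorAction SilentlyContinue | Select-Object -First 1
if ($proc -and $proc.Path) { $Program = $proc.Path }
if (-not (Test-Path $Program)) { throw "Program not found: $Program" }

# Step 1 check: exactly one connection should be Public, and it should be the VPN.
# A LAN or Wi-Fi connection that is also Public is NOT covered by the block rule,
# so the program would bypass the VPN on it.
$profiles = Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory
$profiles | Format-Table -AutoSize
$public = @($profiles | Where-Object NetworkCategory -eq 'Public')
if ($public.Count -ne 1) {
    Write-Warning "Expected exactly one Public connection (the VPN); found $($public.Count)."
    Write-Warning "Move the physical adapter to Private, for example:"
    Write-Warning "  Set-NetConnectionProfile -InterfaceAlias 'Wi-Fi' -NetworkCategory Private"
}

# Step 5: outbound Block rule for Domain and Private only. Public is deliberately
# left out, so traffic leaving through the VPN adapter stays allowed.
Remove-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
New-NetFirewallRule -DisplayName $RuleName `
    -Description 'Block Chrome on any network that is not the Public-profile VPN' `
    -Direction Outbound -Program $Program -Action Block `
    -Profile Domain, Private -Enabled True | Out-Null

# Step 6 (optional): the same idea inbound. Block rules take precedence over
# allow rules, so an existing inbound Allow rule for the program can stay.
Remove-NetFirewallRule -DisplayName "$RuleName (inbound)" -ErrorAction SilentlyContinue
New-NetFirewallRule -DisplayName "$RuleName (inbound)" `
    -Direction Inbound -Program $Program -Action Block `
    -Profile Domain, Private -Enabled True | Out-Null

# Verify: Profile must read "Domain, Private". If it says "Any" or includes
# Public, the rule will block the VPN as well.
Get-NetFirewallRule -DisplayName "$RuleName*" |
    Select-Object DisplayName, Direction, Action, Profile, Enabled |
    Format-Table -AutoSize

# Windows 7 has no NetSecurity module; the outbound rule there is:
#   netsh advfirewall firewall add rule name="force chrome to VPN" dir=out action=block profile=domain,private program="C:\Program Files\Google\Chrome\Application\chrome.exe"
```

After running it, do the same test as in Step 5: browse with the VPN connected, then disconnect the VPN and confirm Chrome can no longer reach Google. Rerunning the script is safe because it removes and recreates its own two rules each time.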