Wednesday, October 16, 2013

How To Force A Windows Application To Use Your VPN

You did it, you finally cared enough about your privacy to go out and purchase a VPN subscription. But it only protects your privacy when it’s connected, and you keep forgetting to connect it or verify that it’s still connected. VPN connections sometimes drop, and when your VPN drops its connection, your privacy is not protected. What’s worse, when the VPN drops, everything on your computer keeps chugging along, unaware of the unsecure change in its environment.

What you want is to know for sure is that certain applications of your choosing are only functional when the VPN is connected. That way, your specific application will not send a single packet of data from an unsecure connection, ever. It turns out that this is pretty easy to accomplish with more recent versions of Windows, using advanced features of the built in Windows Firewall.

In this tutorial, I will be using the Google Chrome browser as my example. Using a browser is a good example for several reasons. For one, most of what people do on the Internet is through a browser. Also, it’s very easy to test the new Inbound and Outbound firewall rules we will be creating for this tutorial. When the change is complete, Chrome will only connect through the VPN and will not function without the VPN connected.

Step 1 – Configure Your VPN

I’m going to assume that at this point you have some sort of VPN service, whether it’s a custom OpenVPN client or an L2TP connection you created manually yourself in Windows. There are lots of ways to connect to a VPN, but for the purposes of this tutorial it doesn’t matter, because you are going to be basing the applications you want to have control over solely on the basis of connecting through a Public profile network in Windows.

When you create an Internet connection it gives you several profile options to create the new connection for: Public, Private and Domain. For this tutorial to work, it is very important that your VPN connection is configured for a Public profile. It’s the key to setting it up in Windows Firewall. In a nutshell, every program you want to force through the VPN is going to be configured to be restricted to this Public profile.

Step 2 – Network and Sharing Center

Start by right clicking on the network icon in the lower right hand corner of your desktop and choose “Open Network and Sharing Center” and you should see something like the window below:

Before we move on to the Windows Firewall, let’s take a second to double check your VPN profile setting. It should show a picture of a park bench showing you at a glance that it’s set correctly, like shown below:

Now, click on the Windows Firewall link in the lower left corner of the Network and Sharing Center window, as shown below:

Step 3 – Windows Firewall

You should be looking at the Windows Firewall screen, and the firewall should be enabled. Click the advanced settings, as circled below:

Step 4 – Advanced Firewall

You should be looking at the advanced firewall window, as shown below:

Step 5 – Create Outbound Rule

On the left hand side of the window, click on Outbound Rules, like so:

Then, on the right hand side of the window, in the action bar, click New Rule, like so:

Choose Program and click Next >>

This is the screen where you are going to need to know the full path on your hard drive to the EXE file which runs the program you are working with. In this example I am using Chrome, so I will point it to Chrome.

However, what if you don’t know the path to the EXE file you are looking for? If the program is running, you can find it in Task Manager as shown below. To run Task Manager, just right click on your desktop taskbar and choose “Task Manager”.

This is the Windows 8 Task Manager, but you can still get the job done in Windows 7:

When you are in Task Manager, right click on the application you want to know the path to and choose “Open File Location” which will open a Windows Explorer window with the EXE file you are looking for!

Now, right click on the shortcut you should be looking at, and choose Properties. Circled below is the fruit of your labor—the full path to Chrome, not counting the .EXE file itself.

With this knowledge in hand, we can create type the path into our outbound rule and advance by pressing Next >>

Because outbound traffic is allowed by default, the only purpose of this rule is to block traffic that’s not from the VPN. And so you want to set this screen to Block and click Next >>

Below is the most important screen, because you are blocking everything not in the Public profile. Since the VPN connection is the only connection set to Public, this rule will filter out all traffic except the VPN. The end result is that Chrome will not surf the web when the VPN is disconnected.

Almost done. Now just give your rule a name and description. If you or old like me, or just have a poor memory, it is a very good idea to put something descriptive here. I put “force chrome to VPN” so there will not be any doubts about what my new firewall rule does:

That’s it! Now just press the Finish button, and you should see your new rule appear at the top of the list, though the next time the window refreshes it will sort your new rule, so you may have to go hunting for it next time:

That’s it for Chrome, since it does not accept any incoming connections. If you have an application that does, then you will want to keep going. You still want to test it though. With your VPN connected, verify that it surfs the web. Now disconnect your VPN and try to browse to a common web site like Google to verify that it won’t work:

I get the message below when I try the test:

Step 6 (Optional) – Create Inbound Rule

For the most part you are not going to have many incoming connections via your VPN. But some common Windows applications such as voice, messaging and file sharing are going to need incoming connections to work properly. Unlike outbound connections, inbound connections are disabled by default. This tutorial is going to assume that you already have an inbound firewall rule for the application you are working with and that the application is already functioning properly aside from needing to be restricted to the VPN.

Creating the inbound rule is the same procedure you just used to create the outbound rule, so I won’t repeat it. It’s just another rule to create.

That’s it—you should be done!


  1. Great for BitTorrent or any Torrent program really!

  2. Thanks for such a wonderful post on VPN. A VPN alone is just a way to bolster your security and access resources on a network you're not physically connected to. It secures your computer's internet connection to guarantee that all of the data you're sending and receiving is encrypted and secured from prying eyes.

  3. This blog is really great. The information here will surely be of some help to me. Thanks!. vpn review

  4. Thank You Sir ! I was looking for such thing for a long long time. God Bless You and Your family :)

  5. This works like a charm for Chrome. However the Tor browser happily ignores its outbound rule and connects to the network over the private network when the VPN is disconnected. Any thoughts anybody?