Using a BlockOutbound default policy in Win10 to fully Tunnel all WAN traffic through the TUN/TAP interface

So I got a little "advanced firewall usage" question in Win10.

I have a VPN running in a VPS with openvpn, running like a charm, and I wanted to filter all the networking of my endhost (in this case Win10). What I mean by filtering is to apply a strict policy of "BlockInbound,BlockOutbound", so I can just add rules to allow the communication with my VPS to establish the VPN Tunnel (so it will create a new TUN interface) and then let this last device have AllowOutbound.

Here is a little diagram of the situation, although not perfect:

             +----------------+
             |      WAN       |
             |                |
             +----------------+
                 ^        
                 |        
                 |        
                 |        
                 |        
                 |        
                 V        
             +----------------+
             |192.100.100.100 |
             |   MY VPS       |
             +----------------+
    10.8.0.1/24  ^        ^    VPN port: 443
                 |        |
                 |        |
                 |        |
                 |        |
          TUN nic|        |
    10.8.0.X/24  V        V wireless card
             +----------------+         
             |                |
             |     ENDHOST    |
             +----------------+

The issue in here is with the Windows Firewall system. I am used to ufw in Linux and could quite depict the ruleset; in here we are a bit more restricted.

1st) Setting the default policies

netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

2nd) Letting the Wireless NIC establish the tunnel with the VPS. Either set the openvpn server to serve the clients on the same inport as the client, or I can set a rule allowing the IP of the VPS only (no need for server tweaks):

netsh advfirewall firewall add rule name="Accept Traffic from VPN on outer NIC" dir=in action=allow remoteip=192.100.100.100 protocol=tcp
netsh advfirewall firewall add rule name="Accept Traffic from VPN on outer NIC" dir=out action=allow remoteip=192.100.100.100 protocol=tcp

3rd) Letting the TUN interface have unrestricted WAN connectivity. Here we have a limitation in Windows; if you check netsh in order to create a rule you can see:

 netsh>advfirewall firewall add rule ?
 +---------------------------------------------
 |Usage: add rule name=<string>
 |      dir=in|out
 |      action=allow|block|bypass
 |      [program=<program path>]
 |      [service=<service short name>|any]
 |      [description=<string>]
 |      [enable=yes|no (default=yes)]
 |      [profile=public|private|domain|any[,...]]
 |      [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
 |      [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|
 |         <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
 |      [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)]
 |      [remoteport=0-65535|<port range>[,...]|any (default=any)]
 |      [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|
 |         tcp|udp|any (default=any)]
 |      [interfacetype=wireless|lan|ras|any]
 |      [rmtcomputergrp=<SDDL string>]
 |      [rmtusrgrp=<SDDL string>]
 |      [edge=yes|deferapp|deferuser|no (default=no)]
 |      [security=authenticate|authenc|authdynenc|authnoencap|notrequired
 |         (default=notrequired)]
 +---------------------------------------------
 
NOTE!! [interfacetype=wireless|lan|ras|any]

There is no interfaceName to filter on, nor does interfacetype quite distinguish the category of a TUN interface.

Provided that we have:

netsh>interface show interface

Admin State    State          Type             Interface Name
---------------------------------------------
Enabled        Connected      Dedicated        OpenVPN TAP-Windows6     -------------> TARGET
Enabled        Disconnected   Dedicated        PdaNet Broadband Connection
Enabled        Connected      Dedicated        Wi-Fi
Enabled        Disconnected   Dedicated        Ethernet

This info is not really telling me any info about interfacetype, but after asking in a chat I have been told that the TAP interfaces are seen as interfacetype=lan. So as my actual connection is going to be Wireless, I then have a ruleset suiting my situation:

netsh advfirewall firewall add rule name="Permit Outbound Traffic through LAN interfaces (for the TUN)" dir=out action=allow interfacetype=lan remoteip=any
netsh advfirewall firewall add rule name="Permit LAN Traffic out" dir=out action=allow remoteip=localsubnet

So I go ahead and unfortunately the plan is not working. First off, I am not able to log into the LAN application form to get WAN (for that I temporarily deactivate the firewall). Once I get the IP lease I enable the firewall again, and good news: I have connectivity with my VPS, so I proceed to connect OpenVPN. It connects. Good!! But webpages are not getting loaded, ping requests are not coming through, and I can't depict where the issue may be.

Any ideas?

mangohost
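A PowerShell version of the same kill-switch ruleset, added here as an example and not part of the original post. It uses the built-in NetSecurity cmdlets, whose -InterfaceAlias parameter binds a rule to a named adapter (the filter that netsh advfirewall does not expose), and it assumes the values shown in the question: VPS 192.100.100.100 on TCP/443, physical adapter "Wi-Fi" and tunnel adapter "OpenVPN TAP-Windows6".

```powershell
# Added example, not from the original post. Assumes the names and addresses
# shown in the question; adjust them to match Get-NetAdapter on your machine.
# Run from an elevated PowerShell prompt.
$VpsIp    = '192.100.100.100'
$VpnPort  = 443
$WanAlias = 'Wi-Fi'
$TunAlias = 'OpenVPN TAP-Windows6'
$Prefix   = 'VPN-KillSwitch'

# Start clean so re-running the script does not pile up duplicate rules
Get-NetFirewallRule -DisplayName "$Prefix*" -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# 1) Default policy: block both directions on every profile
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 2) Physical adapter may only reach the VPS on the OpenVPN port. Return
#    traffic for this outbound connection is matched by the stateful filter,
#    so no separate inbound rule is needed.
New-NetFirewallRule -DisplayName "$Prefix VPS out" -Direction Outbound -Action Allow `
    -InterfaceAlias $WanAlias -Protocol TCP -RemoteAddress $VpsIp -RemotePort $VpnPort

#    DHCP on the physical adapter, so the lease can be obtained and renewed
#    without disabling the firewall.
New-NetFirewallRule -DisplayName "$Prefix DHCP out" -Direction Outbound -Action Allow `
    -InterfaceAlias $WanAlias -Protocol UDP -LocalPort 68 -RemotePort 67

#    Deliberately no DNS rule on $WanAlias: name lookups can only leave via
#    the tunnel, which is what prevents a DNS leak if the VPN drops.

# 3) Tunnel adapter gets unrestricted outbound, bound by alias rather than by
#    interfacetype, so it does not matter how Windows classifies the TAP NIC.
New-NetFirewallRule -DisplayName "$Prefix TUN out" -Direction Outbound -Action Allow `
    -InterfaceAlias $TunAlias -RemoteAddress Any

# Check: list which adapter each kill-switch rule is actually bound to
Get-NetFirewallRule -DisplayName "$Prefix*" | ForEach-Object {
    $if = $_ | Get-NetFirewallInterfaceFilter
    '{0,-24} {1,-9} {2}' -f $_.DisplayName, $_.Direction, ($if.InterfaceAlias -join ',')
}
```

If browsing still fails after OpenVPN connects, compare the DNS server assigned to the tunnel adapter (Get-DnsClientServerAddress) with the one the pages are resolved through; with this ruleset a resolver reachable only on the physical adapter will be blocked by design.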
