Topic: Unofficial VPN Kill Switch via Avast Firewall


Offline FranceBB1

Unofficial VPN Kill Switch via Avast Firewall
« on: October 09, 2019, 04:45:53 AM »
Hi there,
I had to make a custom internet kill switch for a third-party VPN and I found out how to sort of cheat and do it anyway.
Please note that Avast Firewall works differently from UFW (if you are familiar with Linux).
Generally, on Linux, a way to make a custom internet kill switch with UFW is to block everything and only allow the IP address of the VPN server you are going to connect to and the port of the protocol you are going to use.
That way, UFW is gonna block each and every connection unless you are connected to the IP address and port specified (VPN), in which case, all the traffic is routed to that server and the firewall allows you to browse the internet.
Of course, as soon as the connection drops and the VPN disconnects itself, all the traffic is blocked again and so on.
On Windows things are different and Avast Firewall works differently.
As a matter of fact, if you block all the connections except the IP address of the VPN server and the relative port, Avast Firewall will do exactly that: block each and every connection, except the one to the IP address and port specified, which are the ones of the VPN server; however... you won't be able to browse the internet even if you are connected to the VPN.
Let me clarify this: when you are setting Avast Firewall to block everything except the VPN, it will do exactly that, block everything except the VPN, so, if you try to ping the VPN Server you will be able to do that and if you wanna try to connect using the specified port you will be able to do that, however, Avast doesn't know that all the traffic is gonna be routed through the VPN Server (it can't know this since it's handled by Windows!) and therefore it's gonna block everything no matter what.
So, in other words, you will be able to connect to the VPN server, but you won't be able to browse the internet.

One way to prevent this is to take advantage of the "Public" and "Private" profiles of the Avast Firewall.
When you are connected to your real router using your real ISP, Avast Firewall will detect it, we'll call it "ISP A".
As soon as you connect to the VPN, however, Avast will detect a change of ISP (as it doesn't know that it's a VPN instead); we'll call it "ISP B".

Now, go to your Avast (the guide shows Avast Premier), click on Protection, Firewall:

then click on "Settings":

go to "packet rules":

and create two rules like so:

The first rule is gonna be "Block Everything" which basically tells the firewall to block everything.
Remember to set it equal to PUBLIC only on the right-hand side.
The second rule is gonna allow our VPN to connect, so make sure that you specify the IP address and the port used; for instance, the PPTP protocol uses port 1723.
If you are unsure about which port it uses, just enable it to all ports (not the safest thing in the world, though).
Just like the first rule, make sure that the second rule only applies to PUBLIC on the right-hand side.

Alright, we're almost done.
Remember when I told you that Avast will detect a change of ISP when you connect to the VPN?

Well, set "ISP A" (your real ISP) to PUBLIC and set "ISP B" (the VPN ISP) to PRIVATE.

And... you're done.
Now, every time you connect to your router, Avast is gonna recognize the ISP and block all the connections except the VPN.
Once the VPN connects to the server, the ISP will change, Avast will recognize it and will change its settings to PRIVATE thus allowing you to browse the internet.

This is not the best way to make a custom internet kill switch, but it's the one that worked for me at least.
The reason why I decided to make this topic is to share a solution (or rather, a "workaround") to what is a question that has been asked by some people on this forum and found no answer.

Alright, I hope this helps.
Of course, if some Avast expert wants to pop up and show a better way to make a custom Internet Kill Switch for a third-party VPN, feel free to do it, 'cause I'd like to know as well.


OS: Windows XP Service Pack 3 (Updated 'till EoL April 2019) x86
Avast Premier version: 18.8.2356 (build 18.8.4084.409).
« Last Edit: October 09, 2019, 05:52:17 AM by FranceBB1 »
Main: ESET Nod32  - Fedora Linux x64
Work: Avast Premier  - Windows XP Professional SP3 x86 - Microsoft Official Extended Support (2019)
Server: Symantec Endpoint Protection  - Windows Server 2019 x64
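
The UFW kill switch described at the start of the post, written out as an added example that is not part of the original post. It prints the commands for review instead of running them; the server address, port, protocol and the tunnel interface name `tun0` are constructed placeholders, and the explicit allow rule for the tunnel interface is an assumption about how the VPN client exposes its traffic.

```shell
#!/bin/sh
# Added example (not from the original post): print the UFW commands for the
# kill switch described above so they can be reviewed before being applied.
# The address, port, protocol and interface used below are constructed
# placeholders; substitute your VPN provider's values.

# is_ipv4 ADDR: succeed only for a dotted-quad IPv4 address.
is_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# killswitch_rules VPN_IP PORT PROTO TUN_IF
# Validates every argument (they end up in commands run as root), then prints:
#   1-2. default deny in both directions ("block everything")
#   3.   the one exception on the physical link: the VPN server and port
#   4.   free egress on the tunnel interface, which normally only exists
#        while the VPN is up, so a dropped tunnel leaves only rule 3 usable
# Note: PPTP also needs GRE (IP protocol 47), which these rules do not cover.
killswitch_rules() {
    vpn_ip=$1 port=$2 proto=$3 tun_if=$4
    is_ipv4 "$vpn_ip" || { echo "bad VPN address: $vpn_ip" >&2; return 1; }
    case $port in ''|*[!0-9]*|??????*) echo "bad port: $port" >&2; return 1 ;; esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    case $proto in tcp|udp) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
    case $tun_if in ''|*[!A-Za-z0-9_.-]*) echo "bad interface: $tun_if" >&2; return 1 ;; esac
    cat <<EOF
ufw default deny incoming
ufw default deny outgoing
ufw allow out to $vpn_ip port $port proto $proto
ufw allow out on $tun_if from any to any
ufw --force enable
EOF
}

# Dry run with constructed values (203.0.113.10 is a documentation address).
killswitch_rules 203.0.113.10 1194 udp tun0
```

Once the printed rules look right, they can be applied by piping the output to a root shell, and checked afterwards with `ufw status verbose`.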