Archived

This topic is now archived and is closed to further replies.

zamar27

VPN & Eset Firewall Setup

Many Windows VPN clients don't have their own Firewall or Kill Switch. A VPN Client usually creates a virtual network adapter or MiniPort, which is used by the client instead of the physical Ethernet or WiFi adapter, thus creating a separate "Network Connection" in Eset Firewall. Please advise how to best configure Eset Firewall in such a way that all traffic from the PC would pass only through VPN, and any other traffic outside VPN is blocked by Eset Firewall?

Also, when VPN connection is temporarily interrupted, Eset Firewall should block all PC traffic on all adapters until the VPN connection is restored.

Can you also explain whether Eset does Real Time Protection on traffic passing through the VPN virtual adapter? If yes, is it done after the traffic has passed the adapter and was decrypted by VPN Client?

Eset's position for some time was "we won't offer VPN". At the same time Eset management recognized that their customers do use VPN, and offered extensive VPN support for its commercial Secure Authentication (ESA) product. When it comes to the Home market, Eset staff simply ignore regular customer requests to provide any help on using VPN clients with Eset, despite the burgeoning growth of the consumer VPN market.

Configuring Eset to work with a 3rd party VPN client should not be that hard. This How to use only VPN Connection guide explains how to configure Windows Firewall to pass a certain app's traffic only through VPN. It's obvious from it that, instead of passing just one app's traffic, a user can configure "ALL Programs" traffic to pass only through VPN.

However, Eset Firewall not only complies with Windows Firewall rules, but also offers its own set of controls. So why do Eset staff persistently refuse to answer, in Help and also on the forum, any user questions about VPN and Eset Firewall configuration? What do you offer this forum for, if such popular topics are ignored? The forum is not only for bug reports, but mostly about how to use and improve Eset products, including Eset Firewall and Network & Internet Protection features.

To begin with, I assume most Eset home users are not using the Win built-in VPN client, such as this set-up guide for Win 10 shows: https://support.microsoft.com/en-us/help/20510/windows-10-connect-to-vpn . Most are using one of the publicly available VPN providers such as NordVPN. As their setup guide for Win 7 shows, all the features you desire, such as app and Internet kill switch capability etc., are built into their app: https://nordvpn.com/tutorials/windows-7/application/ . It is outside the scope of the Eset firewall to provide these features or such like capability. If you wish such capability, you should use one of the public VPN service providers.

As far as configuring the Eset firewall for a public VPN provider connection, here's a good tutorial: https://windowsreport.com/fix-vpn-blocked-eset/ . I recommend using the Eset Network wizard which will automatically create the proper firewall rules for the VPN connection.

On 5/2/2019 at 6:37 PM, itman said:

It is outside the scope of the Eset firewall to provide these features or such like capability.

It doesn't seem to be the case. Here's the suggestion I found on How to ensure VPN Only traffic:
"set up a Public network for VPN network connection (adapter), and block everything through the Firewall sent on Home and Office networks". The task is more suited for advanced Eset users.

There seem to be several ways for a user to implement it in Eset Firewall settings. For example, a user can take advantage of Eset Firewall Profiles:

1. View current network connections in Network Protection - Connected Networks;
2. Assign different Eset Firewall Profiles to various network connections (adapters);
3. Set Allow or Deny Any Traffic rules in Firewall Advanced Rules depending on a chosen Firewall Profile.

Another approach is to use Eset Firewall Zones:

1. Assign VPN traffic to a new Secure Zone in Firewall Advanced Setup, and add user preferred VPN server remote IP addresses to it;
2. Set an Allow Any Traffic rule in Firewall Advanced Rules for the Trusted Zone to allow LAN traffic;
3. Set Allow or Deny Any Traffic rules in Firewall Advanced Rules inside and outside the new Secure Zone.

In both above approaches or their combination, a user can add extra rules for certain applications or processes within Firewall Zones or Profiles, whose traffic should be blocked, passed via the VPN tunnel, or outside it, thus enabling split tunneling. Some trial and error testing may be required, and one must account for Eset rule evaluation priority, which may change between Eset software versions. One may need to enable Firewall Interactive or Learning mode to teach it how to handle traffic, and advanced logging to create or edit rules using log files. If problems with traffic occur, a user can always export the Eset configuration, and revert Firewall settings to Default.

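As an added example, not taken from any post in this thread or from ESET, here is the same "VPN only plus kill switch" policy the post above builds with Eset Profiles and Zones, expressed instead as Windows Defender Firewall rules in PowerShell (a later post in the thread notes that Eset Firewall complies with Windows Firewall rules in its default settings). The adapter alias, VPN server addresses and tunnel port are assumptions to be replaced with your own.

```powershell
# Added example, not from this thread or from ESET. Builds a "VPN only" egress
# policy with Windows Defender Firewall: default-deny outbound on every profile,
# then allow only (a) anything on the VPN adapter, (b) the encrypted tunnel to
# the VPN servers on the physical adapters, (c) LAN and DHCP on the physical
# adapters. When the tunnel drops, only (b) and (c) can leave the PC, which is
# the kill-switch behaviour discussed in the thread.
#Requires -RunAsAdministrator

$Group      = 'VPN-Only (example)'
$VpnAlias   = 'TAP-VPN'                          # ASSUMPTION: your VPN adapter's InterfaceAlias
$VpnServers = @('203.0.113.10', '203.0.113.11')  # ASSUMPTION: placeholders from a documentation range
$VpnPort    = 1194                               # ASSUMPTION: OpenVPN default; check your client
$VpnProto   = 'UDP'

function Enable-VpnOnly {
    # Idempotent: drop any earlier copy of these rules first
    Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    # Physical NICs only; verify the list does not include your VPN adapter
    $physical = (Get-NetAdapter -Physical).Name

    # (a) Everything may leave through the tunnel adapter
    New-NetFirewallRule -Group $Group -DisplayName 'VPN adapter: allow all out' `
        -Direction Outbound -Action Allow -InterfaceAlias $VpnAlias -Profile Any | Out-Null
    # (b) Only the encrypted tunnel itself may leave the physical adapters
    New-NetFirewallRule -Group $Group -DisplayName 'Physical: allow VPN tunnel out' `
        -Direction Outbound -Action Allow -InterfaceAlias $physical -Profile Any `
        -RemoteAddress $VpnServers -Protocol $VpnProto -RemotePort $VpnPort | Out-Null
    # (c) "Allow LAN traffic" plus DHCP renewals, the option some clients expose
    New-NetFirewallRule -Group $Group -DisplayName 'Physical: allow LAN out' `
        -Direction Outbound -Action Allow -InterfaceAlias $physical -Profile Any `
        -RemoteAddress LocalSubnet | Out-Null
    New-NetFirewallRule -Group $Group -DisplayName 'Physical: allow DHCP out' `
        -Direction Outbound -Action Allow -InterfaceAlias $physical -Profile Any `
        -Protocol UDP -LocalPort 68 -RemotePort 67 | Out-Null

    # Default-deny outbound on all three profiles. Windows' built-in allow rules
    # (e.g. "Core Networking - DNS (UDP-Out)") stay active, so audit them for leaks.
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block
}

function Disable-VpnOnly {
    # Revert to the default outbound policy and remove only this example's rules
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Allow
    Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule
}
```

Run `Enable-VpnOnly` from an elevated PowerShell, then disconnect the VPN and confirm with Resource Monitor or Eset's Network Connections tool that nothing but the tunnel, LAN and DHCP traffic leaves the physical adapter; `Disable-VpnOnly` restores the previous behaviour.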
8 hours ago, zamar27 said:

It doesn't seem to be the case. Here's the suggestion I found on How to ensure VPN Only traffic:
"set up a Public network for VPN network connection (adapter), and block everything through the Firewall sent on Home and Office networks".

I suggest you experiment with your own custom configurations since you seem somewhat knowledgeable in this area.

Note that by default, Eset firewall rules are global in scope depending on which of the three default profiles is active: Public, Home or Office, or use Windows setting.

Using the Public profile on the VPN network connection will activate the proper default Eset firewall rules for that network connection only. If the Eset profile for your PC NIC adapter is set to the Home or Office profile, Eset firewall will apply the appropriate default firewall rules for that network connection. The main point to realize is that Eset's firewall will not block a non-VPN connection on another network adapter connection when the VPN connection is disabled.


Getting back to the default Windows client VPN connection. Microsoft created this as a simple means to establish a point-to-point tunnel connection to an external network; namely your employer's network, for example.

The public VPN services all use their own VPN client. This is most likely the installation of a mini-port filter driver for the existing device network connection. Use of such a driver gives the capability for example to block all traffic from the network adapter that is not VPN related.

On 5/3/2019 at 9:01 AM, itman said:

The main point to realize is that Eset's firewall will not block a non-VPN connection on another network adapter connection when the VPN connection is disabled.

It depends on Firewall settings set by a user. I wonder why Eset doesn't explain much in Firewall Help articles giving typical examples of popular firewall settings and scenarios.

Eset Firewall will block all non-VPN traffic on a physical network adapter, if a user added a Deny Any Traffic rule in Firewall Advanced Rules for the Firewall Profile assigned to that adapter (connection), regardless of whether the alternative VPN connection (mini-port or virtual adapter) is enabled and active or not. Once you enable the VPN connection, the traffic will flow through it. When you disable it, any traffic will stop. This is the equivalent of the Kill Switch of a 3rd party VPN Client activated when the VPN connection is interrupted, since not every client offers its own Firewall control or Kill Switch.

43 minutes ago, zamar27 said:

Eset Firewall will block all non-VPN traffic on a physical network adapter, if a user added a Deny Any Traffic rule in Firewall Advanced Rules for the Firewall Profile assigned to that adapter (connection), regardless of whether the alternative VPN connection (mini-port or virtual adapter) is enabled and active or not.

Correct.

The problem is what about necessary periodic Windows OS network communication? For example, auto checking for Windows Updates, Win Store and System packaged updates on Win 10, etc. It appears that you might still be using Win 7. Win 10 is extremely "chatty" when it comes to Internet activity.


Any VPN Client supplied Kill Switch or Firewall Control seems to kill all internet traffic when enabled, including all Win 10 chattiness regardless of Win 10 Firewall default settings, unless it offers some advanced options like allowing LAN or specific Windows internet traffic. All traffic is restored once the VPN connection is active. You can watch that with Windows Resource Monitor, Netlimiter or a similar 3rd party tool, and also with Eset Tools - More Tools - Network Connections.


Again, NordVPN has an option associated with the kill switch where you can specify what apps it applies to:

Quote

NordVPN helpfully provides a kill switch option in both its desktop software and its mobile apps. The desktop version, for Windows and Mac, can shut down applications which you specify if your VPN connection goes down. The mobile version for Android and iOS disables internet access across the system if the VPN connection goes down, meaning that apps won’t be shut down but they won’t be able to communicate across the unsecured internet.

To enable the kill switch on the desktop software, open it up and click on Settings at the top, and then to General on the left. This will show you a number of options, including the Kill Switch slider. You can toggle the slider to turn the kill switch on and off. And below the slider you can add applications which should be terminated in the case of VPN disconnection – such as your web browser and your torrent client.

https://www.addictivetips.com/vpn/best-vpns-kill-switch/


As an example, ExpressVPN too has a Kill Switch and also a Split Tunneling feature that allows the user to choose which programs' traffic is passed through the VPN tunnel (virtual adapter), and which goes straight through the physical network adapter. Some VPN clients like Windscribe offer Firewall control instead of a Kill Switch, which includes an Allow LAN Traffic option. These are advanced features, seldom offered in most VPN clients, yet any of those can seemingly be implemented by a proper Eset Firewall setup by a user, if not available or switched off in a VPN client.

These features in VPN clients manipulate settings of Windows Firewall. There's an interesting Reddit thread, where VPN devs explain what the difference is between a VPN Kill Switch and VPN Firewall control, since many reviewers don't know that.

There were reports on this forum in the past that Eset Firewall crashes when traffic is passed through two or more network connections simultaneously. I didn't test that, and if that's still the case, it's an Eset firewall bug that may prevent implementing the above advanced settings. They should still work if used in VPN clients, since these modify Windows Firewall rules that Eset Firewall complies with in default settings.

On 4/27/2019 at 7:41 AM, zamar27 said:

Many Windows VPN clients don't have their own Firewall or Kill Switch. A VPN Client usually creates a virtual network adapter or MiniPort, which is used by the client instead of the physical Ethernet or WiFi adapter, thus creating a separate "Network Connection" in Eset Firewall. Please advise how to best configure Eset Firewall in such a way that all traffic from the PC would pass only through VPN, and any other traffic outside VPN is blocked by Eset Firewall?

Also, when VPN connection is temporarily interrupted, Eset Firewall should block all PC traffic on all adapters until the VPN connection is restored.

Can you also explain whether Eset does Real Time Protection on traffic passing through the VPN virtual adapter? If yes, is it done after the traffic has passed the adapter and was decrypted by VPN Client?

I have read in a guide that Ivacy VPN offers a kill switch but I'm not sure if Eset's firewall is compatible.
