In Windows Firewall OpenVPN Interfaces are LAN instead of RAS

How to customize and extend your OpenVPN installation.

Moderators: TinCanTech

jasoncrowley
OpenVpn Newbie
Posts: 1
Joined: Tue Feb 04, 2014 5:06 pm

In Windows Firewall OpenVPN Interfaces are LAN instead of RAS

Post by jasoncrowley » Tue Feb 04, 2014 6:43 pm

New poster here. If I haven't found the right forum to post Windows client issues, please let me know.

Recent versions of Windows (Vista & up, I think) do not support binding firewall rules to specific interfaces. They do, however, allow you to specify firewall rules that affect the following interface types:
  • FW_INTERFACE_TYPE_ALL: Represents all types of network adapters (NICs). The following types fall into this type.
    • FW_INTERFACE_TYPE_LAN: Represents network adapters (NICs) that use wired network physical layers such as Ethernet.
    • FW_INTERFACE_TYPE_WIRELESS: Represents network adapters that use the wireless 802 network physical layer.
    • FW_INTERFACE_TYPE_REMOTE_ACCESS: Represents network adapters that use VPN connections.

OpenVPN client interfaces are recognized by Windows as a LAN interface instead of Remote Access. This has made it very hard to set up firewall rules that only apply to OpenVPN interfaces.

After many hours of research and testing, I have come up with a hack that allows the OpenVPN interface to be recognized by Windows as a Remote Access interface; however, it is a hack. I'm hoping someone has a more-appropriate way to solve the problem.

Here is my hack:
  1. Add the following line under [tap0901.ndi] in OemWin2k.inf:

     *IfType         = 28	; IF_TYPE_SLIP

  2. Run addtap.bat to install the OpenVPN TAP adapter driver. Note that after modifying the OemWin2k.inf file, the signature on your driver will become invalid and you'll have to go through some extra steps to get it installed.

This hack tells Windows that the TAP-Windows Adapter is a SLIP interface type. Windows firewall then recognizes it as a "Remote access" interface type and rules associated with that interface type apply to the OpenVPN connections. It works great and I have found no drawbacks, but it seems wrong to tell Windows that OpenVPN is using a SLIP interface. Does anyone have a solution for making Windows recognize TAP interfaces as remote access interfaces in a more-appropriate way?

For your reference, all Windows-sanctioned interface types can be found here:
http://msdn.microsoft.com/en-us/library ... s.85).aspx

I tried each of the values below for *IfType, and only 28 worked. When the TAP-Windows driver is installed without a *IfType directive, it shows up with *IfType = 6.

Name                            Value
IF_TYPE_OTHER                   1
IF_TYPE_ETHERNET_CSMACD         6
IF_TYPE_ISO88025_TOKENRING      9
IF_TYPE_PROP_POINT2POINT_SERIAL 22
IF_TYPE_PPP                     23
IF_TYPE_SOFTWARE_LOOPBACK       24
IF_TYPE_SLIP                    28
IF_TYPE_ATM                     37
IF_TYPE_MODEM                   48
IF_TYPE_PROP_VIRTUAL            53
IF_TYPE_HIPPIINTERFACE          57
IF_TYPE_IEEE80211               71
IF_TYPE_PPPMULTILINKBUNDLE      108
IF_TYPE_TUNNEL                  131
IF_TYPE_COFFEE                  132
IF_TYPE_L2_VLAN                 135
IF_TYPE_L3_IPVLAN               136
IF_TYPE_IEEE1394                144
Thanks in advance!

Jason Crowley | Innovative Networks | http://in-kc.com

spartachunk
OpenVpn Newbie
Posts: 2
Joined: Tue Apr 29, 2014 2:40 pm

Re: In Windows Firewall OpenVPN Interfaces are LAN instead of

Post by spartachunk » Tue Apr 29, 2014 3:20 pm

Hey,

It's an old post, I know but just in case you're still looking for another way...

I read somewhere (and tested it - it works) that you can differentiate between PUBLIC and PRIVATE networks in the Windows Firewall Rules.

OpenVPN connections, by default on my machine, show up as Public and my home connection shows up as Private.

I have had success creating Firewall BLOCK Rules for PUBLIC networks only, and the end result is that it only affects OpenVPN traffic.

This is a simple way of doing it if you don't have more than 1 "public" connection. So obviously not the best option if you are taking your laptop travelling, but works great for a home desktop with a simple network config.
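
Added here as a worked example, not code from either poster: PowerShell that lists the ifType each adapter reports (the numbers from the table in the first post), then creates the two kinds of rules discussed in this thread, one scoped by interface type (jasoncrowley's approach, which only matches the TAP adapter after the *IfType = 28 change) and one scoped by network profile (spartachunk's approach). Blocking inbound SMB on TCP 445 is an assumed illustration; it requires an elevated session on Windows 8 / Server 2012 or later, where the NetAdapter and NetSecurity modules exist.

```powershell
# 1. Which IANA ifType does each adapter report? 6 = IF_TYPE_ETHERNET_CSMACD
#    (what an unmodified TAP-Windows adapter shows), 28 = IF_TYPE_SLIP.
#    Names below are taken from the first post's table.
$ifTypeNames = @{ 6 = 'ETHERNET_CSMACD'; 23 = 'PPP'; 24 = 'SOFTWARE_LOOPBACK';
                  28 = 'SLIP'; 53 = 'PROP_VIRTUAL'; 71 = 'IEEE80211'; 131 = 'TUNNEL' }
Get-NetAdapter -IncludeHidden | ForEach-Object {
    [pscustomobject]@{
        Name        = $_.Name
        Description = $_.InterfaceDescription
        IfType      = $_.InterfaceType
        IfTypeName  = $ifTypeNames[[int]$_.InterfaceType]   # cast: keys are Int32
    }
} | Format-Table -AutoSize

# 2. Rule scoped by interface type (first post). Windows Firewall maps ifType 6 to
#    'Wired', so 'RemoteAccess' only catches the TAP adapter once it reports 28.
#    Port 445 (SMB) is an assumed example of a service you would not expose over a VPN.
New-NetFirewallRule -DisplayName 'Block SMB in on remote-access interfaces' `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -InterfaceType RemoteAccess -Action Block

# 3. Rule scoped by network profile (second post). Matches every connection that
#    Windows classifies as Public, so a public Wi-Fi hotspot is covered as well as the VPN.
New-NetFirewallRule -DisplayName 'Block SMB in on public-profile networks' `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -Profile Public -Action Block

# 4. Check which profile each connection actually landed in before relying on rule 3.
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory
```

Rule 2 silently matches nothing on a stock TAP adapter, so run step 1 first to confirm the adapter reports ifType 28 before assuming the rule is in effect.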
