VPN only for a single program

2

1

I'm creating a new VPN service, to enable players of the Crysis 1, Crysis Wars, and Crysis 2 games to continue playing after the online multiplayer is shut down at the end of this month.

The purpose of this VPN service is to provide a private LAN, where players can connect to the VPN and view the LAN server list to connect to servers (servers obviously have to be connected to the VPN also).

This is where the problem lies; I only want the VPN server to support this server network, and not allow people access to the internet. This is because if they download torrents, watch video, etc, it will make the VPN server slow. Obviously I can just block all access to the web, but unfortunately most players like to browse the internet, play music on YouTube, etc, while playing.

Is it possible on Windows to only allow the games and servers to use the VPN, while forcing users to bypass the VPN for other internet communication? Is there some Windows Firewall rule that can be applied to create this behaviour? I only want the gameservers and games to use the VPN server.

If this isn't possible, is it possible programmatically? C++ and Lua can only be used for this.

The VPN is on Linux.

AStopher

Posted 2014-06-15T08:54:21.167

Reputation: 2 123

Question was closed 2020-02-09T15:07:12.730

I understand that the VPN is housed on Linux and Crysis on Windows. Therefore all VPN communication goes through the Linux server. You could set its firewall to allow on the IP segment of the VPN only outgoing connections to the Windows server, so no connection to the Internet is possible on the VPN. – harrymc – 2014-06-18T20:58:35.773

@harrymc Yes, but that's not what I want to do. Many players use services such as TeamSpeak 3 and Skype to communicate to other players. They also like to stream music from websites such as YouTube and Deezer; these services are high-bandwidth services, so they cannot be allowed via the VPN. However, if players cannot access these services at all, the new service will be less attractive. – AStopher – 2014-06-19T07:51:42.390

You control the outgoing ports and so control which services are available via the VPN. Users wishing to use unavailable services will need to use the Internet directly rather than via your VPN. This is possible for them by manipulating their route tables. – harrymc – 2014-06-19T08:30:31.547

Answers

-1

The solution to this is found here. It is possible to have an installer, which modifies the firewall rules to accomplish this.

Connect to your VPN as you normally would.

Open the Network and Sharing Center - right-click on the Internet connection icon in the taskbar and choose "Open Network and Sharing Center" (see below)

You should see (at least) two networks listed under "View Your Active Networks" - your VPN connection and one called "Network" - a.k.a. your ISP Connection. Ensure that your VPN is a "Public Network", and your ISP connection is "Home Network". If you need to change either connection, click it and an option window will appear (see below).

Go to the Control Panel and click System and Security (see below).

In the resulting window, click Windows Firewall (see below).

In the Windows Firewall window, click Advanced Settings on the left pane (see below). Note: You must be logged in as an Administrator to make changes to the Firewall Settings.

You should see a window titled Windows Firewall with Advanced Security. In this window, click Inbound Rules (see below).

On the right pane, you will see an option for a New Rule. Click it (see below).

In the New Inbound Rule Wizard (which should appear), do the following:

Choose Program and click Next.

Choose the program you wish to block all traffic to except on the VPN connection, and click Next.

Choose Block the Connection.

Tick Domain and Private. Make sure Public is left unticked.

Repeat Step 9 for Outbound Rules.

AStopher

Posted 2014-06-15T08:54:21.167

Reputation: 2 123

@Nakilon I am the author of this question... – AStopher – 2020-02-09T12:00:58.773
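The same per-program, per-profile rules in scripted form, added here as an example and not taken from the answer above; it assumes Windows 8 or later (NetSecurity and VpnClient cmdlets), an assumed game path, and a VPN connection whose adapter alias is "Crysis VPN".

```powershell
#Requires -RunAsAdministrator
# Added example: paths and the connection name are assumptions, change them to match.
$Game    = 'C:\Program Files (x86)\Electronic Arts\Crytek\Crysis\Bin32\Crysis.exe'
$VpnName = 'Crysis VPN'              # alias of the VPN adapter / connection
$RulePfx = 'Crysis - block off-VPN'

# Step 3 of the answer: the VPN must be a Public network and the ISP link Private,
# because the block rules below apply to the Domain and Private profiles only.
Set-NetConnectionProfile -InterfaceAlias $VpnName -NetworkCategory Public
Get-NetConnectionProfile | Format-Table Name, InterfaceAlias, NetworkCategory

# Steps 6-10, once per direction: block the game on every profile except Public,
# so the only network it can use is the VPN.
foreach ($dir in 'Inbound', 'Outbound') {
    New-NetFirewallRule -DisplayName "$RulePfx ($dir)" -Direction $dir `
        -Program $Game -Action Block -Profile Domain, Private | Out-Null
}

# Check: both rules exist, are enabled, block, and carry exactly Domain+Private.
function Test-VpnOnlyRules {
    $rules = @(Get-NetFirewallRule -DisplayName "$RulePfx*")
    $ok = @($rules | Where-Object {
        "$($_.Enabled)" -eq 'True' -and "$($_.Action)" -eq 'Block' -and
        "$($_.Profile)" -eq 'Domain, Private'
    })
    return ($rules.Count -eq 2) -and ($ok.Count -eq 2)
}
Test-VpnOnlyRules

# Caveat: these rules only stop the game from using non-VPN networks; whether
# browsing still leaves via the ISP link is a routing question. For a Windows
# built-in (PPTP/L2TP) connection, keep the default gateway off the VPN:
if (Get-VpnConnection -Name $VpnName -ErrorAction SilentlyContinue) {
    Set-VpnConnection -Name $VpnName -SplitTunneling $true
}
# The default route should not point at the VPN interface:
Get-NetRoute -DestinationPrefix '0.0.0.0/0' |
    Format-Table InterfaceAlias, NextHop, RouteMetric
```

Run it while the VPN is connected so the adapter exists; Test-VpnOnlyRules returns True when both rules are in place.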

1

You have two easy approaches for this: Microsoft's horribly insecure PPTP and OpenVPN.

PPTP is built-in to Windows, and doesn't require a download for your players. The catch is that the data exchanged will not be secure - a dedicated attacker will be able to break into the data streams because there are flaws in the encryption used by PPTP. Since this is a gaming service with little to lose (other than a few multiplayer matches) this might be an acceptable risk, but you're not entirely clear about how all of the components fit together, and what is "acceptable". You will want to install the pptpd service on your Linux box and configure it from there. Once installed, it will accept connections from anyone that has the correct username/password pair.

OpenVPN is a bit more heavy-weight but will provide full security. It can be independently downloaded and installed. The setup of this service is outside the scope of the question - it is a bit involved. Suffice to say, it will not only require the download and installation of a client for your players, but possibly the exchange of a SSL certificate file as well. It will provide reasonable security and the latency isn't too horrible, so this is a good solution if you must have good security.

With regard to internet access, iptables and routing will prevent players from getting external access. You would, in essence, create a subnet on a network port that has all traffic blocked that tries to exit the subnet. This will prevent players from turning your server into their own private ISP/router.

Finally, Windows should be smart enough to route packets to the appropriate network. What this means in practice is that any packets destined for your game server will travel down the VPN pipe, everything else will go out the "regular" connection. So if you set this up correctly, and your players have the correct setup, it won't matter.

To keep things simple, I would recommend the PPTP version of things, tighten up your security a little bit, and simply keep an eye on the access logs. You may want to incorporate a custom fail2ban script so that dictionary attacks against PPTP will result in a lock-out.

Avery Payne

Posted 2014-06-15T08:54:21.167

Reputation: 2 371

So just to make it clear, if I block access to internet services on the VPN machine (via iptables), Windows should then route internet services via the users' own internet connection? – AStopher – 2014-06-19T07:48:14.827

No, the firewall rules are there to prevent traffic from "bleeding out" once it arrived on the Linux side. Any routing issues would be addressed on the Windows side, not the Linux side. – Avery Payne – 2014-07-02T19:25:38.003

1

So I would use Tunngle because it's very stable and easy to set up. You can also set up private networks. Check it out at http://www.tunngle.net

Arsalan

Posted 2014-06-15T08:54:21.167

Reputation: 11

Can Tunngle route specific traffic to/from the VPN, whilst forcing all other internet traffic through the users' own internet connection? – AStopher – 2014-06-19T07:49:14.800

Well by that do you mean forcing a single application through the VPN? If so yes in Tunngle you can select which application you want to run through the VPN/private network. – Arsalan – 2014-06-19T08:00:44.483

1

I recommend using OpenVPN. There is an option called "redirect-gateway" in the client configuration which, if enabled, will redirect traffic from the client through your VPN. You obviously would not want this option in the OpenVPN configurations your clients have. Server-side, you could use "iptables" to prevent clients from accessing the internet through your VPN. This link contains information for how to configure OpenVPN and in the section labeled "Configuring client-specific rules and access policies" it guides you through giving your users limited network access. In your class you would want to probably drop by default and forward packets only to the Crysis servers.

Solitz

Posted 2014-06-15T08:54:21.167

Reputation: 766

Interesting, but wouldn't this action mean that no internet resources can be accessed when connected to the VPN? – AStopher – 2014-06-19T07:53:13.390

No. If redirect-gateway is not enabled the users' internet traffic is not going to be routed through your VPN. – Solitz – 2014-06-19T10:38:24.090

0

I understand that the VPN is housed on Linux and Crysis on Windows. Therefore all VPN communication goes through the Linux server.

You could set the firewall to allow on the IP segment of the VPN only outgoing connections to the Windows server, so no connection to the Internet is possible on the VPN.

You control the outgoing ports and so control which services are available via the VPN. Users wishing to use unavailable services will need to use the Internet directly rather than via your VPN. This is possible for them by manipulating their route tables.

harrymc

Posted 2014-06-15T08:54:21.167

Reputation: 306 093

-1

If you're on Linux and use OpenVPN, VPNShift works beautifully.

thouliha

Posted 2014-06-15T08:54:21.167

Reputation: 193

Please do not post the same answer to multiple questions. If the same information really answers both questions, then one question (usually the newer one) should be closed as a duplicate of the other. You can indicate this by voting to close it as a duplicate or, if you don't have enough reputation for that, raise a flag to indicate that it's a duplicate. Otherwise tailor your answer to this question and don't just paste the same answer in multiple places.

– DavidPostill – 2018-07-12T17:21:12.453

Please read How do I recommend software for some tips as to how you should go about recommending software. You should provide at least a link, some additional information about the software itself, and how it can be used to solve the problem in the question.

– DavidPostill – 2018-07-12T18:02:50.273