Windows – How to ensure Internet access is only via VPN

Tags: ip, networking, routing, vpn, windows 7

I have a Windows 7 machine with a regular wired Internet connection, configured via DHCP. It has a VPN connection set up. How can I ensure that Internet access is allowed only over the VPN? That is, before the VPN is connected I want there to be no access to the Internet (except to the VPN server). If it disconnects or fails for any reason I want there to be no access as well.

I've already read the guides on this and there seem to be basically 4 answers, none of which work reliably for me:

1) Run some software that detects when the VPN disconnects and block Internet access. I don't want to rely on this, even if it mainly works. I want a "secure by default" solution.

2) Remove the default route that goes via the real gateway. This almost works, except that sometimes (not all the time) when the VPN disconnects that default route has magically re-appeared. Perhaps it happens during a DHCP refresh, I'm not sure.

3) Add a fake default route that goes via a non-existent gateway, with a lower metric than the real default route. This didn't work for me. The route is added, but before I connect to the VPN I still have Internet access. route print shows this:

Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0          1.2.3.1        1.2.3.123    276
          0.0.0.0          0.0.0.0  192.168.198.250    192.168.198.1     22

where 1.2.3.1 stands for my real gateway and 192.168.198.250 is a fake gateway on a VMware adapter. It uses the real gateway even though the fake metric is lower. I've also tried adding a fake gateway on the real network, but its metric always ends up higher – the "metric" parameter of route add seems to be relative to the interface metric.

4) Firewall. Might be a viable option, but http://www.purevpn.com/win7-firewall.php says

Note: Torrents programs are an exception to this – For torrents this method is only 99% effective leaving 1% chance of data leak.

I'm not sure why that is and the page doesn't give details, but it's a bit worrying.

Best Answer

    4) Firewall. Might be a viable option, but http://www.purevpn.com/win7-firewall.php says

        Note: Torrents programs are an exception to this - For torrents this method is only 99% effective leaving 1% chance of data leak.

    I'm not sure why that is and the page doesn't give details, but it's a bit worrying.

PureVPN's suggested settings use port-based blocking. This may let some traffic through, as remote torrent clients can listen on every port they want to.

If you use IP-based blocking instead (or both), that flaw is eliminated.
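The following script is an added example of the IP/interface-based firewall approach the answer recommends; it is not code from the question, the answer, or PureVPN's page. It uses netsh advfirewall, which ships with Windows 7, to make outbound traffic default-deny and then allow only three things: the VPN server's address on the tunnel's protocol and port, DHCP for the physical adapter, and anything that leaves through the VPN adapter itself. Because the allow rules match on address and interface rather than on ports, a torrent client listening on an arbitrary port gains nothing when the tunnel is down. The server address 203.0.113.10, the tunnel subnet 10.8.0.0/24, the UDP/1194 port, the "VPN-only" rule prefix and the built-in DNS rule name are all assumptions or placeholders to adjust for your setup. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the original question or answer: enforce "Internet only via VPN"
# on Windows 7 with IP- and interface-based netsh advfirewall rules. Run elevated.

$VpnServer   = "203.0.113.10"  # placeholder: the VPN server's public IP (use the IP, not a hostname)
$VpnProtocol = "udp"           # assumption: OpenVPN over UDP; PPTP needs tcp/1723 plus protocol=47 (GRE),
$VpnPort     = 1194            # L2TP/IPsec needs udp/500 and udp/4500
$TunnelNet   = "10.8.0.0/24"   # placeholder: address range the VPN assigns to this client (only for TAP adapters)
$Prefix      = "VPN-only"      # rule-name prefix so the rules are easy to list and remove

$RuleNames = @("$Prefix allow VPN server", "$Prefix allow DHCP",
               "$Prefix allow traffic over VPN adapter", "$Prefix allow traffic from tunnel address")

function Remove-VpnOnlyRules {
    # Delete every rule carrying the prefix so the script can be re-run safely.
    foreach ($n in $RuleNames) {
        netsh advfirewall firewall delete rule name="$n" | Out-Null
    }
}

function Install-VpnOnlyRules {
    Remove-VpnOnlyRules

    # 1. Default-deny outbound on every profile. Nothing leaves unless an allow rule matches,
    #    so the machine is offline by default and stays offline if the VPN drops.
    netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

    # 2. Allow the tunnel itself: only the VPN server's IP on the VPN protocol/port.
    netsh advfirewall firewall add rule name="$Prefix allow VPN server" dir=out action=allow `
        remoteip=$VpnServer protocol=$VpnProtocol remoteport=$VpnPort

    # 3. Allow DHCP (client port 68 -> server port 67) so the wired adapter can still renew its lease.
    netsh advfirewall firewall add rule name="$Prefix allow DHCP" dir=out action=allow `
        protocol=udp localport=68 remoteport=67

    # 4a. Built-in Windows VPN (PPTP/L2TP/SSTP) presents as a RAS interface: allow everything over it.
    #     This matches on interface type, not on ports, so the torrent caveat does not apply.
    netsh advfirewall firewall add rule name="$Prefix allow traffic over VPN adapter" dir=out action=allow `
        interfacetype=ras

    # 4b. OpenVPN-style TAP adapters look like a LAN interface instead, so allow by local (tunnel) address.
    #     Packets that leave via the physical adapter carry its DHCP address and never match this rule.
    netsh advfirewall firewall add rule name="$Prefix allow traffic from tunnel address" dir=out action=allow `
        localip=$TunnelNet

    # 5. The built-in "Core Networking - DNS (UDP-Out)" rule allows DNS on any interface and would leak
    #    queries to the ISP resolver while the VPN is down; disable it. The rule name is assumed from a
    #    default Windows 7 install; confirm it with: netsh advfirewall firewall show rule name=all
    netsh advfirewall firewall set rule name="Core Networking - DNS (UDP-Out)" new enable=no
}

function Test-VpnOnlyRules {
    # Quick check: every profile must report BlockOutbound, and the prefixed rules must exist.
    netsh advfirewall show allprofiles | Select-String "Outbound"
    foreach ($n in $RuleNames) {
        netsh advfirewall firewall show rule name="$n" | Select-String "Rule Name|Enabled"
    }
}

Install-VpnOnlyRules
Test-VpnOnlyRules
```

Keep only one of the 4a/4b rules once you know which adapter type your VPN client creates; the unused one is harmless but widens the allow set for no reason. After applying the rules, verify the behaviour the question asks for: with the VPN disconnected, a browser or ping to a public address should fail while the VPN client can still reach its server; once connected, traffic flows; after disconnecting again (or pulling the VPN client's plug), it stops immediately without any software having to react. Unlike the route-table approaches in points 2 and 3, a reappearing default route after a DHCP refresh changes nothing here, because the firewall never allowed that path in the first place.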
