Restricting uTorrent to VPN interfaces (Part 1)

Table of Contents

Introduction
A word of warning
Firewall rules
Connection profiles
Firewall concept
The Windows Firewall Management Console
Preparations
Getting started
Block uTorrent connections inbound and outbound
Limit the scope of blocked connections
Allow uTorrent connections inbound and outbound
Limit the scope of allowed connections
Summary

Introduction  

This howto describes how to set up the Windows Firewall so that uTorrent can reach the Internet only via VPN interfaces. Windows 7 is used as the underlying operating system; the configuration should be identical on Windows Vista.

Although Windows XP has included the Windows Firewall since Service Pack 2, this howto cannot be applied to it: the firewall in Windows XP does not support outbound rules, and the setup below depends on them.

A word of warning  

It is very easy to break your Internet connection when configuring firewall rules, so be careful.

Firewall rules  

Firewall rules allow or deny communication to or from a network. Rules controlling traffic that arrives on an interface are called inbound rules; rules for the opposite direction are called outbound rules.

Depending on the type of firewall, a rule defines parameters that describe the traffic it is triggered on, e.g. a single IP address or IP ranges, TCP or UDP ports, or the application it is bound to.

Connection profiles  

In Windows, a firewall rule can be limited to one or more interface types that describe the kind of network a computer is connected to (rule Properties, Advanced tab). Windows differentiates between LAN, Wireless, and Remote Access. These are not the firewall's network location profiles (Domain, Private, Public), which are selected per network and can be applied to a rule as well. The rules in this howto do not rely on the interface type at all; they rely on the IP address assigned to the interface.

LAN
Local Area Network, a network the computer is connected to by cable.
Wireless
A network the computer is connected to wirelessly.
Remote Access
Remote access networks are those you dial into on demand, e.g. corporate networks or provider networks, typically through a Virtual Private Network (VPN) connection.

Firewall concept  

Define what you want to do. You want to allow uTorrent to only work via a VPN interface.

The difference between a VPN interface connected to IPredator and a regular local network interface is the IP address assigned to it. Your local network interface uses a private IPv4 address from the ranges defined in RFC 1918, while IPredator assigns the VPN interface a public IP address.

You have a machine which is connected to your local network using your router to access the Internet. Every time this machine needs to access resources outside the local network, e.g. hosts on the Internet, it sends these requests to the default gateway. Such requests have a private source IP address.

After your machine has successfully connected to our VPN service, it gets assigned a public IP address and the default gateway is changed to point into the tunnel. Because your machine now has a public IP address, it can communicate with hosts on the Internet directly; it uses the public IP address assigned by IPredator as the source address for every request.

If the VPN connection terminates, the default gateway reverts to its original state and points to your local router again. With that change, your machine can no longer send requests to the Internet directly; it has to forward them to your router and uses its private source IP address for these requests again.
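The firewall rules below tell the VPN apart from the LAN purely by the address the machine holds, so it is worth seeing that address the way the firewall will. The following script is an added example and not part of the original guide: it lists every IPv4 address on an enabled adapter and classifies it as private (RFC 1918), IPredator (46.246.32.0/19, the range named later in this text) or neither. It is written for the PowerShell 2.0 that ships with Windows 7 (no `-shl`, no `Get-NetIPAddress`); the function and variable names are this example's own.

```powershell
# Added example, not part of the original guide: classify this computer's
# IPv4 addresses the way the firewall rules in this howto do, so you can
# run it once with the VPN up and once with it down and see which address
# uTorrent would be allowed to use. PowerShell 2.0 (Windows 7) compatible.

$rfc1918 = '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'   # private: uTorrent blocked
$vpn     = '46.246.32.0/19'                                  # IPredator: uTorrent allowed

function ConvertTo-UInt32 ([string]$ip) {
    # Dotted quad -> unsigned 32-bit integer in host byte order
    $bytes = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    [Array]::Reverse($bytes)              # BitConverter is little-endian
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-InCidr ([string]$ip, [string]$cidr) {
    # True if $ip lies inside the $cidr prefix (IPv4 only)
    $net, $bits = $cidr -split '/'
    # Mask with the top $bits bits set, computed without -shl (PowerShell 3.0+ only)
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    return ((ConvertTo-UInt32 $ip) -band $mask) -eq ((ConvertTo-UInt32 $net) -band $mask)
}

function Get-UTorrentAddressReport {
    # One line per IPv4 address on an enabled adapter, with the firewall's verdict
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
        ForEach-Object {
            $nic = $_
            foreach ($addr in @($nic.IPAddress)) {
                # IPv6 addresses are skipped: the four IPv4 rules never match them
                if ($addr -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { continue }
                $verdict = 'neither range: falls through to the default policy'
                if ($rfc1918 | Where-Object { Test-InCidr $addr $_ }) {
                    $verdict = 'RFC 1918: uTorrent blocked'
                } elseif (Test-InCidr $addr $vpn) {
                    $verdict = 'IPredator range: uTorrent allowed'
                }
                '{0,-16} {1}  [{2}]' -f $addr, $verdict, $nic.Description
            }
        }
}

Get-UTorrentAddressReport
```

Run it before and after connecting: with the VPN down only RFC 1918 lines should appear; with the VPN up one additional line from 46.246.32.0/19 should show up on the VPN adapter. An address reported as "neither range" (a public address handed out directly by your ISP, a 100.64.0.0/10 carrier-grade NAT address, or a 169.254.0.0/16 link-local address) is one the four rules will not touch, and uTorrent traffic on it is governed by the profile's default policy instead.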

If you want to restrict uTorrent to VPN interfaces only, you need to block its connections whenever it uses a private address on the local network, so it cannot make use of your router to access the Internet. Only while the VPN connection is up, i.e. while uTorrent can reach the Internet through the tunnel with the public address, is it allowed to send and receive requests.

In a Windows Firewall configuration, this translates to a total of four rules; inbound and outbound rules have to be specified separately. Note that the firewall scopes a rule by the local IP address, i.e. the address this computer itself has on the connection, for both directions, and that a matching block rule always takes precedence over a matching allow rule.

  • Block uTorrent connections inbound when the local IP address is a private one
  • Block uTorrent connections outbound when the local IP address is a private one
  • Allow uTorrent connections inbound when the local IP address is a public one from IPredator's range
  • Allow uTorrent connections outbound when the local IP address is a public one from IPredator's range

To define these rules, you need to know the IP address ranges used in local private networks. In RFC1918 they are specified as:

  • 10.0.0.0/8
  • 172.16.0.0/12
  • 192.168.0.0/16

The public IP address range IPredator uses is 46.246.32.0/19.
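The rest of this howto creates these four rules by clicking through wf.msc. As an added example that is not part of the original guide, here is the same rule set created from an elevated PowerShell (or cmd) prompt with netsh advfirewall, the command-line counterpart of the management console on Windows Vista and 7. It assumes uTorrent is installed at its default per-user path (`%APPDATA%\uTorrent\uTorrent.exe`; adjust `$exe` otherwise); the rule names are this example's own, and the address ranges are the ones given above.

```powershell
# Added example, not the guide's own instructions: the four rules from the
# concept above, created with netsh advfirewall. Run from an elevated prompt.
# Assumption: uTorrent lives at its default per-user install path.

$exe = Join-Path $env:APPDATA 'uTorrent\uTorrent.exe'
if (-not (Test-Path $exe)) { throw "uTorrent not found at $exe; set `$exe to the real path" }

# Kept as single strings so each reaches netsh as one argument (a bare
# comma-separated list would be split into several arguments by PowerShell).
$rfc1918 = '10.0.0.0/8,172.16.0.0/12,192.168.0.0/16'   # private ranges, RFC 1918
$vpn     = '46.246.32.0/19'                            # IPredator's public range

# localip is this computer's own address on the connection, in both directions.
# Block rules take precedence over allow rules, so the order of creation is irrelevant.
netsh advfirewall firewall add rule "name=uTorrent block private (in)"  dir=in  action=block "program=$exe" "localip=$rfc1918" remoteip=any
netsh advfirewall firewall add rule "name=uTorrent block private (out)" dir=out action=block "program=$exe" "localip=$rfc1918" remoteip=any
netsh advfirewall firewall add rule "name=uTorrent allow VPN (in)"      dir=in  action=allow "program=$exe" "localip=$vpn"     remoteip=any
netsh advfirewall firewall add rule "name=uTorrent allow VPN (out)"     dir=out action=allow "program=$exe" "localip=$vpn"     remoteip=any

# Check the result: each of the four rules with its direction, action and LocalIP scope
netsh advfirewall firewall show rule name=all |
    Select-String -Pattern '^Rule Name:\s+uTorrent ' -Context 0, 7
```

Two things to verify afterwards. First, the default policy of each profile (`netsh advfirewall show allprofiles`): Windows Firewall allows outbound connections by default, so any uTorrent traffic that matches none of the four rules is allowed out. That covers every address outside both ranges, including IPv6: the rules above are IPv4-only, so on a LAN with global IPv6 connectivity uTorrent can still talk to peers over IPv6 while the VPN is down unless you add an equivalent IPv6 block pair or disable IPv6 on the LAN adapter. Second, that the allow rules really are scoped to 46.246.32.0/19 and not left at "Any", which the `LocalIP:` line in the listing above shows.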

The Windows Firewall Management Console  

The Windows Firewall Management Console allows you to define firewall rules. It can be started through opening the Start menu, entering wf.msc in the search field and selecting wf.msc from the Programs list.

wfmsc_01.png

The management interface of the Windows Firewall appears. It is divided into three main panes.

Context selector pane (1)
Here you select the context to work in, e.g. Inbound or Outbound Rules.
Content pane (2)
The content to alter inside a certain context, e.g. the rules active for the Inbound or Outbound Rules context.
Action pane (3)
Here are the actions listed that can be performed with the content, e.g. adding or removing rules or changing their Properties.
wfmsc_02.png

Preparations  

The uTorrent installer added two rules to the Windows Firewall that allow uTorrent to communicate on every interface. These rules need to be removed, otherwise they would let uTorrent in regardless of the rules created later.

On the left pane of the Windows Firewall Management Console, click on Inbound Rules.

wfutorrent_01.png

Select the two uTorrent related rules (TCP-In and UDP-In). Click Delete in the right pane.

wfutorrent_02.png

A dialog appears asking if you want to delete the selected rules. Click Yes.

wfutorrent_03.png
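The same clean-up can be done from an elevated prompt, which also lets you confirm that nothing bound to the uTorrent executable is left over in either direction. The following script is an added example, not from the guide: it parses the verbose rule listing of netsh advfirewall, matches rules by the program they are bound to rather than by their name (the installer's rule names contain a non-ASCII character that does not always survive a round trip through the console), deletes them, and lists again. The helper function name and the assumption that the executable is called uTorrent.exe are this example's own.

```powershell
# Added example, not from the guide: remove every Windows Firewall rule bound
# to uTorrent's executable with netsh advfirewall, then verify. Run elevated.
# Assumption: the executable is named uTorrent.exe; it is matched by file name
# so the install directory does not matter.

function Get-FirewallRulesForExe ([string]$exeName) {
    # Walk the verbose listing; each rule is a block starting with "Rule Name:"
    # and, further down, a "Program:" line with the bound executable (or "Any").
    $name = $null; $dir = $null
    netsh advfirewall firewall show rule name=all verbose | ForEach-Object {
        if     ($_ -match '^Rule Name:\s+(.+)$') { $name = $matches[1].Trim() }
        elseif ($_ -match '^Direction:\s+(\S+)') { $dir  = $matches[1] }
        elseif ($_ -match '^Program:\s+(.+)$' -and $matches[1].Trim() -like "*\$exeName") {
            New-Object PSObject -Property @{
                Name = $name; Direction = $dir; Program = $matches[1].Trim()
            }
        }
    }
}

# 1. Look before deleting: expect the installer's TCP-In and UDP-In rules
$rules = @(Get-FirewallRulesForExe 'uTorrent.exe')
$rules | Format-Table Direction, Name, Program -AutoSize

# 2. Delete by bound program, exactly as netsh displayed it, in both directions
$rules | Select-Object -ExpandProperty Program -Unique | ForEach-Object {
    netsh advfirewall firewall delete rule name=all "program=$_"
}

# 3. Verify: nothing bound to uTorrent should remain
if (Get-FirewallRulesForExe 'uTorrent.exe') {
    Write-Warning 'Rules bound to uTorrent are still present; check the listing above.'
} else {
    'No firewall rules bound to uTorrent remain.'
}
```

Deleting by program with `name=all` removes every rule that references the executable, so if you had already created your own uTorrent rules they go too; run the listing step first and look at what it reports.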

Getting started  

So much for the introductory part. You should now be familiar with the very basic components of the Windows Firewall. Time to get your fingers dirty!

The procedure is split into two parts: