How to Disable Windows 7 Firewall for Specific Network Interfaces via Scripting (OpenVPN Use Case)



While Windows XP allowed granular firewall control per network interface through simple netsh commands, Windows 7 introduced significant architectural changes to the Windows Firewall subsystem. The transition from binary "domain/non-domain" profiles to "domain/private/public" created complications for VPN scenarios where we need selective firewall behavior.

When OpenVPN creates a TAP adapter interface, Windows 7 applies the most restrictive firewall profile between the physical network (typically "public") and VPN network ("domain"). This results in blocked inbound connections even when users establish VPN tunnels back to corporate networks.

Here's a complete PowerShell script that implements interface-specific firewall rules for OpenVPN:


# Requires the NetSecurity module (Windows 8 / Server 2012 or later) and an elevated prompt.
# First identify your OpenVPN interface. New-NetFirewallRule binds rules by interface alias
# (-InterfaceAlias); it has no -InterfaceIndex parameter, so capture the adapter name.
$vpnInterface = Get-NetAdapter | Where-Object {$_.InterfaceDescription -like "*TAP*"} | Select-Object -ExpandProperty Name

# Create custom firewall rules for the VPN interface
New-NetFirewallRule -DisplayName "Allow All on VPN Interface" -Direction Inbound -Action Allow -InterfaceAlias $vpnInterface
New-NetFirewallRule -DisplayName "Allow All Out on VPN Interface" -Direction Outbound -Action Allow -InterfaceAlias $vpnInterface

# Optionally block other interfaces if needed
Get-NetAdapter | Where-Object {$_.Name -ne $vpnInterface} | ForEach-Object {
    New-NetFirewallRule -DisplayName "Block Non-VPN Interface $($_.Name)" -Direction Inbound -Action Block -InterfaceAlias $_.Name
}

For enterprise deployment:

  1. Package this as a logon script that runs after VPN connection
  2. Include interface validation logic to handle cases where TAP adapter isn't present
  3. Consider combining with Group Policy Preferences for centralized management

For more advanced scenarios, you can manipulate the Windows Filtering Platform (WFP) directly:


# Requires admin privileges.
# Add-WfpFilter and New-WfpCondition are not built into Windows; they assume a third-party
# WFP PowerShell module that exposes FwpmFilterAdd. WFP conditions match on interface index.
$vpnIfIndex = (Get-NetAdapter | Where-Object {$_.InterfaceDescription -like "*TAP*"}).ifIndex
$guid = [guid]::NewGuid()
# FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4 as defined in fwpmu.h (inbound accept layer; verify the
# value against your SDK headers before use)
$layerGuid = "e1cd9fe7-f4b5-4273-96c0-592e487b8650"

# Create a temporary filter that allows all traffic on the VPN interface
Add-WfpFilter -DisplayName "VPN Passthrough" -LayerKey $layerGuid -Action Permit -Weight 1000 -Condition @(
    New-WfpCondition -FieldKey "FWPM_CONDITION_INTERFACE_INDEX" -MatchEqual $vpnIfIndex
) -Guid $guid
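The deployment notes above ask for interface validation and repeatable logon-script runs. The following script is an added example, not code from the answer above: it refuses to act unless exactly one TAP adapter is present, replaces rather than duplicates its own rules on each run, scopes the inbound allow to the subnet reached over the tunnel instead of allowing everything, and prints which interface each rule is bound to. It assumes the NetSecurity module (Windows 8 / Server 2012 or later), an elevated prompt, and a constructed VPN subnet of 10.8.0.0/24; the rule names, group name and adapter pattern are also assumptions.

```powershell
# Added example: validated, idempotent, subnet-scoped rules bound to the OpenVPN TAP adapter.
# Assumes the NetSecurity module (Windows 8 / Server 2012+) and an elevated prompt.
# 10.8.0.0/24 is a constructed placeholder for the corporate VPN subnet.
param(
    [string]$AdapterPattern = "*TAP*",
    [string]$VpnSubnet      = "10.8.0.0/24",
    [string]$RuleGroup      = "OpenVPN Interface Rules"
)

# Validation: act only when exactly one matching adapter exists, otherwise leave the firewall alone
$adapters = @(Get-NetAdapter | Where-Object { $_.InterfaceDescription -like $AdapterPattern })
if ($adapters.Count -eq 0) {
    Write-Warning "No adapter matching '$AdapterPattern'; firewall left unchanged."
    exit 1
}
if ($adapters.Count -gt 1) {
    Write-Warning "Several adapters match '$AdapterPattern' ($($adapters.Name -join ', ')); refusing to guess."
    exit 1
}
$alias = $adapters[0].Name

function Set-VpnRule {
    # Idempotent: remove any earlier copy of the rule before creating it again
    param([string]$DisplayName, [string]$Direction, [hashtable]$Extra)
    if (Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue) {
        Remove-NetFirewallRule -DisplayName $DisplayName
    }
    New-NetFirewallRule -DisplayName $DisplayName -Group $RuleGroup -Direction $Direction `
        -Action Allow -InterfaceAlias $alias -Profile Any @Extra | Out-Null
}

# Inbound: only peers on the VPN subnet may reach this host through the tunnel.
# Outbound: anything may leave over the tunnel interface.
Set-VpnRule -DisplayName "OpenVPN Inbound (VPN subnet only)" -Direction Inbound -Extra @{ RemoteAddress = $VpnSubnet }
Set-VpnRule -DisplayName "OpenVPN Outbound" -Direction Outbound -Extra @{}

# Verification: list the rules in our group with the interface each one is bound to
Get-NetFirewallRule -Group $RuleGroup | ForEach-Object {
    $ifFilter = $_ | Get-NetFirewallInterfaceFilter
    "{0,-36} {1,-9} interface={2}" -f $_.DisplayName, $_.Direction, ($ifFilter.InterfaceAlias -join ',')
}
```

Because the rules carry a `-Group`, a later audit or removal is a single `Get-NetFirewallRule -Group "OpenVPN Interface Rules"`; the Block rules for other adapters from the answer above are deliberately not reproduced here, since blocking all inbound traffic on every non-VPN interface is usually better expressed through the Public profile's default inbound policy.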

In Windows XP environments, we could easily disable the firewall on specific interfaces using simple netsh commands. This was particularly useful for OpenVPN scenarios where we needed bi-directional access while maintaining security on other interfaces. However, Windows 7 introduced a more complex firewall profile system (Domain, Private, Public) that doesn't directly support per-interface firewall control through the GUI.

Windows 7's firewall operates with three network location profiles:

  • Domain: When connected to a domain controller
  • Private: Home or work networks
  • Public: Untrusted networks (hotels, cafes, etc.)

The main limitation is that firewall rules apply to all interfaces in a given profile, preventing the per-interface control we had in XP.

While we can't completely disable the firewall on a single interface in Windows 7 like we could in XP, we can create rules that effectively achieve the same result by allowing all traffic on the VPN interface while maintaining protection on others.

Step 1: Identify Your VPN Interface

First, determine the exact name of your OpenVPN interface:

netsh interface show interface

Look for an interface named something like "OpenVPN TAP-Windows6" or similar.

Step 2: Create Allow-All Rules for the VPN Interface

Create inbound and outbound rules that allow all traffic on the VPN interface:

netsh advfirewall firewall add rule name="OpenVPN Full Access Inbound" dir=in action=allow interface="OpenVPN TAP-Windows6"
netsh advfirewall firewall add rule name="OpenVPN Full Access Outbound" dir=out action=allow interface="OpenVPN TAP-Windows6"

Step 3: Create a Script for Deployment

For enterprise deployment, create a batch script (disable_vpn_firewall.bat):

@echo off
:: Script to disable firewall restrictions on OpenVPN interface
:: Replace "OpenVPN TAP-Windows6" with your actual interface name
:: Note: "netsh advfirewall firewall add rule" documents only interfacetype=wireless|lan|ras|any,
:: not a named interface; run "netsh advfirewall firewall add rule ?" on the target build and
:: confirm the rule is created with the intended scope before deploying this script.

netsh advfirewall firewall add rule name="OpenVPN Full Access Inbound" dir=in action=allow interface="OpenVPN TAP-Windows6"
netsh advfirewall firewall add rule name="OpenVPN Full Access Outbound" dir=out action=allow interface="OpenVPN TAP-Windows6"

echo Firewall rules for OpenVPN interface have been configured successfully.
pause

After applying these rules, verify them with:

netsh advfirewall firewall show rule name=all

Test connectivity through the VPN interface while ensuring other interfaces remain protected.

For more modern environments, you might prefer a PowerShell solution:

# OpenVPN Firewall Configuration Script
# Requires the NetSecurity module (Windows 8 / Server 2012 or later) and an elevated prompt.
# -InterfaceAlias takes the adapter's friendly name as shown by Get-NetAdapter.
$vpnInterface = "OpenVPN TAP-Windows6"

New-NetFirewallRule -DisplayName "OpenVPN Full Access Inbound" -Direction Inbound -Action Allow -InterfaceAlias $vpnInterface
New-NetFirewallRule -DisplayName "OpenVPN Full Access Outbound" -Direction Outbound -Action Allow -InterfaceAlias $vpnInterface

Write-Host "Firewall rules for $vpnInterface have been configured."

While this solution provides the functionality you need, be aware that:

  • The VPN interface will have no firewall protection
  • Ensure your VPN provides adequate encryption and security
  • Regularly audit these rules in your environment
  • Consider combining with Connection Security Rules for additional protection

For domain environments, you can deploy these settings through Group Policy Preferences:

  1. Create a new GPO
  2. Navigate to Computer Configuration > Preferences > Windows Settings > Files
  3. Add your script and configure it to run at startup/login
  4. Alternatively, use the built-in firewall policy settings
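Steps 1 to 3 above bind a rule to a named interface, and the PowerShell variant relies on cmdlets that Windows 7 does not ship. The script below is an added example, not part of the answer above, showing the one interface-scoping mechanism that does exist on Windows 7: the Windows Firewall COM API (HNetCfg.FwPolicy2 / HNetCfg.FWRule), whose INetFwRule.Interfaces property restricts a rule to a list of interface friendly names. It validates that the interface exists (using the same friendly name `netsh interface show interface` prints), replaces its own rule on repeated runs, and ends with an audit listing of every rule that is interface-bound. The interface name and rule name are assumptions; the enumeration values are the NET_FW_* constants from icftypes.h. Run it from an elevated prompt.

```powershell
# Added example: interface-bound inbound rule on Windows 7 via the firewall COM API.
# Interface and rule names are assumptions; run elevated.
$InterfaceName = "OpenVPN TAP-Windows6"     # friendly name from "netsh interface show interface"
$RuleName      = "OpenVPN Full Access Inbound"

# NET_FW_* enumeration values from icftypes.h
$NET_FW_RULE_DIR_IN  = 1
$NET_FW_ACTION_ALLOW = 1
$NET_FW_PROFILE2_ALL = 0x7FFFFFFF

function Test-InterfaceExists([string]$Name) {
    # Win32_NetworkAdapter.NetConnectionID carries the same friendly name netsh and the GUI show
    $found = Get-WmiObject -Class Win32_NetworkAdapter -Filter "NetConnectionID='$Name'"
    return [bool]$found
}

function Add-InterfaceBoundRule([string]$Name, [string]$Interface) {
    $policy = New-Object -ComObject HNetCfg.FwPolicy2

    # Idempotent: remove every earlier copy so repeated logon-script runs do not stack duplicates
    $dups = @($policy.Rules | Where-Object { $_.Name -eq $Name })
    foreach ($d in $dups) { $policy.Rules.Remove($Name) }

    $rule = New-Object -ComObject HNetCfg.FWRule
    $rule.Name        = $Name
    $rule.Description = "Inbound allow bound to the OpenVPN TAP interface only"
    $rule.Direction   = $NET_FW_RULE_DIR_IN
    $rule.Action      = $NET_FW_ACTION_ALLOW
    $rule.Profiles    = $NET_FW_PROFILE2_ALL   # matches whichever profile the TAP adapter lands in
    $rule.Enabled     = $true
    # Interfaces takes an array of friendly names; traffic on any other adapter never matches this rule
    $rule.Interfaces  = [object[]]@($Interface)
    $policy.Rules.Add($rule)
}

function Get-InterfaceBoundRules {
    # Audit helper: every rule restricted to specific interfaces, for the regular review the answer recommends
    $policy = New-Object -ComObject HNetCfg.FwPolicy2
    $policy.Rules | Where-Object { $_.Interfaces -ne $null -and @($_.Interfaces).Count -gt 0 } |
        Select-Object Name, Direction, Action, Enabled, @{n='Interfaces'; e={ @($_.Interfaces) -join ', ' }}
}

if (-not (Test-InterfaceExists $InterfaceName)) {
    throw "Interface '$InterfaceName' not present; firewall left unchanged."
}
Add-InterfaceBoundRule -Name $RuleName -Interface $InterfaceName
Get-InterfaceBoundRules | Format-Table -AutoSize
```

The same COM objects work from a Group Policy startup script, so this fits the deployment steps above without needing a newer PowerShell; the audit function is the piece to schedule if the rule set is to be reviewed regularly, since the Windows 7 firewall GUI does not display the Interfaces restriction.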