Prevent users from disconnecting AOVPN user tunnel

Peter HollandI know I'm providing support for someone who doesn't understand any of these topics. So I did actually give you replies, but for some reason they didn't show up lmao. I wrote some examples for you. I'm going to post them again, with PowerShell examples. I saved them, just in case nothing worked out. It's very generic, so read it at your own leisure:

Routers allow you to create VLANs where you can partition each device on the network. Obviously if you're worried about a client not being able to see a LAN address, then of course you could enable that network service, but block all the rest, so the client is forced to tunnel through the VPN to get to a WAN address ( all incoming connections MUST be blocked. ) The most basic service configuration has Unicast DNS ( UDP 53, ) Multicast DNS / mDNS ( UDP 5353, ) HTTP ( TCP 80, ) HTTPS / SSL / TLS 1.3+ ( TCP 443, ) and maybe WireGuard ( UDP 51820. ) In a rare situation, it would be UDP 123 for NTS / NTP ( Network Time Security / Network Time Protocol. ) Often you can tunnel almost any other service, including NTP, over the VPN, other than using DNS to bootstrap a DNS Stub Resolver, which in turn feeds a DNS server. In actuality, you could block all outgoing connections that don't utilize WireGuard ( UDP port 51820, ) and it would still work, although it will fail if the timestamps are inaccurate, or the system clock is not up to date. This is for the router though, not the operating system's firewall. You could even use a 3rd-party service to update the system clock if you're REALLY worried about security. Don't try to offload EVERYTHING to a software firewall, unless you want really high latency, and high power usage. That is a really big mistake. Even if you have interrupt moderation enabled for the network adapter, tons of receive buffers, and a decent multi-core CPU, it won't be anywhere near as fast as the ASIC / ASSP ( in this case a form of applications processor that has hard-IP blocks specifically made for encryption ) that comes with the VPN Router. A CPU is a general purpose processor, and will always be slower and less efficient at this task ( networking 101. )

Most commercial-grade entry-level SOHO routers have VPN support, and VPN passthrough, which is above and beyond the speed of any desktop computer you have. The method you have chosen ensures maximum lag for anyone on your network, if you were wondering. Nobody does that. You have to see the VPN is just an extra layer, a virtual one at that, in which packets / traffic are encapsulated over / through, and they traverse this one layer, to reach this specific endpoint. All you're doing is tunneling traffic from the router to the VPN server, which is treated much like an exit node. So while it still uses the service provider's network, the exit node in this sense will not be the router, but the VPN server. Split tunneling just removes that layer for one particular program or service. You could actually change the firewall rules to unblock certain services, and add an extra VLAN that has another DNS server and HTTPS port that bypasses the VPN, if you are that worried. You could even change the service configuration to assign it a fixed IP address based on the port, or a certain range, and assign that one particular range to another VLAN, which of course uses up memory to do this ( VLAN partitioning, a feature based on the concept of Software Defined Networking / Network Virtualization. ) The operating system settings could be bypassed, regardless of what you do, or if there is a BYOD policy, anyone can bypass it, so this is why the router is used to configure this and not the device itself. When you properly configure the VPN, the device is not even aware the traffic is being tunneled through the VPN, because the router handles it, and you can't change it no matter what you do. This is why people do this, and they don't do anything else. Any other solution doesn't work. People will use simple DNS workarounds to bypass it, and you will look like an amateur ( even a lot of teenagers know how to get around this. ) Most Public WiFi hotspots are set up like this btw, and they often have a captive portal as well. If you don't want to use a hardware router, you could use VyOS, or some other combination of software on Solaris 11,x, or another operating system ( lots of open source software routers / software appliances that can run in a container, docker image, or whatever it is you have in mind. )

NOTE: I would suggest looking at a certification like CompTIA's Network+, Security+, or even CCNP, MCSE, etc. Here are some more free resources to help: https://techcommunity.microsoft.com/t5/windows-deployment/educational-resources-for-systems-administration-servicing/m-p/3062844/highlight/true#M836

Here is another obvious thing most people do with VPNs. You might not like this idea as it sounds strange, but I assign a VLAN to every SINGLE device, and disable multicast ( it's to sandbox / partition every device on my local area network. ) The router's MAC address is used instead of the one on the device. When I close the connection, and those resources are freed from memory, nothing is left, and the configuration is actually way more simple ( less of a focus on randomly generating MAC addresses for client devices on the network. Of course some VPNs have features to block LAN addresses entirely, or network probing / port scans from other devices, but that's not the same as this. I already hardened my network stack, so it does this from the very beginning. That's a separate concept. ) It's way more secure, but it uses up more memory if you have a lot of services going, almost 50MB per device, which is a lot for an older VPN router. It sounds like something straight out of the early 1990s, but I have so much filtering that all incoming ports are blocked, all outgoing ports are blocked except the most basic things needed for VPN / VPN Passthrough, which is practically ONE port, for the entire VLAN. When you have A LOT of sockets open, and ephemeral key encryption enabled, it slows down, almost overheats my router too. I don't notice any slowdowns, just because my router handles the service configuration ( not any of my devices. I have a very light software firewall setup going, just to schedule which types of programs I want to connect to the network, but that's it. ) Of course if you scale up to a branch router or a rackmount system with service-grade hardware, your power consumption goes way up ( not to mention the amount of heat that generates. That would be excessive for a very simplistic setup, like the one I have. ) You have to be very mindful of power draw, especially if you add a lot of devices to your network.

Windows Defender Firewall with Advanced Security Administration with Windows PowerShell -> https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell

Service overview and network port requirements for Windows -> https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/service-overview-and-network-port-requirements

Configure network infrastructure to support the NLB ( Network Load Balancing ) operation mode -> https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-network-to-support-nlb-operation-mode

Windows Admin Center -> https://www.microsoft.com/en-us/windows-server/windows-admin-center

This script blocks all traffic, as described in some of the documentation ( I use things like this to deal with programs that try to automatically enable rules for no good reason. )

@ECHO OFF
SETLOCAL
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {Get-NetFirewallProfile | Set-NetFirewallProfile -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block -AllowUnicastResponseToMulticast False -NotifyOnListen True -EnableStealthModeForIPsec True}"
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {Get-NetFirewallRule -Enabled True | Disable-NetFirewallRule}"
ENDLOCAL

Here's an example of a script that creates a firewall rule for the Windows Time Service:

PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {New-NetFirewallRule -Action Allow -Direction Outbound -DisplayName 'Windows Time Service' -Profile Any -Protocol UDP -LocalPort 123 -RemotePort 123 -Service W32Time}"