VPN only for a single program

Question

I'm creating a new VPN service, to enable players of the Crysis 1, Crysis Wars, and Crysis 2 games to continue playing after the online multiplayer is shut down at the end of this month.

The purpose of this VPN service is to provide a private LAN, where players can connect to the VPN and view the LAN server list to connect to servers (servers obviously have to be connected to the VPN also).

This is where the problem lies; I only want the VPN server to support this server network, and not allow people access to the internet. This is because if they download torrents, watch video, etc, it will make the VPN server slow. Obviously I can just block all access to the web, but unfortunately most players like to browse the internet, play music on YouTube, etc, while playing.

Is it possible on Windows to only allow the games and servers to use the VPN, while forcing users to bypass the VPN for other internet communication? Is there some Windows Firewall rule that can be applied to create this behaviour? I only want the gameservers and games to use the VPN server.

If this isn't possible, is it possible programmatically? C++ and Lua can only be used for this.

The VPN is on Linux.

Answer 1

You have two easy approaches for this: Microsoft's horribly insecure PPTP and OpenVPN.

PPTP is built-in to Windows, and doesn't require a download for your players. The catch is that the data exchanged will not be secure - a dedicated attacker will be able to break into the data streams because there are flaws in the encryption used by PPTP. Since this is a gaming service with little to loose (other than a few multiplayer matches) this might be an acceptable risk, but you're not entirely clear about how all of the components fit together, and what is "acceptable". You will want to install the pptpd service on your linux box and configure it from there. Once installed, it will accept connections from anyone that has the correct username/password pair.

OpenVPN is a bit more heavy-weight but will provide full security. It can be independently downloaded and installed. The setup of this service is outside the scope of the question - it is a bit involved. Suffice to say, it will not only require the download and installation of a client for your players, but possibly the exchange of a SSL certificate file as well. It will provide reasonable security and the latency isn't too horrible, so this is a good solution if you must have good security.

With regard to internet access, iptables and routing will prevent players from getting external access. You would, in essence, create a subnet on a network port that has all traffic blocked that tries to exit the subnet. This will prevent players from turning your server into their own private ISP/router.

Finally, Windows should be smart enough to route packets to the appropriate network. What this means in practice is that any packets destined for your game server will travel down the VPN pipe, everything else will go out the "regular" connection. So if you set this up correctly, and your players have the correct setup, it won't matter.

To keep things simple, I would recommend the PPTP version of things, tighten up your security a little bit, and simply keep an eye on the access logs. You may want to incorporate a custom fail2ban script so that dictionary attacks against PPTP will result in a lock-out.

Answer 2

I recommend using OpenVPN. There is an option called "redirect-gateway" in the client configuration which, if enabled, will redirect traffic from the client though your VPN. You obviously would not want this option in the OpenVPN configurations your clients have. Server-side, you could use "iptables" to prevent clients from accessing the internet though your the VPN. This link link contains information for how to configure OpenVPN and in the section labeled "Configuring client-specific rules and access policies" it guides you though giving your users limited network access. In your class you would want to probably drop by default and forward packets only to the Crysis servers.

Answer 3

So i would use tunggle because it's very stable and easy to setup. You can also setup private networks. Check it out at http://www.tunngle.net

Answer 4

If you're on linux and use openVPN, VPNShift works beautifully.

Answer 5

I understand that the VPN is housed on Linux and Crysis on Windows. Therefore all VPN communication goes through the Linux server.

You could set the firewall to allow on the IP segment of the VPN only outgoing connections to the Windows server, so no connection to the Internet is possible on the VPN.

You control the outgoing ports and so control which services are available via the VPN. Users wishing to use unavailable services will need to use the Internet directly rather than via your VPN. This is possible for them by manipulating their route tables.

Answer 6

The solution to this is found here. It is possible to have an installer, which modifies the firewall rules to accomplish this.

Connect to your VPN as you normally would.

Open the Network and Sharing Center - right-click on the Internet connection icon in the taskbar and choose "Open Network and Sharing Center" (see below)

You should see (at least) two networks listed under "View Your Active Networks" - your VPN connection and one called "Network" - a.k.a. your ISP Connection. Ensure that your VPN is a "Public Network", and your ISP connection is "Home Network". If you need to change either connection, click it and an option window will appear (see below).

Go to the Control Panel and click System and Security (see below).

In the resulting window, click Windows Firewall (see below).

In the Windows Firewall window, click Advanced Settings on the left pane (see below). Note: You must be logged in as an Adminstrator to make changes to the Firewall Settings.

You should see a window titled Windows Firewall with Advanced Security. In this window, click Inbound Rules (see below).

On the right pane, you will see an option for a New Rule. Click it (see below).

In the New Inbound Rule Wizard (which should appear), do the following:

Choose Program and click Next.

Choose the program you wish to block all traffic to except on the VPN connection, and click next.

Choose Block the Connection.

Tick Domain and Private. Make sure Public is left unticked.

Repeat Step 9 for Outbound Rules.