Block Windows Internet Access (Allow LAN & VPN)

TL;DR

This guide shows you how to block all internet access for Windows system processes except those using your Local Area Network (LAN) and Virtual Private Network (VPN) connections. This is useful for preventing unwanted updates or telemetry while still allowing local network resources and secure remote access.

Solution Guide

1. Identify Your Network Profiles: Windows uses different profiles for different networks (Private, Public). You need to know which profile your current connection is using.

• Go to Settings > Network & Internet > Ethernet or Wi-Fi (depending on your connection type).
• Click on the connected network name.
• Look for the ‘Network Profile’ setting. It will say either ‘Private’ or ‘Public’.

Create Windows Firewall Rules for Private Networks: We’ll create rules to allow LAN traffic and block everything else.

• Open Windows Defender Firewall with Advanced Security (search in the Start menu).
• In the left pane, click on Outbound Rules.
• Click New Rule… in the right pane.
• Select Program and click Next.
• Select This program path: and browse to C:WindowsSystem32svchost.exe. Click Next. (This targets system processes.)
• Select Block the connection and click Next.
• Check all three profiles (Domain, Private, Public) and click Next.
• Give the rule a descriptive name like ‘Block System Outbound – All Profiles’ and click Finish.

Create Windows Firewall Rules for LAN Traffic on Private Networks: Allow traffic to your local network subnet.

• In Windows Defender Firewall with Advanced Security, click New Rule… again.
• Select Custom and click Next.
• On the ‘Program’ page, select All programs and click Next.
• On the ‘Protocol and Ports’ page, leave everything as default (Any) and click Next.
• On the ‘Scope’ page:
• For Remote IP address select These IP addresses:
• Enter your local network subnet in CIDR notation. For example, if your router’s IP is 192.168.1.1 and the subnet mask is 255.255.255.0, enter 192.168.1.0/24. (Find your network details using ipconfig in Command Prompt.)
• Click Next.
• Select Allow the connection and click Next.
• Check only Private and click Next.
• Name the rule ‘Allow LAN Outbound – Private’ and click Finish.

Create Windows Firewall Rules for VPN Traffic on Public Networks: Allow traffic when connected to a VPN. This is more complex as it depends on your VPN adapter name.

• Open Windows Defender Firewall with Advanced Security.
• Click New Rule… again.
• Select Custom and click Next.
• On the ‘Program’ page, select All programs and click Next.
• On the ‘Protocol and Ports’ page, leave everything as default (Any) and click Next.
• On the ‘Scope’ page:
• For Remote IP address select These IP addresses:
• Enter your VPN server’s IP address or subnet in CIDR notation (check your VPN provider documentation). If you don’t know it, leave this as ‘Any’.
• Click Next.
• Select Allow the connection and click Next.
• Check only Public and click Next.
• Name the rule ‘Allow VPN Outbound – Public’ and click Finish.

Verify the Rules: Ensure the rules are enabled and in the correct order. The ‘Block System Outbound’ rule should be at the top of the list for all profiles, followed by the LAN/VPN allow rules for their respective profiles. You can drag and drop to reorder them.

Test Your Connection: Disconnect from your network (or switch to Public profile) and verify that internet access is blocked for system processes but LAN resources are still accessible. Connect to your VPN and confirm it works as expected.