[mirimir]

It's better to use Windows Firewall, because blocking is virtually instant. Basically, you set LAN as a private network, and the VPN as a public network. For LAN, you allow connections only to the VPN server(s) that you use, plus a DNS server that's not associated with your ISP. You can also allow connections to other LAN devices, if you like. For the VPN, you allow all output, but only input for established connections.

[j_s]

Can you point to a writeup of how to do this?

The only step beyond this that I have seen is a recommendation to use OpenBSD as a firewall in a virtual machine.

[mirimir]

No, sorry. I used to know a URL, but ... And most of your search hits will feature application-level blocking, which seems silly to me. Also, I don't use Windows much anymore. And I've forgotten the specifics.

But. It's basically what I described. For public VPN network, just use the default (all output, only established input). For private LAN, deny all output and input, and allow output to selected IP addresses (VPN and DNS servers).

[j_s]

Thanks for taking the time to reply. It seems like this would be worth a write-up!

Perhaps something like this can be scripted; if it becomes polished enough it could be recommended as a part of every VPN setup.

[tacon]

Interesting feature of Windows firewall, thanks. As the AirVPN client connects, it checks several hundred servers for the lightest load, so for that default behavior, I don't know which IPs to configure locally.

[mirimir]

Well, the AirVPN client in Windows has its own firewall, which I didn't manage to make leak.