[j_s]

Can you point to a writeup of how to do this?

The only step beyond this that I have seen is a recommendation to use OpenBSD as a firewall in a virtual machine.

[mirimir]

No, sorry. I used to know a URL, but ... And most of your search hits will feature application-level blocking, which seems silly to me. Also, I don't use Windows much anymore. And I've forgotten the specifics.

But. It's basically what I described. For public VPN network, just use the default (all output, only established input). For private LAN, deny all output and input, and allow output to selected IP addresses (VPN and DNS servers).

[j_s]

Thanks for taking the time to reply. It seems like this would be worth a write-up!

Perhaps something like this can be scripted; if it becomes polished enough it could be recommended as a part of every VPN setup.