In order for a VPN software to work properly, it needs to have full access to networking since it has to be able to add and remove routes. If the VPN software provides additional firewall/dns leak protection, like the Perfect Privacy VPN Manager, it will also need to have full access to the Windows Firewall: To prevent IP or DNS leaks it is necessary to add corresponding firewall rules. Additionally, firewall rules are needed to ensure that traffic can only be sent through the encrypted VPN tunnel.
Third party firewall conflicts with VPN firewall
This functionality of VPN software is often in conflict with personal firewalls and other security software from third party vendors. Such programs usually take control over the Windows Firewall. You can easily check if that is the case by opening the Windows Firewall: If you see a yellow highlighted note that says “These settings are being managed by vendor application XXX”, then the Windows Firewall is controlled by a third party program.
If that is the case, you should assume that the firewall and dns leak protection in the VPN Manager will not be working. However, depending on the security software it may be possible to work around this: For instance, with Kaspersky Internet Security 2017 you can deactivate the firewall functionality (this was not possible with the 2016 version). That doesn’t mean that the firewall is off, it just means that the Windows operating system has control over the firewall rules again.
Manual firewall test
With a simple test you can check whether the firewall and dns leak protection of the Perfect Privacy VPN Manager is working properly: Start the VPN Manager without connecting to a server. Now go to “Settings” -> “Firewall and DNS” and set the firewall and dns leak protection to “Activate while program is active”. This will ensure that traffic can only be sent over a VPN tunnel. Since no VPN connection was established, internet connections should not be possible as long as the VPN Manager is running. But if the Windows Firewall is controlled by third party software, this will circumvent this restriction. To test this, leave the Settings and open a command line window (press Windows key + R, then type in “cmd”). In the terminal window running the following commands:
ping 188.8.131.52 ping google.com
Both tests should not not receive any packets. The first command checks the firewall protection, the second command verifies the dns leak protection. If any of those ping packets come through, the leak protection is not working.
As mentioned before, some security programs allow you to release the firewall control back to Windows. Among these are Kaspersky Internet Security 2017, McAfee and ESET Smart security. Other security software does not (yet) have this option, like Norton Internet Security and Bitdefender.
Generally we do not recommend using any third party software that takes control over the firewall since this gives no additional benefit over using the Windows Firewall and also because it is often in conflict with other programs.
If you are using security software which allows to disable the firewall functionality, you should do that in order for the leak protection to work properly. After you have deactivated the firewall contol in the software, open the Windows Firewall and click on “restore defaults”. After that, the above mentioned ping tests should confirm that the leak protection is working again.