>If I choose "enable all" for both the NordVPN client and service executables, it does work as expected. However, I was trying to be a little more restrictive and not give the app carte blanche online access. But if that's what I need to do, so be it.
Actually you can avoid using EnableAll and set a more restrictive permission.
It could hardly be a predefined rule, as WxFC is not aware of every VPN that could be used, so you will have to create a custom rule/zone.
Most probably the VPN client and (local) services will need localhost (127.0.0.1) accessibility, DNS and DHCP related access and the main access to the related VPN server.
So you will have to create a new zone, add localhost, DNS, and DHCP rules (using the repository) and add an enabling (per-IP or per-name) rule for the VPN server.
What is the VPN server's IP/name? We do not have any related information, unfortunately.
But the information can be obtained easily.
When you add localhost, DNS, DHCP rules only, apply the zone to the VPN client part (all the related programs) and try to connect, you will be blocked. The blocked event will show you the required name/address, you will just have to add the address to the zone.
If the IP is mutable you will have to make some iterations, but anyway a more restrictive zone is definitely possible.
Needless to say that the above may be a bit redundant.
Imagine if a program (a VPN client, for instance) never tries to access a server; there would hardly be any sense in blocking a connection that will never be established. So maybe using EnableAll for the VPN client is safe enough as well.
>Thanks for the right-click explanation, I was always choosing "edit" and got frustrated when I couldn't cut and paste the URL and port.
The feature is scheduled, but the implementation is delayed unfortunately.
The main reason is that per-IP rules are always strict and unambiguous.
Per-name settings may not be too obvious, so any related automation may not give the expected results right away.