Windows Firewall - per-VPN-interface local IP assignment - how?

Discussion in 'Windows 10' started by OpenSourceGhost, May 2, 2022.

  1. OpenSourceGhost

    VPN tunnels use their own network adapter interfaces with their own local IP addresses. What to do when the VPN adapter IP is the same as the local IP for someone on the same physical local network? For example, a VPN app may force its TAP/TUN adapter to use a static local IP of 10.10.10.10, but a network can have a physical local client with the same IP of 10.10.10.10. I create per-interface rules on my machines, but that only works when my local IP is different from the VPN adapter IP. How can I create per-interface rules when my real local IP = VPN adapter IP? Normally, a workaround would be just to change the local IP, but I am in a situation where both the local IP and the VPN adapter IP are static and identical...

    I can easily navigate around a similar situation in Linux because its basic Netfilter tools allow per-interface rules, per-interface IP binding, MAC binding, and the Linux kernel can enforce ARP filtering, return path filtering, etc. I am sure Windows Base Filtering Engine is quite capable of doing the same, but Windows Firewall doesn't seem to provide features similar to those of Linux Netfilter.