How to safeguard PPTP connection - Windows 7?

This can be achieved by configuring a firewall to allow only connections to the VPN provider's IP and/or the TCP port 1723 and the UDP port 47.

If you're using several VPN providers, port-based blocking is easier. If not, IP-based blocking is more secure. In any case, you can use both.

For example, you can configure Windows Firewall to do this:

  1. Let's assume you're using superfreevpn.com (69.60.121.29).

  2. Connect to the Internet and your VPN.

  3. Press Win + R and execute control /name Microsoft.NetworkandSharingCenter.

  4. In View your active connections, click the link Home/Work/Public Network below your Internet connection and choose Public network.

  5. In View your active connections, click the link Home/Work/Public Network below your VPN connection and choose Work network.

  6. Press Win + R and execute WF.msc.

  7. In Windows Firewall with Advanced Security on Local Computer, click Action, then Properties, go to the Private Profile tab and set the following:

    Firewall state:        On (recommended)
    Inbound connections:   Block all connections
    Outbound connections:  Allow (default)
    
  8. Port-based

    • In Outbound Rules, click Action, then New Rule... and select the following:

      Port
      TCP
         Specific remote ports: 1-1722, 1724-65535
      Block the connection
      Public
      Public TCP
      
    • In Outbound Rules, click Action, then New Rule... and select the following:

      Port
      UDP
         Specific remote ports: 1-46, 48-65535
      Block the connection
      Public
      UDP
      

    IP-based

    • In Outbound Rules, click Action, then New Rule... and select the following:

      Custom
      All programs
      Any
      Any IP address
      These IP addresses
          Add
              This IP address range -> From: 0.0.0.0      To: 69.60.121.28
          Add
              This IP address range -> From: 69.60.121.30 To: 255.255.255.255
      Block the connection
      Public
      Non-VPN
      
  9. Since we've blocked all non-VPN DNS queries now, superfreevpn.com won't get resolved.

    Either modify your VPN connection by replacing the hostname by its IP, or add the following line to %windir%\system32\drivers\etc\hosts:

    69.60.121.29    superfreevpn.com
    

Loosely adapted from How to configure firewall such that when VPN disconnects, all browsing stops.


A slight addition to the excellent answer by Dennis: if your Internet connection is configured to use DHCP (as most are) you will not be able to get an IP address unless you exclude the DHCP server address and the broadcast address 255.255.255.255.

Run ipconfig /all (while DHCP still works) to find the address of your DHCP server. Let's say it's 192.168.2.1 and the VPN server is 69.60.121.29, as in Dennis's example. You would then configure blocking for the following IP ranges:

From 0.0.0.0      to 69.60.121.28
From 69.60.121.30 to 192.168.1.255
From 192.168.2.2  to 255.255.255.254

As a temporary workaround you could also disable the outbound firewall rule that blocks everything. That's handy if you've already "lost" your IP address and don't know the address of your DHCP server.

(Credit to Marcks Thomas for the original answer. I'm just adding it to this question in case other users run into the same problem.)

Another, unrelated addition: it may be a good idea to disable network discovery and file and printer sharing for Home/Work networks if you follow the steps above, given that you've configured the entire Internet as your "Work" network. You can do this under Network and Sharing Centre, Change advanced sharing settings.
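
The IP-based block ranges used in the answers above can be computed rather than worked out by hand. The following is an added example, not part of either answer: it takes the addresses that must stay reachable (VPN server, DHCP server, broadcast) and returns every other IPv4 range. The function names `block_ranges` and `netsh_rule` are hypothetical, and the `netsh advfirewall` line it prints is assumed to be used as a command-line equivalent of the "Non-VPN" outbound rule created in WF.msc.

```python
import ipaddress

MAX_IPV4 = 0xFFFFFFFF


def block_ranges(allowed):
    """Return inclusive (first, last) IPv4 ranges covering every address
    that is NOT in `allowed`. Duplicates and adjacent addresses are handled."""
    keep = sorted({int(ipaddress.IPv4Address(a)) for a in allowed})
    ranges, start = [], 0
    for addr in keep:
        if addr > start:                 # gap before this allowed address
            ranges.append((start, addr - 1))
        start = addr + 1                 # resume just after the allowed address
    if start <= MAX_IPV4:                # tail up to 255.255.255.255
        ranges.append((start, MAX_IPV4))
    return [(str(ipaddress.IPv4Address(a)), str(ipaddress.IPv4Address(b)))
            for a, b in ranges]


def netsh_rule(name, ranges, profile="public"):
    """Format one outbound block rule for netsh (Windows Firewall CLI)."""
    remote = ",".join(f"{a}-{b}" for a, b in ranges)
    return (f'netsh advfirewall firewall add rule name="{name}" dir=out '
            f'action=block profile={profile} remoteip={remote}')


if __name__ == "__main__":
    # Addresses taken from the answers above.
    vpn_server = "69.60.121.29"
    dhcp_server = "192.168.2.1"      # found with: ipconfig /all
    broadcast = "255.255.255.255"    # needed for DHCP discovery

    ranges = block_ranges([vpn_server, dhcp_server, broadcast])
    for first, last in ranges:
        print(f"From {first:<15} to {last}")
    print(netsh_rule("Non-VPN", ranges))
```

For the three addresses used above, the middle range ends at 192.168.2.0, the last address before the DHCP server. Passing only the VPN server's address reproduces the two ranges from step 8.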