how to block vpn
Posted: Sun Apr 09, 2017 10:11 pm
by chenashop
There is a free extension in Google Chrome, Betternet free VPN, which made bypassing any kind of content filtering unbelievably easy. I tried all kinds of port blocking and GRE blocking to block this kind of VPN, but no success.
Any idea?
TIA
Re: how to block vpn
Posted: Sun Apr 09, 2017 10:18 pm
by msatter
OpenVPN can connect over port 80 or 443 so blocking them is almost impossible.
You can only look to which IP addresses they go and block those.
Re: how to block vpn
Posted: Mon Apr 10, 2017 3:23 am
by shaoranrch
> There is a free extension in Google Chrome, Betternet free VPN, which made bypassing any kind of content filtering unbelievably easy. I tried all kinds of port blocking and GRE blocking to block this kind of VPN, but no success.
> Any idea?
> TIA
Unfortunately there's no easy solution for this nor a solution that fixes everything. VPNs like OpenVPN for instance can bypass port blocking because you can choose what port to use and even the protocol.
If this is an enterprise where you've got control over the devices the employees use, try:
1.- Using a UTM/NGFW, these devices can do deep packet inspection and detect app signatures so they can block these
2.- Use a web proxy and block any kind of access to the internet not passing via it, make the proxy work with HTTPS and block anything not allowed
3.- Block any port to any IP that has not been previously allowed by internal security policies
4.- Block devices' usage of extensions on web browsers
5.- Make the computer firewall block DNS requests to non-allowed DNS servers, you can do it as well in a network-wide policy via firewall, use a service like OpenDNS
Points 1 and 2 require the use of a domain service and GPOs to make devices trust forged certificates for SSL/TLS connections, points 4 and 5 require GPOs to lock the computer's functions.
I'm quite sure there are a lot of other things you've gotta do, as mentioned, this is not an easy task nor one that can be achieved doing just a few commands over a single device.
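The default-deny egress logic from points 2, 3 and 5 above, as an added example that is not part of the original post: it evaluates flow records against the policy and reports, per client, what would be dropped. The proxy address and port, resolver address, allowlist entry and all flow records are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

ip = ipaddress.ip_address
# Assumed policy, constructed for this example (RFC 1918 / RFC 5737 addresses).
PROXY, PROXY_PORT = ip("10.0.0.10"), 3128        # point 2: the only web egress path
ALLOWED_DNS = {ip("10.0.0.53")}                  # point 5: sanctioned resolver
ALLOWLIST = [(ipaddress.ip_network("198.51.100.0/24"), "tcp", 443)]  # point 3

def verdict(src, dst, proto, port):
    """Decide one outbound flow under default-deny; returns (action, reason)."""
    src, dst = ip(src), ip(dst)
    if port == 53:
        # Clients may only query the sanctioned resolver; the resolver may recurse.
        ok = dst in ALLOWED_DNS or src in ALLOWED_DNS
        return ("accept", "dns") if ok else ("drop", "dns to non-allowed resolver")
    if dst == PROXY and proto == "tcp" and port == PROXY_PORT:
        return ("accept", "client to proxy")
    if src == PROXY and proto == "tcp" and port in (80, 443):
        return ("accept", "proxy egress")
    for net, a_proto, a_port in ALLOWLIST:
        if dst in net and proto == a_proto and port == a_port:
            return ("accept", "allowlisted destination")
    if proto == "tcp" and port in (80, 443):
        return ("drop", "web traffic bypassing proxy")
    return ("drop", "not allowlisted")

def audit(flow_text):
    """Map each client to the flows the policy would drop."""
    dropped = defaultdict(list)
    for line in flow_text.strip().splitlines():
        src, dst, proto, port = line.split()
        action, reason = verdict(src, dst, proto, int(port))
        if action == "drop":
            dropped[src].append((dst, proto, int(port), reason))
    return dict(dropped)

# Constructed flow records: "src dst proto dst_port".
SAMPLE_FLOWS = """
10.0.1.20 10.0.0.10 tcp 3128
10.0.1.20 10.0.0.53 udp 53
10.0.1.21 192.0.2.53 udp 53
10.0.1.21 203.0.113.7 tcp 443
10.0.1.22 203.0.113.9 udp 1194
10.0.1.23 198.51.100.5 tcp 443
10.0.0.10 203.0.113.7 tcp 443
"""

if __name__ == "__main__":
    for client, flows in audit(SAMPLE_FLOWS).items():
        for f in flows:
            print(client, *f)
```

A tunnel carried through the proxy itself still passes this policy, which is where the TLS inspection in points 1 and 2 comes in.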
Re: how to block vpn
Posted: Thu May 25, 2017 2:26 pm
by r4z0r84
I came up with a solution today that sounded absolutely insane, but it works with iPads as they can only select a single VPN service.
First you set up a secondary gateway with no internet access, give this server an IIS/Apache server ("only hosts VPN profile"), set up a QR code for people to scan,
filter/block the device's MAC address from registering in DHCP so that you can give access to only this new secondary gateway,
set up a wireless profile with a static IP address set and the above gateway, DNS server as gateway as well,
set up a local VPN service to allow users to connect to the "real" network,
require them to install the VPN service profile from the Apache server to gain access to the internet.
If they turn the VPN off, no internet.
If they turn it to auto config from static, no internet (due to DHCP).
If they turn on another VPN, no internet due to no DHCP or real VPN connection to the real network.
iPad > fake gateway > VPN > real gateway > proxy server > internet.
With the above set in place it's impossible for them to use any other VPN, you may also need to poison your DNS for well-known offenders.
Re: how to block vpn
Posted: Wed May 09, 2018 3:39 pm
by aadi
Dear r4z0r84
Please guide this setup in detail, if possible with images, plz
thanks
Re: how to block vpn
Posted: Fri May 11, 2018 6:17 pm
by aadi
Dear r4z0r84
Plz make a video of this setting and share it, plz, I really need it
Re: how to block vpn
Posted: Fri May 11, 2018 7:36 pm
by MangleRule
> Dear r4z0r84
> Plz make a video of this setting and share it, plz, I really need it
What is the purpose of blocking the VPNs? What is suggested above is a terrible idea! Even if you force every client to use your VPN to get primary access, someone can just run a VPN tunnel inside of that tunnel and you are back to square one. You are introducing so much complexity when it doesn't improve security and it makes network performance worse because most VPN technologies impact your MTU and with encryption it will use more resources on the router.
Re: how to block vpn
Posted: Thu May 17, 2018 12:51 pm
by aadi
> > Dear r4z0r84
> > Plz make a video of this setting and share it, plz, I really need it
> What is the purpose of blocking the VPNs? What is suggested above is a terrible idea! Even if you force every client to use your VPN to get primary access, someone can just run a VPN tunnel inside of that tunnel and you are back to square one. You are introducing so much complexity when it doesn't improve security and it makes network performance worse because most VPN technologies impact your MTU and with encryption it will use more resources on the router.
So plz advise me what I can do for these types of extensions