@shkiber said in Hello, there is a problem with vpn clients:
I recently restricted access to certain platforms.
Through pfBlockerNG. But I noticed another thing: some employees come with laptops on which third-party VPN clients are installed.
Tell me, if it's not difficult, how you can limit the operation of third-party VPN clients on local hosts through pfSense.
Unfortunately there is not :-(
Modern-day VPN connections are chameleons, as they can use a number of different ways to connect: most disguise themselves to look like regular HTTPS traffic or use non-standard destination ports, and they also leverage several different protocols like ESP, TCP and UDP.
Unfortunately there is no pfBlockerNG feed available that lists all known commercial VPN or “escape” proxy providers out there, as that could help quite a lot (by banning access to those IPs).
So unless you turn your firewall policy around and block everything except the destinations and traffic you allow, this will be a battle you cannot win.
NOTE: There is the option of configuring man-in-the-middle HTTPS proxying on your box and banning most/all ESP, UDP and non-standard TCP outbound connections, but this is at best a MAJOR uphill struggle and requires a lot of work/maintenance.
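As an added illustration of the "block everything except what you allow" egress policy the reply describes (this is not from the original thread, and it is not pfSense's generated ruleset; pfSense writes its own pf.conf from the GUI rules, so these lines only show what the equivalent rules look like in pf syntax), here is a hand-written pf.conf fragment. The interface name igb1, the LAN subnet 10.10.0.0/24, the firewall's own LAN address 10.10.0.1 as the only permitted DNS resolver, and a web proxy at 10.10.0.5 on TCP 3128 are all assumptions for the example. The proxy shown is an explicit forward proxy with a destination allow-list; the HTTPS interception the reply mentions would sit behind the same pass rule.

```pf
# Hypothetical egress rule set for the LAN side of a pfSense box, written by
# hand in pf.conf syntax for illustration (not pfSense's generated config).
# Assumed names: LAN interface "igb1", LAN subnet 10.10.0.0/24, firewall LAN
# address 10.10.0.1 acting as DNS resolver, explicit web proxy 10.10.0.5:3128.

lan_if  = "igb1"
lan_net = "10.10.0.0/24"
lan_gw  = "10.10.0.1"
proxy   = "10.10.0.5"

# Default deny for everything entering from the LAN. No "quick" here, so this
# is the fallback that applies when none of the pass rules below match, which
# is what turns a "block the bad" policy into an "allow only the known".
block in log on $lan_if all

# DNS only to the firewall's own resolver. This also stops "VPN over port 53"
# to an arbitrary external resolver, since no other UDP leaves the LAN.
pass in quick on $lan_if proto { tcp udp } from $lan_net to $lan_gw port 53

# Web traffic only via the proxy, never directly. Direct TCP 443 is where most
# commercial VPN clients hide; forcing the proxy lets you apply a destination
# allow-list (or interception) there instead of guessing at the firewall.
pass in quick on $lan_if proto tcp from $lan_net to $proxy port 3128

# Explicit, logged drops for the carriers VPN clients lean on: ESP (IPsec),
# IKE and NAT-T (UDP 500/4500), and the OpenVPN and WireGuard default ports.
# The default deny above already catches all of these; the separate rules
# only exist so the hits are easy to search for in the firewall log.
block in log quick on $lan_if proto esp from $lan_net to any
block in log quick on $lan_if proto udp from $lan_net to any port { 500 4500 1194 51820 }
block in log quick on $lan_if proto tcp from $lan_net to any port 1194
```

The point of the fragment is the shape of the policy, not the specific ports: with a default deny, a client that moves its tunnel to UDP 443 or a random high TCP port still fails, and the only remaining exits are the resolver and the proxy, both of which can enforce a destination allow-list. The maintenance burden the reply warns about lands on that allow-list.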