Netgate Discussion Forum
    Block vpn connection on port 443

    pfSense Packages
    14 Posts 5 Posters 2.0k Views
    • DaddyGo @dintzee

      @dintzee

      you're welcome 😉

      Cats bury it so they can't see it!
      (You know what I mean if you have a cat)

      • Gertjan

        More insight here : https://security.stackexchange.com/questions/229324/how-to-block-vpns-using-tcp-port-443

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • DaddyGo @Gertjan

          @Gertjan

          yes it is...

          my opinion is that, pfBlockerNG is more elegant...
          the question of the timeliness of lists arises, but there may be plenty of IPs (VPN, datacenter, etc.) changing in the world... that is a fact.
          (they invented the "sysadmin" name, concepts to follow and/or solve this case)

          I don't know what kind of workstations these are, but with group policy (win), a lot of things are available...

          BTW: unless the VPN is installed in browsers by add-on(s)

          • dintzee

            I can still connect to VPN with some apps tested. I think I need something like detect VPN connection and close it.

            • netblues @dintzee

              pfBlockerNG is fine, as long as there is a way to find VPN addresses from a list which gets updated.
              It's impossible to have a list that can contain all VPN IPs.
              A savvy user could even rent a VPS somewhere and use that as a 443 VPN host. No list will ever find him.

              So we are left with options that can detect protocol anomalies and report them. This means an IDS/IPS service.
              Suricata and Snort are the available options.

              At least in theory.

              About a year ago I was trying to pass OpenVPN client traffic to a pfSense OpenVPN server.
              The site was protected with a FortiGate firewall.
              No matter what port I used, FortiGate would detect it was OpenVPN and block it as an anomaly.
              Only after creating a specific allow rule on FortiGate would OpenVPN work.
              Didn't have time to investigate any further.
              I would love to see how this can be done with Suricata/Snort :)

              • dintzee

                Yes, true. I need to try with Snort with OpenAppID, I think, but on interface LAN or WAN?!

                  • kiokoman LAYER 8

                    LAN, where the connection to the vpn is initiated

                    Please do not use chat/PM to ask for help
                    we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
                    Don't forget to Upvote with the 👍 button for any post you find to be helpful.

                    • dintzee

                      Still I can't block most VPNs using port 443.

                      • Gertjan

                        And even if you can, you'll find out that you can't block every VPN technology, whatever resources you throw at it. And with resources I mean: knowledge.

                        Keep in mind that the concept VPN should not be interchanged with "oh, it's OpenVPN"; that is just a way of doing VPN. VPN can be set up using any of a variety of solutions involving encoding, encrypting, compressing, etc.
                        Not everybody uses OpenVPN.

                        So, even if you manage to fake the VPN client, making it 'think' it is connecting to its addressed VPN server because 'you, on pfSense' can decode the SSL that was created using the public key of the VPN server (the server uses its unknown private key to decode, a key you do not have), you have to take the next barrier: how to decompress, decrypt, the tunnelled data. The format of that data could be .... anything.

                        It's probably easier to filter for classic https web browser traffic, and let that pass, blocking the rest.
                        Still, you have to do the MITM job, by becoming, for example, a squid expert. Many tried this, and most didn't come back - didn't report back, from that journey.

                        It all boils down to : if you want to share your Internet access, you can do so, but you really can't control what people actually do with that connection.


                          • DaddyGo @Gertjan

                          @Gertjan said in Block vpn connection on port 443:

                          Not everybody uses OpenVPN.

                          I agree....

                          ExpressVPN also uses several connection methods depending on the point from which it starts..

                          router usually OpenVPN
                          ExpVPN app usually IKEv2 + EAP

                          etc....

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.