Latest pfsense & outgoing VPN

  • How to block any outgoing VPN connection from some clients?

    Is that even possible?


  • Extremely difficult.  To effectively block, you would need to know either which port(s) their VPN app (and there are a LOT of VPN apps out there) uses to talk to its servers, or the endpoints of every VPN service in the world.

  • Wow, thanks for replying!!
    But there must be an easy way, what about captive portal?
    For iOS devices I do management with Apple software, which prevents any installation of VPNs,
    but I can't control Windows OS!!


  • LAYER 8 Moderator

    Sorry, but that's like comparing pears and running shoes. You can put a pear into a shoe but it makes no sense. Of course, a device like iOS or Android with !Device Management! functionality can be locked down quite easily compared to a full-blown OS where the user quite often has admin privileges. That's the reason why it's difficult. If you are administrator on your machine, you could use various tools to create a VPN tunnel, like using an SSH tunnel, installing OpenVPN on a non-common port or running it on a port that is used for other legitimate reasons. So, no, there are no easy ways to lock down a client machine like some smartphone. Not if your users are running it with root/admin privileges and can potentially install any app they want. And even without, there are ways to do it.

  • Thanks for replying. Does anybody here have a collection of ports and sites hosting VPNs?
    I am trying to collect the majority just in case.

    Best regards

  • LAYER 8 Moderator

    If you control the other (server) side, you can set up e.g. OpenVPN to listen on any UDP or TCP port you like. So you can't be sure that no one could open a tunnel there. You surely could block some commercial providers, but if someone goes along and rents his own VPS and installs OpenVPN on it, the game is on.
