Netgate Discussion Forum
Blocking softether VPN connection

Firewalling
6 Posts 4 Posters 3.5k Views
    nottyboy
    last edited by Nov 25, 2016, 7:34 AM

    Hi all,

    Is there any way to block SoftEther VPN connections? I have blocked most of the ports in my firewall except 80, 8080, FTP, email, DNS and NTP ports, but somehow SoftEther VPN can still connect to the server and bypass the firewall rules.

      KOM
      last edited by Nov 25, 2016, 2:10 PM

      Some VPN services tunnel over 443, so those are hard to block without killing web access entirely. From their site:

      Penetrates Firewall by SSL-VPN
      Are you having trouble with IPsec-based legacy VPN products? Replace it with SoftEther VPN. SoftEther VPN Protocol is based on HTTPS, so almost all kinds of firewalls will permit SoftEther VPN's packets.

      Your only option now is to block their access points.

        nottyboy
        last edited by Nov 29, 2016, 1:14 AM

        @KOM:

        Some VPN services tunnel over 443, so those are hard to block without killing web access entirely. From their site:

        Penetrates Firewall by SSL-VPN
        Are you having trouble with IPsec-based legacy VPN products? Replace it with SoftEther VPN. SoftEther VPN Protocol is based on HTTPS, so almost all kinds of firewalls will permit SoftEther VPN's packets.

        Your only option now is to block their access points.

        Thanks for your reply. I think it is a bit hard to block for now, as we require port 443.

          Jonb
          last edited by Dec 6, 2016, 9:51 PM

          The only way is Snort/Layer7 if the app identifies itself, but that's doubtful; the main way is to have a proxy server with SSL introspection.

          Hosted desktops and servers with support without complication.
          www.blueskysystems.co.uk

            johnpoz LAYER 8 Global Moderator
            last edited by Dec 6, 2016, 10:17 PM

            Yeah, it's getting really hard to block this sort of thing. So while you don't actually have to decode the traffic to see that OpenVPN traffic is not actually normal SSL traffic, you can run it inside an actual SSL tunnel, etc. I am not sure what SoftEther's SSL VPN looks like; maybe it's just like stunnel? And impossible to detect without MITM of the SSL connection.

            But for sure it's an uphill battle trying to block such traffic, especially when they run over ports that you need to talk to the internet at all, like 443.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

              nottyboy
              last edited by Apr 14, 2017, 1:03 AM

              I am blocking using IP addresses in firewall rules and SquidGuard.

              But there is a long list of IP addresses of the VPN servers based on the vpngate website.

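The IP-list approach described in the post above can be kept current with a small script rather than by hand. This is an added example, not code from the thread or from pfSense: it assumes the vpngate server list arrives as CSV with the IP in the second column (a constructed sample is embedded below), skips malformed rows so they cannot poison the block list, collapses adjacent hosts into CIDR blocks, and emits one network per line, the plain-text layout a pfSense URL Table alias (and a SquidGuard destination list) can be pointed at and refreshed on a schedule.

```python
import csv
import io
import ipaddress

# Constructed sample in the assumed vpngate CSV layout: a '*' framing line,
# a '#'-prefixed header, one server per row. Addresses are documentation ranges.
SAMPLE_VPNGATE_CSV = """*vpn_servers
#HostName,IP,Score,Ping,Speed,CountryLong,CountryShort,NumVpnSessions,Uptime
vpn111,192.0.2.10,123456,12,10000000,Japan,JP,5,100000
vpn222,192.0.2.11,23456,30,5000000,Japan,JP,2,100000
vpn333,203.0.113.7,3456,80,1000000,Korea,KR,1,100000
vpn444,192.0.2.10,1000,90,500000,Japan,JP,1,1
vpn555,not-an-ip,1,1,1,Nowhere,XX,0,0
*
"""


def extract_server_ips(csv_text):
    """Return the set of unique, valid IPv4 addresses from the IP column.
    Framing/header lines and rows whose IP field does not parse are skipped,
    so a malformed or hostile row never lands in the firewall alias."""
    ips = set()
    for row in csv.reader(io.StringIO(csv_text)):
        if not row or row[0].startswith(("*", "#")) or len(row) < 2:
            continue
        try:
            ips.add(ipaddress.IPv4Address(row[1].strip()))
        except ipaddress.AddressValueError:
            continue  # skip rows like 'not-an-ip' instead of failing the run
    return ips


def to_alias_lines(ips):
    """Collapse adjacent hosts into the fewest CIDR blocks (192.0.2.10 and
    192.0.2.11 become 192.0.2.10/31) and return one network per line."""
    nets = ipaddress.collapse_addresses(ipaddress.IPv4Network(ip) for ip in ips)
    return [str(n) for n in sorted(nets)]


def is_blocked(address, alias_lines):
    """Check a single address against the generated list, e.g. to confirm a
    known VPN server IP is covered before the alias is pushed to the firewall."""
    addr = ipaddress.IPv4Address(address)
    return any(addr in ipaddress.IPv4Network(line) for line in alias_lines)


if __name__ == "__main__":
    for line in to_alias_lines(extract_server_ips(SAMPLE_VPNGATE_CSV)):
        print(line)
```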
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.