How to block ALL vpn connections



  • Hi..
    I have been using OpenDns for many years to block porn sites and other sites I don't want users to visit. I use a Linksys router with Shibby Tomato firmware installed, which has the option to block access to port 53, so users have no choice but to use the DNS I have set at the router level. So far, OpenDns has been working great, but recently some kids have discovered the joys of VPNs…

    They can simply install a Chrome or Firefox plugin like Betternet vpn, which does not require admin rights to install. That plugin completely bypasses the router settings and they can visit any site they wish.

    I have been searching and searching for many days now and cannot find a way to block VPN connections. All I find is "vpn connections are encrypted, therefore you cannot block it". Some suggest using a proxy and forcing everyone to go through it, including VPN connections, before accessing the Internet. Is this true? Will running a transparent proxy help me achieve this?

    I also ask because I have also read some people that have a proxy set up complaining that kids are still bypassing it using a vpn plugin or app on their smart phones.

    Any assistance will greatly be appreciated.. thank you.



  • What you would have to do is identify an IP that Betternet is trying to connect to, look up the ASN, identify the IP ranges the company has registered, create an alias with those ranges and block outgoing connections to that alias.  That's a lot of work and the problem is you've only dealt with Betternet.  Once your clients realize Betternet is blocked, they're just going to switch to another product.  What about PIA, NordVPN, PureVPN, VyprVPN, etc, etc.?

    It's like trying to block porn sites manually one by one… you're never going to get them all and not to mention it would be a management nightmare.  It's generally not very efficient to chase these types of L7 issues with firewall rules.  What you need is a UTM product installed inline with your network.  For example, you could install Untangle in bridge mode and leverage the web filter and application control apps to solve this issue.
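
The alias-building step described in the post above, as an added example that is not part of the original thread: it collapses the prefixes returned by an ASN lookup into a minimal alias list and checks which outbound connections that alias would catch. The prefixes and connection records are constructed samples using documentation address ranges, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: prefixes an ASN lookup might return for one VPN provider
# (documentation ranges, not real provider data).
ASN_PREFIXES = ["198.51.100.0/25", "198.51.100.128/25", "203.0.113.0/24",
                "203.0.113.64/26", "2001:db8:100::/48"]

# Constructed sample of outbound connection records: (source, destination, port).
CONNECTIONS = [
    ("192.168.1.23", "198.51.100.77", 443),
    ("192.168.1.23", "192.0.2.10", 443),
    ("192.168.1.40", "203.0.113.200", 1194),
    ("192.168.1.41", "2001:db8:100::5", 443),
]

def build_alias(prefixes):
    """Collapse overlapping and adjacent prefixes into the smallest alias list."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    # collapse_addresses() rejects mixed IP versions, so handle each separately.
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return list(v4) + list(v6)

def matches(alias, connections):
    """Return the connections whose destination falls inside the alias."""
    hits = []
    for src, dst, port in connections:
        addr = ipaddress.ip_address(dst)
        if any(addr.version == n.version and addr in n for n in alias):
            hits.append((src, dst, port))
    return hits

if __name__ == "__main__":
    alias = build_alias(ASN_PREFIXES)
    print("\n".join(str(n) for n in alias))   # one network per line for the alias
    for hit in matches(alias, CONNECTIONS):
        print("would block:", hit)
```

Destinations outside the listed prefixes pass untouched, which is the limitation the post goes on to describe: the alias only covers the one provider whose ranges were looked up.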



  • I've seen Untangle users complain about the same issue.. it seems not even they can block these types of connections.



  • Time is money, so it's about being efficient and effective.  Is UT perfect?  No.  No one product is, but leveraging a product that is specifically written to combat these issues is going to be more efficient and effective than manually chasing literally tens of millions of IPs around the internet… and that's just IPv4.

    My point is you're not going to solve the problem simply by blocking IPs and ports.  You need something scanning the datastream on the way out, so the application traffic can be identified, categorized and blocked or tarpitted before a connection is made.



  • Same problem here. I think that could be done with Snort, but I don't know how. I read some things about OpenAppID and tried, but apparently they don't recognize these apps.



  • Block the domain *.987607.biz. These are Betternet's Chrome plugin servers.



  • The only way around blocking VPNs is to just create a local VPN that is required to get internet connectivity. On the majority, if not all, devices you can't have multiple VPNs active.
    If you enforce users to use your local VPN just to access the internet, they won't be able to switch to another.

    You could set up a local Apache server that all DNS queries are redirected to from pfSense that hosts the profile/VPN settings/extension. A 3rd WAN for unfiltered internet for staff.

    If you can't beat them, join them.



  • Install Squid & SquidGuard and create an account for each user and device, and then you can better allow what to use
    through that proxy server. Together with OpenDNS it will be a nice service and prevention.

    If this might not be enough, you could try out pfBlocker & DNSBL + TDL. For sure your system memory (RAM)
    should be high enough, but then using Snort with AppID rules you may get closer to your goal.

    Or, more expensive, it could be nice to install a deep packet inspection device behind the pfSense firewall.
    This might then take more time to fine-tune, but with the most effect of all. Or a combination of some of these
    things could be the real deal breaker.