Netgate Discussion Forum
    How to block ALL vpn connections

    General pfSense Questions
    8 Posts 6 Posters 11.5k Views
    macster2075

      Hi..
      I have been using OpenDNS for many years to block porn sites and other sites I don't want users to visit. I use a Linksys router with Shibby Tomato firmware installed, which has the option to block access to port 53, so users have no choice but to use the DNS I have set at the router level. So far, OpenDNS has been working great, but recently some kids have discovered the joys of VPNs…

      They can simply install a Chrome or Firefox plugin like Betternet VPN, which does not require admin rights to install. That plugin completely bypasses the router settings and they can visit any site they wish.

      I have been searching and searching for many days now and cannot find a way to block VPN connections. All I find is "VPN connections are encrypted, therefore you cannot block it". Some suggest using a proxy and forcing everyone to go through it, including VPN connections, before accessing the Internet. Is this true? Will running a transparent proxy help me achieve this?

      I also ask because I have read about some people who have a proxy set up complaining that kids are still bypassing it using a VPN plugin or app on their smartphones.

      Any assistance will be greatly appreciated. Thank you.

      marvosa

        What you would have to do is identify an IP that Betternet is trying to connect to, look up the ASN, identify the IP ranges the company has registered, create an alias with those ranges and block outgoing connections to that alias. That's a lot of work, and the problem is you've only dealt with Betternet. Once your clients realize Betternet is blocked, they're just going to switch to another product. What about PIA, NordVPN, PureVPN, VyprVPN, etc., etc.?

        It's like trying to block porn sites manually one by one… you're never going to get them all, not to mention it would be a management nightmare. It's generally not very efficient to chase these types of L7 issues with firewall rules. What you need is a UTM product installed inline with your network. For example, you could install Untangle in bridge mode and leverage the web filter and application control apps to solve this issue.

          macster2075
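        The alias-building procedure marvosa describes (ASN prefixes → pfSense alias → outbound block rule), as an added example that is not part of the thread and not pfSense's own code. The ASN number and prefixes are constructed placeholders from the documentation ranges, not any provider's real registrations; in practice they come from a whois or BGP lookup of the ASN behind an IP seen in the state table. The script collapses the prefixes into the one-entry-per-line text a URL Table (IPs) alias fetches, then reports which observed destinations a block rule on that alias would actually catch, which makes the "next product" gap visible: a destination at a provider never added to the alias passes straight through.

```python
"""
Turn a VPN provider's announced prefixes into a pfSense URL Table alias and
check which destination IPs a block rule on that alias would actually catch.

Added example, not code from the thread or from pfSense itself. The ASN
number and prefixes are CONSTRUCTED placeholders (documentation ranges), not
a real provider's registrations; in practice they come from a whois or BGP
lookup of the ASN identified from the firewall's state table.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample of what an ASN prefix lookup might return for ONE
# provider. Adjacent and nested prefixes are deliberate, to exercise collapse.
SAMPLE_ASN_PREFIXES: Dict[str, List[str]] = {
    "AS64496": [              # placeholder provider, documentation ASN
        "203.0.113.0/25",
        "203.0.113.128/25",   # adjacent to the /25 above -> merges into a /24
        "198.51.100.0/24",
        "198.51.100.64/26",   # inside the /24 -> dropped as redundant
        "2001:db8:1::/48",
    ],
}


def collapse_prefixes(prefixes: Iterable[str]) -> List[Network]:
    """Merge adjacent/overlapping prefixes so the pf table stays small."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    # collapse_addresses() refuses mixed families, so handle v4 and v6 apart.
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return sorted(v4) + sorted(v6)


def render_alias_file(prefixes_by_asn: Dict[str, List[str]]) -> str:
    """One prefix per line: the text format a pfSense URL Table (IPs) alias
    downloads. No comments are emitted; the file holds bare entries only."""
    lines: List[str] = []
    for asn in sorted(prefixes_by_asn):
        lines.extend(str(n) for n in collapse_prefixes(prefixes_by_asn[asn]))
    return "\n".join(lines) + "\n"


def load_alias(text: str) -> List[Network]:
    """Parse the alias file back into networks, skipping blank lines."""
    return [ipaddress.ip_network(line.strip())
            for line in text.splitlines() if line.strip()]


def matching_prefix(alias: List[Network], dst: str) -> Optional[Network]:
    """Return the alias entry that would match dst, or None when a block
    rule on the alias would let the connection through."""
    addr = ipaddress.ip_address(dst)
    for net in alias:
        if addr.version == net.version and addr in net:
            return net
    return None


def coverage_report(alias: List[Network],
                    observed_dsts: Iterable[str]) -> Dict[str, bool]:
    """For each destination seen in the state table, say whether the alias
    blocks it. False entries are providers nobody has chased down yet."""
    return {dst: matching_prefix(alias, dst) is not None for dst in observed_dsts}


if __name__ == "__main__":
    text = render_alias_file(SAMPLE_ASN_PREFIXES)
    print(text, end="")
    alias = load_alias(text)
    # Constructed destinations: two inside the aliased provider, one at a
    # different provider that was never added to the alias.
    observed = ["203.0.113.77", "2001:db8:1::20", "192.0.2.10"]
    for dst, blocked in coverage_report(alias, observed).items():
        print(f"{dst:>16}  {'blocked' if blocked else 'NOT blocked'}")
```

        Serve the rendered file from a local web server and point a URL Table (IPs) alias at it, then reference the alias in a block rule on the LAN interface; the coverage report is the check to re-run whenever a new destination shows up in the state table.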

          I've seen Untangle users complain about the same issue. It seems not even they can block these types of connections.

            marvosa

            Time is money, so it's about being efficient and effective. Is UT perfect? No. No one product is, but leveraging a product that is specifically written to combat these issues is going to be more efficient and effective than manually chasing literally tens of millions of IPs around the internet… and that's just IPv4.

            My point is you're not going to solve the problem simply by blocking IPs and ports. You need something scanning the data stream on the way out, so the application traffic can be identified, categorized and blocked or tarpitted before a connection is made.

              Maekar

              Same problem here. I think that could be done with Snort, but I don't know how. I read some things about OpenAppID and tried it, but apparently it doesn't recognize these apps.

                Carreswag

                Block the domain *.987607.biz. These are Betternet's Chrome plugin servers.

                  r4z0r84

                  The only way around blocking VPNs is to just create a local VPN that is required to get internet connectivity; on the majority, if not all, of devices you can't have multiple VPNs active.
                  If you require users to use your local VPN just to access the internet, they won't be able to switch to another.

                  You could set up a local Apache server that all DNS queries are redirected to from pfSense, which hosts the profile/VPN settings/extension, and a third WAN for unfiltered internet for staff.

                  If you can't beat them, join them.

                    Guest

                    Install Squid & SquidGuard and create an account for each user and device; then you can better control what is allowed through that proxy server. Together with OpenDNS it will be a nice service and prevention.

                    If this is not enough, you could try out pfBlocker & DNSBL + TLD; for sure your system memory (RAM) should be high enough, but then using Snort with AppID rules you may get closer to your goal.

                    Or, more expensively, it could be nice to install a deep packet inspection device behind the pfSense firewall; this might take more time to fine tune, but with the most effect of all. Or a combination of some of these things could be the real deal breaker.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.