Netgate Discussion Forum

    Blocking VPN users from bypassing Squid, and also from using Google's DNS (Android)

    Firewalling
    ast

      Hi!

      Can I ask for advice on how to block VPN (proxy app) users from bypassing Squid, and also how to block Android devices from using Google's DNS?

      TIA!

      ast

      pfBasic

        See these articles to Force the use of Unbound on your network.

        https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense

        https://doc.pfsense.org/index.php/Blocking_DNS_queries_to_external_resolvers

        As far as blocking VPNs from bypassing Squid, about the only way I can think of to do that is by blocking VPN users altogether (or at least attempting to).
        Since most commercial VPNs can use TCP 443, you aren't going to do this effectively with firewall rules.

        I've never attempted this, but off the top of my head I would say that using pfBlockerNG with a well-maintained list of VPN provider IPs is going to be your best bet without spending a lot of time on it. You could also use Snort/Suricata, but that's a pretty heavy performance tax depending on bandwidth and hardware, and I'm sure you'll spend plenty of time pruning FPs or writing your own rules.

        I'm sure there are others, but I've only heard good things about Shallalist, and they have a category just for commercial VPNs.
        http://www.shallalist.de/categories.html

        BBCan has something in the works to make implementing these types of lists easier, but for now you can follow this thread to use the Shallalist on pfBlockerNG.
        https://forum.pfsense.org/index.php?topic=120072.msg704424#msg704424

        Keep in mind the best you can hope for with lists and pfBlockerNG is to block users from connecting to commercial VPN providers. No one maintains lists of private VPN servers. So this method would not stop me from connecting to my own VPN server and then accessing the internet through that. To stop this, I don't think there is any choice but IDS/IPS.

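As an added example (not code from the post or from the linked pfSense docs), here are the two measures pfBasic links to expressed as pf rules rather than GUI steps: redirect every plain-DNS query to the firewall's own Unbound, and block DNS-over-TLS so a client cannot sidestep the redirect. The interface name and LAN subnet are assumptions.

```pf
# Assumed values: adjust to the real LAN interface and subnet.
lan_if  = "igb1"
lan_net = "192.168.1.0/24"

# 1. Transparent redirect: any UDP/TCP port 53 traffic from the LAN that is
#    not already addressed to the firewall itself is rewritten to the local
#    Unbound listener. Clients hard-coded to 8.8.8.8 still get an answer,
#    but from the firewall's resolver, not Google's.
rdr pass on $lan_if inet proto { tcp, udp } \
    from $lan_net to ! ($lan_if) port 53 -> 127.0.0.1 port 53

# 2. Block DNS-over-TLS (TCP 853), which Android's "Private DNS" setting
#    uses. With 853 unreachable the device falls back to plain port 53,
#    which rule 1 then captures. "return" sends a RST so the client fails
#    fast instead of waiting for a timeout.
block return in quick on $lan_if inet proto tcp \
    from $lan_net to any port 853

# 3. Belt and braces from the second linked doc: drop any port 53 traffic
#    that still tries to leave the LAN directly (e.g. if the rdr rule is
#    ever disabled). Logged so bypass attempts show up in the firewall log.
block return log in quick on $lan_if inet proto { tcp, udp } \
    from $lan_net to ! ($lan_if) port 53

# Ordinary LAN-to-anywhere pass rule (pfSense's default LAN rule).
pass in quick on $lan_if inet from $lan_net to any
```

On pfSense these are entered as a NAT port forward and LAN firewall rules rather than a hand-edited ruleset; DNS-over-HTTPS rides on TCP 443 and is not distinguished by any of these rules, which is the same limitation the reply notes for VPNs.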
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.