Blocking VPN users from bypassing Squid, and using also DNS of Google (Android)



  • Hi!

    Can I ask for advice on how to block VPN (Proxy apps) user from bypassing Squid and also block Android devices from using DNS of Google.

    TIA!

    ast


  • Banned

    See these articles to Force the use of Unbound on your network.

    https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense

    https://doc.pfsense.org/index.php/Blocking_DNS_queries_to_external_resolvers

    As far as blocking VPNs from bypassing squid, about the only way I can think to do that is by blocking VPN users altogether (at least attempting to).
    Since most commercial VPNs can use TCP 443, you aren't going to effectively do this with firewall rules.

    I've never attempted this but off the top of my head I would say that using pfBlockerNG with a well maintained list of VPN provider IPs is going to be your best bet without spending a lot of time on it. You could also use snort/suricata but that's a pretty heavy performance tax depending on bandwidth, hardware and I'm sure you'll spend plenty of time pruning FP's or writing your own rules.

    I'm sure there are others but I've only heard good things about Shallalist  and they have a category just for commercial VPNs.
    http://www.shallalist.de/categories.html

    BBCan has something in the works to make implementing these types of lists easier, but for now you can follow this thread to use the shallalist on pfblockerng.
    https://forum.pfsense.org/index.php?topic=120072.msg704424#msg704424

    Keep in mind the best you can hope for with lists and pfbng is to block users from connecting to commercial VPN providers. No one maintains lists of private VPN providers. So this method would not stop me from connecting to my own VPN server and then accessing the internet through that. To stop this I don't think there is any choice but IDS/IPS.