Scripting for VPN detection

FredMcfly

I am trying to figure out how to add a PHP script to pfsense so that I can detect and block VPNs/proxies. The script would be similar to the one from IPQualityScore.

I understand how the script works, but I am clueless as to how I should integrate it with pfsense.

Doesn't even have to be PHP, could be Python, a compiled language, or anything really.

Does anyone have suggestions/ideas?

FredMcfly

Maybe I should be asking a different question, if I was writing a script for pfSense, how do I get the outgoing IP address?

bmeeks

@FredMcfly said in Scripting for VPN detection:

Maybe I should be asking a different question, if I was writing a script for pfSense, how do I get the outgoing IP address?

You can't really get it "real time" from any of the GUI level stuff. You can certainly log things and scrape the resulting logs (firewall logs, for example), but by that time the actual transaction has occurred (usually).

To get the IP realtime would require you writing you own binary module to interract with the underlying FreeBSD operating system (in the case of the firewall part, that would be pf).

What exactly is your use case? Are you wanting to detect and block the transaction as it is happening, or is it sufficient to detect the activity some amount of time later by scraping logs and then perhaps add offending IP addresses to an existing firewall alias so that future transactions are blocked? If the latter works for you, then that would be possible using a shell script with a few calls to pfctl, for instance, to add IP addresses to an alias table.

Follow-up: after thinking about this some more, are you wanting to detect and block when or if your internal clients are talking to a known VPN provider IP block? If so, that's even easier by using a script to populate your own alias table. Or perhaps some of the functionality you want is contained within lists available for the pfBlockerNG-devel package. You could ask over in that sub-forum under the PACKAGES section here on the forum.

noplan

do i get this right,

you want to block an incommin vpn connection if your vpn-client
already uses a vpn to connect to your vpn-server

brNp

bmeeks

@FredMcfly said in Scripting for VPN detection:

Maybe I should be asking a different question, if I was writing a script for pfSense, how do I get the outgoing IP address?

As I answered in my other post, you can't really get the outgoing IP real time via a script. And even if somehow you could, imagine how slow the network would be if every packet had to first go through your script before it could be transmitted over the wire.

You need to provide a clearer picture of what you want to accomplish with that outgoing IP address? I suspect what you really mean to say is "destination IP address" as the outgoing IP for any packet leaving your firewall will be your WAN IP (when using NAT) or else one of your assigned static IPs if you have static IP assignments from your ISP.

FredMcfly

Sorry for not being clearer, I'm still relatively new to pfsense and have been doing a lot of learning.

Ideally, if someone on my network attempts to connect to a known VPN, I want to be able to block them from connecting.
There are websites like IPInfo.io and ipqualityscore.com that allow you to request info for IP addresses and it will tell you if the IP address is a known VPN or proxy.

Yes, I know that you can never block all VPNs/proxies, but I want to get as many of them as I can and make it really difficult to use them on my network.

I've looked at pfBlockerNG-devel, but I have had issues with it drastically increasing memory and CPU usage with the settings I picked. And it didn't even catch the VPNs I was trying to block. Also, I wasn't sure how stable it is to be used in a production environment.

So at this point, it sounds like getting the outgoing IP address will be too slow, because I will have to send out a request to a website, wait for return, parse data and then block. Makes sense.

If I scrape logs and to look at IP addresses, then I would have time to look at each one, then I could add the offending IP address to some sort of blocker.

Would it be possible that if I find an offending IP address that is currently being used, could I somehow cut the connection? Such as killing the state or something?

bmeeks

@FredMcfly said in Scripting for VPN detection:

Sorry for not being clearer, I'm still relatively new to pfsense and have been doing a lot of learning.

Ideally, if someone on my network attempts to connect to a known VPN, I want to be able to block them from connecting.
There are websites like IPInfo.io and ipqualityscore.com that allow you to request info for IP addresses and it will tell you if the IP address is a known VPN or proxy.

Yes, I know that you can never block all VPNs/proxies, but I want to get as many of them as I can and make it really difficult to use them on my network.

I've looked at pfBlockerNG-devel, but I have had issues with it drastically increasing memory and CPU usage with the settings I picked. And it didn't even catch the VPNs I was trying to block. Also, I wasn't sure how stable it is to be used in a production environment.

So at this point, it sounds like getting the outgoing IP address will be too slow, because I will have to send out a request to a website, wait for return, parse data and then block. Makes sense.

If I scrape logs and to look at IP addresses, then I would have time to look at each one, then I could add the offending IP address to some sort of blocker.

Would it be possible that if I find an offending IP address that is currently being used, could I somehow cut the connection? Such as killing the state or something?

pfSense provides a nifty feature called aliases. These are variables that can be populated with IP addresses dynamically, and then the alias name used as either the source or destination IP in firewall rules.

For your case, you would want to create a script to call the API of that site you listed and pull down lists of known VPN providers. You would then put those IP addresses into your defined firewall alias. Blocking this type of activity is difficult because most of the public providers use port 443, the same one that HTTPS uses. So blocking by port destination will usually not work for most of the VPN providers. You would need to have a script that periodically pulls down lists of known VPN address blocks and then adds those blocks to an existing firewall alias. You would have a firewall blocking rule, for example, that had that alias as the "destination IP" for the rule.

There are probably some lists also available for pfBlockerNG. However, as you noticed, those IP lists are likely to be sort of large and for now there is a performance impact for some users with large IP lists on pfSense-2.4.5.

FredMcfly

I have some lists enabled for blocking VPNs, but they still aren't stopping well known VPNs.

I understand the port issue, which is why I am looking at IP addresses. By using a service like ipqualityscore.com is that they keep a list of IP addresses and flag them if they appear to be VPN addresses.

But I can't just download a list from these websites. I have to request information on specific IP addresses.

I guess I will just have to scrape the logs to find VPN addresses.

Is there any way that I can kill a VPN connection if I find one?

bmeeks

The utility you want is called pfctl. It exists to provide a means to interract with the firewall engine. pf, and add or remove IP addresses from alias tables or to clear active states. Here is a link to the FreeBSD docs for pfctl: https://www.freebsd.org/cgi/man.cgi?query=pfctl(8).

So you would create an alias and use it in a blocking firewall rule. You would then scrape logs on some basis and grab IP addresses to send to your third-party API site. For positive returns, you would put the IP in the alias table using pfctl and also delete any existing states for that IP using pfctl.

However, in the end this is not very efficient and probably not highly useful. It is all basically happening after-the-fact. Yeah, you might catch a tiny handful of connections and kill them, but so what.

A far more effective approach, if your company management is on board, is to implement a "no VPN policy", have employees sign they understand the rule, and then just do periodic scans. When you find a rule breaker, management makes a fairly large example of them. Believe me word gets around then, and the abuse of VPNs will slow to a trickle at best. Your only other method would involve finding a third-party that publishes lists of known VPN address blocks. That's difficult to maintain as the providers hop around -- mostly in attempts to thwart the efforts of Netflix and other large streaming providers that also want to find these VPN IP addresses and block them from accessing streaming content from countries where that content is not licensed for viewing.

christopa1999

It could be very slow if you integrate remote API into pfSense due to network latency.

A better solution is to parse an offline proxy database such as IP2Proxy and then perform detection or blocking as blacklist.

Just my 2 cents.

noplan

sounds useable ... import to pfB deny inbound and done

netgated

Take a look at the ipquery.io docs