Unable to block VPN apps?
-
I noticed that if any smartphone uses a VPN app, it bypasses all firewall rules and DNS settings set by the pfSense router. I've forced all the clients in my LAN to use the pfSense DNS settings, which actually point to my Windows Server DNS, but if they use a VPN app on their devices, it completely bypasses the router.
-
You can try to block VPN providers with pfBlockerNG.
-Rico
-
@rico Let's assume that we don't know the name of the VPN provider they are using.
-
@dxplorer11 Then you're limited to blocking based on destination address or port. Since the contents of each packet are encrypted, all you have to work with are the TCP/UDP headers.
-
@dxplorer11 said in Unable to block VPN apps?:
I noticed that if any smartphone uses a VPN app, it bypasses all firewall rules and DNS settings set by the pfSense router. I've forced all the clients in my LAN to use the pfSense DNS settings, which actually point to my Windows Server DNS, but if they use a VPN app on their devices, it completely bypasses the router.
You could try to block VPNs with Snort/Suricata or the pfBlockerNG IP VPN feed.
-
Blocking IPsec would be pretty easy, but OVPN and WG can run on whatever port, so the only way would be to rely on IP lists and perhaps ASNs of public VPN providers. You don't get them all, but if you get many/most of the VPN endpoints the client tries to connect to, then at least it wouldn't be easy to circumvent the rules.
The easiest thing would be to move smartphones to a separate VLAN and also limit access to certain ports and services, in addition to blocking certain IP ranges and DNS aliases, so many/most VPNs wouldn't connect.
-
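The two posts above describe the same three-layer approach: IPsec is recognisable by protocol and port, OpenVPN/WireGuard only by their default ports or by a destination-IP feed of known providers, and a restrictive egress policy on a phone VLAN closes what the feed misses. The following is an added example, not code from the thread or from pfSense/pfBlockerNG, that applies those rules to a constructed set of outbound connections; the feed prefixes are documentation ranges (not real providers) and the VLAN egress policy is a hypothetical one.

```python
"""Classify outbound connections by the header-level evidence a firewall can see.

Added example for the thread above; it is not pfSense or pfBlockerNG code.
The VPN feed uses documentation ranges (RFC 5737) standing in for a real
provider list, and PHONE_VLAN_EGRESS is a hypothetical per-VLAN policy.
"""
import ipaddress
from collections import namedtuple

Conn = namedtuple("Conn", "proto dst_ip dst_port")

# Constructed stand-in for a pfBlockerNG-style VPN provider IP feed.
VPN_FEED = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]

IPSEC_UDP_PORTS = {500, 4500}                              # IKE and NAT-T
DEFAULT_VPN_PORTS = {"udp": {1194, 51820}, "tcp": {1194}}  # OpenVPN / WireGuard defaults
PHONE_VLAN_EGRESS = {"tcp": {80, 443}, "udp": {53, 123}}   # hypothetical: web, DNS, NTP only


def classify(conn, feed=VPN_FEED, egress=None):
    """Return a verdict string for one connection.

    egress=None means "no per-VLAN port restriction", i.e. only the
    VPN-specific rules apply. Passing a port policy shows how a separate
    VLAN with limited egress catches VPNs running on arbitrary ports.
    """
    ip = ipaddress.ip_address(conn.dst_ip)

    # IPsec is easy: ESP is its own IP protocol, IKE/NAT-T use fixed UDP ports.
    if conn.proto == "esp" or (conn.proto == "udp" and conn.dst_port in IPSEC_UDP_PORTS):
        return "block:ipsec"

    # Known provider endpoint, regardless of port (the pfBlockerNG feed idea).
    if any(ip in net for net in feed):
        return "block:vpn-feed"

    # OpenVPN/WireGuard on their default ports; trivially changed by the provider.
    if conn.dst_port in DEFAULT_VPN_PORTS.get(conn.proto, set()):
        return "block:default-vpn-port"

    # Everything else is indistinguishable at the header level; only an
    # allow-list egress policy on the phone VLAN can stop it.
    if egress is not None and conn.dst_port not in egress.get(conn.proto, set()):
        return "block:egress-policy"

    return "pass"


# Constructed sample of outbound connections from a phone VLAN.
SAMPLE_CONNS = [
    Conn("udp", "192.0.2.10", 4500),       # IPsec NAT-T
    Conn("esp", "192.0.2.11", 0),          # raw ESP
    Conn("udp", "203.0.113.45", 443),      # WireGuard on 443, but IP is in the feed
    Conn("udp", "192.0.2.20", 51820),      # WireGuard default port, unknown IP
    Conn("udp", "192.0.2.30", 443),        # WireGuard on 443, unknown IP
    Conn("tcp", "192.0.2.40", 443),        # ordinary HTTPS
    Conn("tcp", "198.51.100.200", 443),    # just outside the feed's /25: feed gap
]


def evaluate(conns=SAMPLE_CONNS, egress=None):
    """Classify every connection; returns a list of (conn, verdict)."""
    return [(c, classify(c, egress=egress)) for c in conns]


if __name__ == "__main__":
    for policy_name, policy in (("no egress policy", None), ("phone-VLAN egress policy", PHONE_VLAN_EGRESS)):
        print(f"== {policy_name} ==")
        for conn, verdict in evaluate(egress=policy):
            print(f"{conn.proto:>4} {conn.dst_ip:>16}:{conn.dst_port:<6} {verdict}")
```

Without the egress policy, the WireGuard session on UDP 443 to an unlisted address passes, exactly the gap the posts describe; with the VLAN policy it is dropped because UDP 443 is simply not on the allow-list. The last entry shows the other limitation: a provider address that falls outside the feed's prefixes looks like ordinary HTTPS and passes under both policies.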
@rico said in Unable to block VPN apps?:
You can try to block VPN providers with pfBlockerNG.
-Rico
Good suggestion for authoritarian and anti-democratic regimes like Russia, Belarus, China, Iran, Syria... ;)
-
@jegr said in Unable to block VPN apps?:
Blocking IPsec would be pretty easy, but OVPN and WG can run on whatever port, so the only way would be to rely on IP lists and perhaps ASNs of public VPN providers. You don't get them all, but if you get many/most of the VPN endpoints the client tries to connect to, then at least it wouldn't be easy to circumvent the rules.
And in addition to that, new technologies like NewNode VPN also make VPN blocking impossible nowadays.
The easiest thing would be to move smartphones to a separate VLAN and also limit access to certain ports and services, in addition to blocking certain IP ranges and DNS aliases, so many/most VPNs wouldn't connect.
Totally agree.
-
@viktor_g said in Unable to block VPN apps?:
@dxplorer11 said in Unable to block VPN apps?:
I noticed that if any smartphone uses a VPN app, it bypasses all firewall rules and DNS settings set by the pfSense router. I've forced all the clients in my LAN to use the pfSense DNS settings, which actually point to my Windows Server DNS, but if they use a VPN app on their devices, it completely bypasses the router.
You could try to block VPNs with Snort/Suricata or the pfBlockerNG IP VPN feed.
If users are using NewNode VPN, neither method is a solution.
Slowly we are all moving towards a state where blocking VPNs becomes impossible, because slowly all connections become "VPN by design". And billions in investments just push the whole industry towards this state.