While VPNs can be useful tools for encrypting your data and increasing your privacy, they can also make it difficult for Firewalla to enforce your policies. Using 3rd-party VPNs outside of Firewalla hides your devices' network traffic, preventing Firewalla from monitoring what your devices are really doing. Firewalla's VPN-blocking capabilities make it easy to prevent your devices from using external VPN services and keep them protected by your policies.
What are the different types of VPNs used by consumers?
There are three types of VPNs:
- OpenVPN / WireGuard – The client talks to one server, and a large quantity of data is transferred.
- Shadowsocks (or similar) – The client usually talks to one server. These VPNs have additional features to elude detection (for example, they may be able to pretend to be https traffic).
- Tor – A network of servers that you communicate with anonymously.
Note that there are other enterprise VPN protocols, such as IPsec, which are not covered in this list.
Why can blocking VPN services be difficult?
Some VPNs, such as Shadowsocks, or VPN servers running on https (port 443) are very hard to detect. Firewalla is always improving and updating our VPN-blocking intel, but these servers can be extremely elusive. Because of this, we cannot guarantee that our VPN-blocking features stop all VPN services. If you notice that a VPN service is getting around Firewalla's block, we recommend that you block it directly using a rule.
How can I detect VPN usage?
Large data transfers to unexpected destinations can be a clue for VPN usage. From your Network Flows page, tap on Download, then scroll down and tap on Show All in the Top Destination section to see a list of your destinations sorted by greatest download amount.
How do I block VPNs?
Block All VPN Sites
You can create a rule to block all VPN sites on all devices. This will block your devices from connecting to known external VPN sites. (Disclaimer: this only covers some of the more popular VPN services and may not cover everything.)
Block from Network Flows
Some VPN services may be harder to find. You can block any domain directly from a network flow by tapping on the flow, tapping Block at the bottom of the page, modifying the target and device as needed, and then tapping the Block button.
Enable Native Family Protect
You can block VPN services directly from the Native Family Protect page. From your box's main page, tap Family, turn Family Protect on, tap Mode, select Native, and then toggle on All VPN Sites in the Block Flows section.
Block ports used by VPN
Below are some ports used by well-known VPN protocols. You can also research individual VPN service providers to find out which ports they're using, then create blocking rules on these ports to prevent VPN connections.
Since blocking ports may be more intrusive, you may want to use trial and error to ensure you don't interfere with your devices' normal functioning. Block ports one at a time and make sure your network still works as expected after blocking each new port.
The ports we recommend you try blocking are in bold:
- OpenVPN – 1194 TCP/UDP
- PPTP – 1723 TCP/UDP
- L2TP – 1701 UDP
- Cisco IPsec – 1293 TCP/UDP, 500 TCP/UDP
- IPsec/IKEv2 – 500 TCP/UDP
- IPsec NAT Traversal – 4500 UDP
- SOCKS proxy – 1080 TCP
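As an added illustration (not Firewalla's own code), the script below applies the two clues this article gives, known VPN ports and large downloads to unexpected destinations, to a handful of constructed flow records. The port table is copied from the list above; the flow record format, the size threshold and the allowlist of expected destinations are assumptions you would tune for your own network.

```python
from collections import defaultdict

# Port/protocol pairs copied from the page's list of well-known VPN protocols.
VPN_PORTS = {
    ("tcp", 1194): "OpenVPN", ("udp", 1194): "OpenVPN",
    ("tcp", 1723): "PPTP", ("udp", 1723): "PPTP",
    ("udp", 1701): "L2TP",
    ("tcp", 1293): "Cisco IPsec", ("udp", 1293): "Cisco IPsec",
    ("tcp", 500): "IPsec/IKEv2", ("udp", 500): "IPsec/IKEv2",
    ("udp", 4500): "IPsec NAT Traversal",
    ("tcp", 1080): "SOCKS proxy",
}

# Constructed flow records (device, destination, protocol, destination port,
# bytes downloaded); the format is hypothetical, not a Firewalla export.
SAMPLE_FLOWS = [
    ("laptop", "cdn.example-streaming.test", "tcp", 443, 3_200_000_000),
    ("laptop", "203.0.113.10", "udp", 1194, 120_000_000),
    ("phone", "198.51.100.7", "tcp", 443, 2_100_000_000),
    ("phone", "mail.example.test", "tcp", 993, 15_000_000),
    ("tv", "198.51.100.7", "tcp", 443, 900_000),
]

def top_destinations(flows):
    """Total bytes downloaded per (device, destination), largest first,
    the same view the app's Top Destination list gives."""
    totals = defaultdict(int)
    for device, dest, _proto, _port, nbytes in flows:
        totals[(device, dest)] += nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

def flag_vpn_candidates(flows, large_bytes=1_000_000_000, expected=frozenset()):
    """Return (device, destination, reason) triples for flows that hit a
    known VPN port or move a large volume to a destination not in
    `expected`. The threshold and the allowlist are assumptions to tune."""
    findings = []
    for device, dest, proto, port, _nbytes in flows:
        name = VPN_PORTS.get((proto.lower(), port))
        if name:
            findings.append((device, dest, f"known VPN port {port}/{proto} ({name})"))
    for (device, dest), total in top_destinations(flows):
        if total >= large_bytes and dest not in expected:
            findings.append((device, dest, f"{total} bytes to unexpected destination"))
    return findings

if __name__ == "__main__":
    for finding in flag_vpn_candidates(SAMPLE_FLOWS, expected={"cdn.example-streaming.test"}):
        print(*finding)
```

Each finding names a device and destination you can then block with a rule, as the article describes; a large transfer alone is only a hint, so check the destination before blocking it.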
Turn off NAT Passthrough
If your box is running in Router Mode, you can go to Network -> NAT Settings -> NAT Passthrough to turn off PPTP, L2TP, IPSEC, etc., based on the VPN protocol.