First, there are three types of VPN's.
- OpenVPN. The client talks to one server, and a large quantity of data is transferred.
- Shadowsocks (or like). The client usually talks to one server. These also encrypt data but have code to elude detection (such as pretending to be https traffic)
- Tor. It is a network of servers that you communicate with anonymously.
To detect VPN usage may not be that hard, but do require a small knowledge of how networking works.
- Use https://help.firewalla.com/hc/en-us/articles/115004404754-The-Top-Graph , and watch out for large transfers (upload/download) to destinations that don't make sense.
- Block from Network Flows. After VPN detection, you can block the domain just by tapping on the network flow.
- Enable Family Mode. this feature will block some of the well-known VPN servers.
- Block ports used by well-known VPN. By default, OpenVPN uses port 1194 (UDP). In Box version 1.965, you will be able to create rules to block remote ports.