First, there are three types of VPNs.
- OpenVPN. The client talks to one server, and a large quantity of data is transferred.
- Shadowsocks (or similar). The client usually talks to one server. These also encrypt data, but include code to evade detection (such as pretending to be HTTPS traffic).
- Tor. It is a network of servers that you communicate with anonymously.
Detecting VPN usage is not that hard, but it does require some basic knowledge of how networking works.
Use the Top Graph and watch out for large transfers (upload/download) to destinations that don't make sense.
Block from Network Flows
After VPN detection, you can block the domain just by tapping on the network flow.
Enable Family Protect
This feature will block some of the well-known VPN servers.
Block ports used by VPN
Below are some ports used by well-known VPN protocols. You can also check the VPN service provider's website to find out which ports they use, then create blocking rules for those ports to prevent VPN connections.
- OpenVPN – 1194 TCP/UDP
- PPTP – 1723 TCP/UDP
- L2TP – 1701 UDP
- SSTP – 443 TCP
- Cisco IPsec – 1293 TCP/UDP, 500 TCP/UDP
- IPsec/IKEv2 – 500 TCP/UDP
- IPsec NAT Traversal – 4500 UDP
- SOCKS proxy – 1080 TCP
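As an added example (not Firewalla's own code), the script below applies the two checks described on this page to a set of constructed flow records: it matches destination ports against the list above, and it flags any client-to-peer pair that moves more data than a threshold, which is the "large transfers to destinations that don't make sense" signal from the Top Graph section. SSTP's 443/TCP is deliberately not matched by port alone, because every HTTPS session uses that port and a port-only rule would flag (or block) all web browsing; the volume check is what catches a tunnel hiding there. The flow records, IP addresses and the `bulk_bytes` threshold are assumptions made for this demo; in practice the input would come from your flow export.

```python
"""Flag flows that hit a well-known VPN port or move bulk data to a single peer.

Added example, not Firewalla code. All flow records below are constructed.
"""
from collections import defaultdict

# (port, protocol) -> protocol name, taken from the port list above.
# "TCP/UDP" entries are expanded to one key per transport.
# 443/TCP (SSTP) is intentionally absent: it is shared with all HTTPS traffic.
VPN_PORTS = {
    (1194, "tcp"): "OpenVPN", (1194, "udp"): "OpenVPN",
    (1723, "tcp"): "PPTP", (1723, "udp"): "PPTP",
    (1701, "udp"): "L2TP",
    (1293, "tcp"): "Cisco IPsec", (1293, "udp"): "Cisco IPsec",
    (500, "tcp"): "IPsec/IKE", (500, "udp"): "IPsec/IKE",
    (4500, "udp"): "IPsec NAT-T",
    (1080, "tcp"): "SOCKS proxy",
}

# Constructed sample flows (documentation address ranges, not real hosts).
SAMPLE_FLOWS = [
    {"src": "192.168.1.20", "dst": "203.0.113.7", "dport": 1194, "proto": "udp", "bytes": 50_000_000},
    {"src": "192.168.1.20", "dst": "198.51.100.3", "dport": 443, "proto": "tcp", "bytes": 120_000},
    # Two long sessions to one peer on 443: looks like a tunnel, not web browsing.
    {"src": "192.168.1.31", "dst": "198.51.100.9", "dport": 443, "proto": "tcp", "bytes": 900_000_000},
    {"src": "192.168.1.31", "dst": "198.51.100.9", "dport": 443, "proto": "tcp", "bytes": 300_000_000},
    {"src": "192.168.1.42", "dst": "192.0.2.15", "dport": 80, "proto": "tcp", "bytes": 2_000_000},
]


def classify_port(dport, proto):
    """Return the VPN protocol name for a (port, transport) pair, or None."""
    return VPN_PORTS.get((dport, proto.lower()))


def find_vpn_candidates(flows, bulk_bytes=500_000_000):
    """Return {(src, dst): info} for client/peer pairs that hit a VPN port
    or exchange at least `bulk_bytes` in total (assumed threshold)."""
    totals = defaultdict(int)         # (src, dst) -> total bytes
    port_hits = {}                    # (src, dst) -> (name, dport, proto)
    per_port = defaultdict(lambda: defaultdict(int))  # (src, dst) -> {(dport, proto): bytes}

    for f in flows:
        key = (f["src"], f["dst"])
        proto = f["proto"].lower()
        totals[key] += f["bytes"]
        per_port[key][(f["dport"], proto)] += f["bytes"]
        name = classify_port(f["dport"], proto)
        if name and key not in port_hits:
            port_hits[key] = (name, f["dport"], proto)

    candidates = {}
    for key, total in totals.items():
        if key in port_hits:
            name, dport, proto = port_hits[key]
            candidates[key] = {"reason": f"{name} port {dport}/{proto}", "bytes": total}
        elif total >= bulk_bytes:
            # Name the busiest (port, transport) so the report says what carried the data.
            (dport, proto), _ = max(per_port[key].items(), key=lambda kv: kv[1])
            candidates[key] = {"reason": f"bulk transfer to single peer on {dport}/{proto}", "bytes": total}
    return candidates


if __name__ == "__main__":
    for (src, dst), info in find_vpn_candidates(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}: {info['reason']} ({info['bytes']:,} bytes)")
```

Each flagged (client, peer) pair corresponds to a line in the Firewalla flow view that you would tap to block; the port-based hits are the ones a port rule would also stop, while the bulk hit on 443 is only visible through volume.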
Turn off NAT Passthrough
If you are using Firewalla Gold in Router Mode, you may go to Network -> NAT Settings -> NAT Passthrough to turn off PPTP, L2TP, IPSEC, etc. based on the protocol the VPN is using.
Block All VPN Sites
Create a blocking rule that blocks all VPN sites on any device; this will prevent your devices from connecting to VPN sites.