Using VPN to bypass security
My kid is using X-VPN app on iPhone to easily bypass all controls I put on Firewalla gold defeating the entire purpose of Firewalla. Is there a way to prevent users from connecting to external VPN from inside our home network?
-
First, there is no solution in the world that can block all VPNs. Even at the nation-state level, blocking VPN has always been a cat + mouse game. But with a small bit of work, it may be possible in a small network.
Some VPNs are fairly easy: you can block ports like 1194, or you can use the built-in blocker like "family mode"; when that is on, some of the well-known VPN services may be blocked.
Now, since the home network is small, it should be possible to block these things, but ... it may involve you looking at the flows a bit. The best tutorial is something like this; what you need to do is find the flow that's pretty large and just cut that off. https://help.firewalla.com/hc/en-us/articles/360050863873-How-to-block-an-application-using-Firewalla-Network-Flows-
-
Thanks for quick response! I understand it is a cat + mouse game. But are you even in the game at this time? If yes, I would expect you to block some of the common VPN sites. I see that you have a Beta for "All VPN Sites". I tried using that to block. That did not help. You need to release VPN blocking soon and keep constantly updating it (chase those mice hard!! Keep catching as many as you can quickly!!)
Look here is where I am coming from. If it is so easy to defeat or bypass the security, why even bother. I might as well return your equipment. I am unnecessarily slowing down the "good" traffic.
-
Yes, we are constantly trying to make things better for sure.
In your case, have you tried "family mode"? This mode actually blocks some of the well-known VPN services. If that does not work, can you use the method here and look at the flows? https://help.firewalla.com/hc/en-us/articles/360050863873-How-to-block-an-application-using-Firewalla-Network-Flows-
If you see something, let us know; we can make a signature to block it.
-
Wait! I noticed all those IP addresses are connecting to ports higher than 50000. Can we block all ports higher than 50000? It looks like you are giving the ability to block a single port, not a range or a higher-than/lower-than feature. Well, you have some serious catching to do with the mice. You should be able to come up with an algorithm that can block VPN tunnels. Please make that high priority for your engineering team.
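The approach suggested in the replies (look at the flows, find the large ones) and the observation above (connections to ports above 50000) can be combined into a simple triage pass over flow records. The script below is an added example written for this thread, not Firewalla code or a Firewalla feature; the flow record layout, the thresholds, and the sample flows are all constructed for illustration.

```python
# Added example: flag flows that look like VPN tunnels so a parent can
# decide what to block. Record format is a constructed simplification
# (device, proto, dest IP, dest port, bytes out, duration); not Firewalla's.
from dataclasses import dataclass

# Ports commonly used by VPN protocols: OpenVPN, IKEv2/IPsec, WireGuard default.
VPN_PORTS = {1194, 500, 4500, 51820}
HIGH_PORT_MIN = 50000          # threshold from the thread: "ports higher than 50000"
LARGE_FLOW_BYTES = 50_000_000  # constructed cutoff for "a flow that's pretty large"

@dataclass
class Flow:
    device: str
    proto: str
    dst_ip: str
    dst_port: int
    bytes_out: int
    duration_s: int

def vpn_signals(flow: Flow) -> list:
    """Return the reasons a flow looks like a VPN tunnel (empty list = no signal)."""
    reasons = []
    if flow.dst_port in VPN_PORTS:
        reasons.append(f"well-known VPN port {flow.dst_port}")
    if flow.proto == "udp" and flow.dst_port >= HIGH_PORT_MIN:
        reasons.append("udp to a high port")
    if flow.bytes_out >= LARGE_FLOW_BYTES:
        reasons.append("large sustained transfer")
    if flow.proto == "udp" and flow.duration_s >= 3600:
        reasons.append("long-lived udp session")
    return reasons

def suspect_flows(flows, min_signals=2):
    """Per device, list (dst_ip, dst_port, reasons) for flows with enough signals.
    Requiring two signals keeps a single big HTTPS download from being flagged."""
    out = {}
    for f in flows:
        reasons = vpn_signals(f)
        if len(reasons) >= min_signals:
            out.setdefault(f.device, []).append((f.dst_ip, f.dst_port, reasons))
    return out

# Constructed sample flows (documentation addresses, not real captures).
SAMPLE = [
    Flow("kids-iphone", "udp", "203.0.113.10", 55123, 820_000_000, 7200),
    Flow("kids-iphone", "tcp", "203.0.113.10", 443, 2_000_000, 30),    # ordinary https
    Flow("kids-iphone", "udp", "198.51.100.5", 1194, 120_000_000, 5400),
    Flow("tv", "tcp", "192.0.2.20", 443, 4_000_000_000, 6000),        # big but plain https
]
```

The flagged destination IP/port pairs are the candidates to block with a flow rule; the ordinary HTTPS flows, even the large one from the TV, are left alone.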