Help to drop VPN connection

Hello
Does anyone have an idea how to block a VPN connection like the "Psiphon" VPN program on a MikroTik server?
Regards

No answer

Up up

Are you wanting to block all VPNs from end users, or just specific programs? What you want to do will determine the path you take. Either one will require leg work and testing on your part to make sure it works as you desire and is not preventing traffic that you want to allow.

For all VPNs, you can watch for well known and documented connections and block that kind of traffic in the forward chain, like L2TP, GRE, UDP 500, UDP 4500, IPsec, and so on. You can also define a policy on your network that you will only allow a very limited set of protocols and block everything else. Depending on what kind of network you are in this may not be acceptable. It will also likely not be easy, or even possible, to block something like SSTP without knowing the VPN endpoints, because it tunnels over HTTPS. SSTP was specifically designed to bypass firewalls.

For specific programs, you need to research exactly how they work and what protocols they use. This will be the tricky part because you will likely end up blocking more kinds of traffic than you want to, so you need to find ways to narrow down that traffic. For example, what kind of VPN protocol do they use (IPsec, SSTP, or something else)? Then block that traffic specifically. You can also try to find out what IP addresses their service uses and block communication to those IP addresses. In the latest RC you can also have firewall rules that dynamically resolve a domain name and use that to block traffic.

So in short, there is no quick and easy answer. You need to understand what you want to do, the possible impact, how a VPN works, and then understand what rules you are putting into place and what they do. Otherwise you are just asking for a support nightmare.
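As an added illustration of the two approaches in the reply above (not code from the original thread or from MikroTik), here is a RouterOS forward-chain rule set that drops the well-known VPN protocols from the LAN and blocks a provider by DNS name through an address list. The LAN subnet 192.168.88.0/24, the list names and the hostname vpn-provider.example are assumptions for the example, not real Psiphon endpoints; the OpenVPN default port is included as one more "and so on" protocol beyond those the reply names.

```routeros
# Added example, not from the original thread. Assumes the office LAN is
# 192.168.88.0/24 and that vpn-provider.example is a placeholder hostname.
/ip firewall address-list
add list=lan address=192.168.88.0/24 comment="office LAN (assumed)"
# A DNS name in an address list is resolved by the router itself and refreshed
# when the record's TTL expires (RouterOS 6.38rc and later).
add list=vpn-blocked address=vpn-provider.example comment="placeholder VPN endpoint"

/ip firewall filter
# IPsec: IKE (UDP 500), NAT-T (UDP 4500) and the ESP/AH transport protocols
add chain=forward action=drop src-address-list=lan protocol=udp dst-port=500,4500 comment="block IKE / NAT-T"
add chain=forward action=drop src-address-list=lan protocol=ipsec-esp comment="block ESP"
add chain=forward action=drop src-address-list=lan protocol=ipsec-ah comment="block AH"
# PPTP: TCP 1723 control channel plus the GRE tunnel it sets up
add chain=forward action=drop src-address-list=lan protocol=tcp dst-port=1723 comment="block PPTP control"
add chain=forward action=drop src-address-list=lan protocol=gre comment="block GRE (PPTP tunnel)"
# L2TP without IPsec
add chain=forward action=drop src-address-list=lan protocol=udp dst-port=1701 comment="block L2TP"
# OpenVPN on its default port (UDP and TCP)
add chain=forward action=drop src-address-list=lan protocol=udp dst-port=1194 comment="block OpenVPN default UDP"
add chain=forward action=drop src-address-list=lan protocol=tcp dst-port=1194 comment="block OpenVPN default TCP"
# Anything to the addresses the DNS name above resolved to
add chain=forward action=drop src-address-list=lan dst-address-list=vpn-blocked comment="block listed VPN endpoints"
```

Check hit counts with `/ip firewall filter print stats` and the resolved entries with `/ip firewall address-list print` while a test client tries to connect. This style of rule set only catches the protocols it names: a client tunnelling over TCP 443 (SSTP, or a provider that falls back to HTTPS on a changing pool of addresses) passes straight through it, which is why the reply treats endpoint discovery and policy as the larger part of the job.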

Thanks for the reply.
I need to block the VPN program named "Psiphon VPN" from the whole network,
because I blocked social media like Facebook,
but any user in the company using Psiphon VPN can open the social media websites.
How can I block the program?
I tried to use Torch and I blocked more than 190 IP addresses for the program; in the end the program was still working, according to the rule readings.

A quick Google search shows this information about that program specifically; you can use that information to modify your current firewall setup:
https://www.bestvpn.com/blog/11635/psiphon-review/
https://www.quora.com/How-does-psiphon-work

It appears to use multiple different types of VPN to bypass being detected and to sneak by your policies, as well as a lot of IP addresses. So you really haven’t answered what kind of network you are in, but since you mentioned social media specifically, I’m going to assume that you are in a corporate environment, and you are wanting to enact a policy so the work force does not visit undesired pages.

For this you will need to enact a couple of things.
1.) A clear policy with HR that contains the consequences for someone who violates this policy. This is really the most important part, since trying to stop everything that you don't want is going to be a constant game of cat and mouse. However, if the employee is aware of the policy and is caught violating it, then you can discipline as needed.
2.) Enact a network policy that restricts what users have access to. Like I said, it can be a constant game of cat and mouse as they find ways of getting around what you want. But you can have in place something like this for a forward chain of firewall rules. ONLY USE THESE IF YOU KNOW WHAT YOU ARE DOING.
a.) Accept related and established connections
b.) Drop invalid connections
c.) Allow TCP 53, 80, 443 from LAN
d.) Allow UDP 53 from LAN
e.) Drop everything else.

A firewall setup like that will only allow DNS, HTTP, and HTTPS traffic from users on the LAN. I don't know enough about your situation or setup to guide you through a complete firewall set that will meet your needs. You will need to do the leg work and define the things that you want to allow and the things you do not want to allow. Anything that you want to allow, just add the rule before the drop-everything one. Doing something like this will generate support calls and issues because all kinds of programs will no longer work, and there will be a lot of pain adjusting to the new setup for everyone involved.
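The five-step forward chain from the reply above, written out as RouterOS commands. This is an added example, not code from the original thread or from MikroTik; the LAN subnet 192.168.88.0/24 and the address-list name are assumptions, and the logging rule before the final drop is an addition so that you can see what the policy is about to break before it goes live.

```routeros
# Added example, not from the original thread. Assumes the office LAN is
# 192.168.88.0/24; adjust the address list to your own subnets.
/ip firewall address-list
add list=lan address=192.168.88.0/24 comment="office LAN (assumed)"

/ip firewall filter
# a) keep replies to connections the firewall already allowed
add chain=forward action=accept connection-state=established,related comment="a) accept established/related"
# b) discard packets that belong to no tracked connection
add chain=forward action=drop connection-state=invalid comment="b) drop invalid"
# c) DNS, HTTP and HTTPS over TCP from the LAN
add chain=forward action=accept src-address-list=lan protocol=tcp dst-port=53,80,443 comment="c) allow TCP 53/80/443 from LAN"
# d) DNS over UDP from the LAN
add chain=forward action=accept src-address-list=lan protocol=udp dst-port=53 comment="d) allow UDP 53 from LAN"
# Any further accept rules go here, before the final drop.
# Log what the policy is about to reject (rate-limited by RouterOS itself);
# review the log for a few days before trusting the rule set.
add chain=forward action=log log-prefix="fwd-drop: " comment="log before drop"
# e) everything else
add chain=forward action=drop comment="e) drop everything else"
```

On a router that already has forward rules, `add` appends after them, so use `place-before=` (or move the rules in WinBox) to get this order; `/ip firewall filter print stats` then shows which rule each flow is hitting, and `/log print where message~"fwd-drop"` shows what the final drop is catching. Two caveats a practitioner would want: the chain accepts TCP 443 and UDP 53 to any destination, so a VPN that tunnels over HTTPS or over DNS still fits through the whitelist, and nothing here limits DNS to the router's own resolver, which is what makes a DNS-name address list or a DNS-based block enforceable. The whitelist narrows what a tunnel can use; it does not make the HR policy in point 1 unnecessary.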

He has asked this in the Beginner forum as well and got the same response long ago.
But when the answer does not suit him, he just tries again…
Also one of his habits is writing “No answer” or “Up Up” in threads, it is better to ignore those people…

I think it’s pretty necessary to use a fast VPN which doesn’t let a VPN connection drop easily.

His problem is not to find a fast VPN, but his problem is he wants to prevent his users from doing so.
He wants to block certain sites and those VPNs offer his users a way around his blocks.