How to block Adguard LOCAL VPN

There is a corporate network with a Mikrotik CCR2004 as the main router. Network clients are PCs and mobile devices.
A standalone Pi-Hole DNS server is used for security purposes.
Pi-Hole blocks unwanted domains.
For Pi-Hole to work successfully, there are some Mikrotik settings:

  1. The Pi-Hole server is assigned as the DNS server to all clients except the Pi-Hole itself
  2. All external (to WAN) forward traffic to ports 53 and 853 is blocked for all devices except the Pi-Hole server itself
  3. Forwarding to UDP 80 and 443 is blocked
  4. Some popular “classical” VPNs are blocked too according to their specific parameters - port number, IP addresses, domain name.
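Settings 1 to 3 written out as RouterOS commands, as an added example rather than the original poster's configuration; the Pi-Hole address 192.168.10.2, the address-list name pihole and the interface list WAN are assumptions, and a log rule is put in front of the drops for auditing.

```routeros
# Assumptions constructed for this example: Pi-Hole at 192.168.10.2 and an
# interface-list "WAN" holding the uplink ports (present in the default config).

# Address list lets the Pi-Hole be excluded with a negated matcher (!pihole)
/ip firewall address-list add list=pihole address=192.168.10.2 \
    comment="Pi-Hole resolver"

# 1. DHCP hands out only the Pi-Hole as DNS server to every client subnet
/ip dhcp-server network set [find] dns-server=192.168.10.2

# 2. Only the Pi-Hole may reach external resolvers: plain DNS (53) and DoT (853).
#    Order matters: these drops must sit above the generic forward accept rules.
/ip firewall filter
add chain=forward action=drop protocol=udp dst-port=53 \
    out-interface-list=WAN src-address-list=!pihole \
    comment="drop direct external DNS (udp) except Pi-Hole"
add chain=forward action=drop protocol=tcp dst-port=53,853 \
    out-interface-list=WAN src-address-list=!pihole \
    comment="drop direct external DNS/DoT (tcp) except Pi-Hole"

# 3. Drop QUIC (udp 80/443) so HTTP/3 falls back to TCP 443, where the TLS
#    ClientHello is still visible to matchers such as tls-host
add chain=forward action=drop protocol=udp dst-port=80,443 \
    out-interface-list=WAN comment="drop QUIC / HTTP3"

# Audit first: log (not drop) direct external DNS attempts at the top of the
# chain to find clients that hard-code a resolver before they lose DNS
add chain=forward action=log log-prefix="ext-dns " protocol=udp dst-port=53 \
    out-interface-list=WAN src-address-list=!pihole place-before=0 \
    comment="audit direct external DNS attempts"
```

Under rule 2 a client with a hard-coded resolver loses DNS entirely; redirecting such queries to the Pi-Hole with a dstnat rule is the usual alternative, but it needs hairpin NAT when client and Pi-Hole share a subnet.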

This security scheme worked well enough until one of the employees installed the Adguard app on his phone to bypass the restrictions.
This Adguard app encapsulates a so-called “local VPN”.

I installed the same Adguard app on one of my test Android devices to learn how it works.
I set Mikrotik->Firewall->Mangle with action “Sniff TZSP” and I can capture my test device's traffic in Wireshark.
I see all connections in Wireshark but I can't catch the Adguard-specific ones.
Is there a way to fight such a local VPN?

Incorporate some MDM solution for company devices to manage the installed software and configuration on them, and deny other personal devices from connecting to that network. Not sure there is an ultimate solution on MT that can block all kinds of VPNs and proxies, unless you implement reverse logic - not to block something, but to allow only specific hosts/domains/IPs…

Also, my understanding is you need an application level gateway or some service (Untangle comes to mind, but they were bought out, so it's Arista now!)

or Cisco Umbrella…

Adguard essentially reinvented and improved SSTP. But now it is Adguard's proprietary protocol instead of Microsoft's proprietary protocol. I use SSTP for the exact same reason - for most firewalls it looks like a big HTTPS download. Adguard went even further and makes multiple smaller connections. IMHO not distinguishable from ordinary web browsing.

Anyway, as others pointed out, you would need a different device, which would have to decrypt the traffic. That isn't really an option on Mikrotik.

Thank you for the hint about SSTP.
So further searching for “detect sstp” led to another hint:

SSTP can be detected using a regular Mikrotik. It is enough to check for the presence of the SNI header in the ClientHello packet. If it is not there, we most likely have SSTP.

None of the clients of our network use SSTP, so I would like to block any SSTP traffic.
How to block SSTP practically using the “SNI header” hint above?

Bad employer, bad.

Even if you somehow block this, how do you plan to block, for example, Shadowsocks + v2ray on port 443 with TLS 1.3?

Let’s say it can block all connections without SNI…
Now pretty much all of Google & Co. are on TLS 1.3, so that would block everything…

P.S.: With a little bit of knowledge, and unblocked Google services, it is possible to bypass any firewall/filter without the slightest problem… (I’m not referring to DNS…)

Who owns adguard, the FSB? :wink:

You can ask the IR government; they successfully blocked it.

They didn’t block it for cheap.

No, what they did was put a significantly higher price on services. So they can use our own F money for doing the F filtering.
They are cheap as F.

By these comments here https://github.com/net4people/bbs/issues/171 they are just throttling upload. I guess they are identifying large TLS traffic to a single outside-country endpoint (maybe with the exclusion of some common safe domains) as suspect and then throttle upload to that endpoint, which then limits the VPN/proxy connection speed to the point of uselessness.

IR has different types of censorship on different ISPs.

Yes, depends on what is used. I initially mentioned a proxy with protocol obfuscation, which is an encrypted SOCKS5 proxy protocol encapsulated into HTTP requests (POST) over TLS 1.3, which can't be detected as a proxy connection exactly, but it can be suspicious due to the amount of upload traffic to a single service.

That is unfortunately not true. See the packet from my SSTP VPN handshake, which clearly shows the SNI extension:
[attached screenshot: Wireshark_JtXiGFUj7U.png]
The same will apply to any other TLS-encrypted traffic, no matter what it is. TLS is a standardized protocol for encryption, fully independent of the data inside. Be it a video stream, website, large file download, VPN … it will all look the same.

@anav was right concerning who owns Adguard…
I did some research and came to a clear conclusion: Adguard belongs to the Russian intelligence services. The FSB does not invest money in this system in vain; they need such a system.
If anyone doubts it, just look at what a powerful server infrastructure they have built. To do this, it is enough to look at the information on otx.alienvault.com by domains:


Most of the servers are at Cloudflare, but the key servers are in the terrorist state Russia.
So I decided not to waste my time on Adguard and just blocked the “cunning” user until he removed the Russian crap from his phone.

Now you have identified one VPN that you do not like, and you may be able to block it in some way, but you will have to live with the fact that there are many different VPN providers, from “good” and “bad” guys, and that you will never be able to block them all.
So your original design assumption that you can block sites (for security or whatever) using a Pi-Hole DNS server unfortunately is no longer valid.