I’m trying to work out how to make Proton VPN apps respect router-level OpenDNS settings, but I’m a bit lost.
I have set up OpenDNS at router-level and it’s working really well over my home network. No problem there. However, the moment Proton VPN is activated on a device connected to the home network, OpenDNS fails to work on that device.
I can change the DNS settings within the ProtonVPN app, but 1/ that doesn’t seem to work, and 2/ it kinda defeats the purpose of OpenDNS.
What I’m looking for is a way to make any Proton (or other) VPN app obey the OpenDNS rules at router level.
Is this possible?
I know I can configure ProtonVPN within rOS using WireGuard, but I’m not convinced this will resolve the issue. It won’t resolve other VPN vendor apps.
I wouldn’t want any leakage out of my local WAN, but I would like to protect my family from certain sites while using a VPN app. So I’m trying to find a way for any VPN app (on a mobile, etc…) to honour the DNS settings (ergo, the OpenDNS service) on the router.
Seems pointless trying to protect when a VPN can just override good intentions.
If what I’m looking for isn’t possible, is it possible to block any commercial VPN from having access to a network? Naturally, any non-commercial VPN that uses the home router as a far end point would be exempt, like BTH, because then the home router’s DNS settings should still be honoured.
I don't think that's possible without going to each device and changing the Proton app or OS settings on each device.
When your devices run the VPN apps individually, then the switches and routers and access points in your network are no different from your ISP or your government (if you live in an authoritarian country, but I think NZ does not apply in this case) in the fact that they can only see the encrypted streams of packets, and can only block or drop the packets, but are unable to decode, manipulate, or change their content.
Imagine that your router is somehow able, through some magical means, to redirect the DNS queries inside the encrypted streams of packets without having access to the apps on your client devices. What prevents malicious ISPs or authoritarian governments from doing the same? And if they were able to do that, then it would mean the encryption used by the VPNs is totally broken and ineffective.
You might have been forgiven for believing it got seriously close to NZ a few years back, lol.
Thanks for the explainer @CGGXANNX, so the answer is lost at router level then.
More generally, it’s pretty sad for the families struggling to contain porn addiction at home, short of standing over them every time they go online, watching where they go and what they view. Banning VPN apps on phones might work, but then you’d have to somehow lock down every phone from accessing play/app stores. But lots of kids are tech-savvy (or have friends that are) who could quickly break what locks are on their devices.
Well, that is easy: that cannot be done. The idea of a VPN is that all traffic is encrypted and sent to/received from a server elsewhere. Your router, whether MikroTik or not, has no idea what the traffic is, DNS requests or otherwise.
The reason VPNs were “invented” (well not really invented, it was an existing concept but it is now deployed in a different way) precisely is to prevent you from doing what you now want to do: watch what your kids are doing. When you don’t like that, you will have to prevent your kids from using a VPN.
Yup. But an own goal for VPN companies, because the noose is tightening. Already in the UK and Australia legislation has been passed to ‘prevent’ under-16s from accessing social media (and indirectly porn). Only a matter of time before governments realise that under-16s will just use commercial VPNs and they’ll change the law accordingly. When that happens, it’ll only be a matter of time before commercial VPNs are banned outright. Then we all lose.
It’s not the part that encrypts that’s the issue. It’s the router being smart enough to detect a VPN has just been activated on a particular device and block the VPN on that device before it creates the tunnel (in the same way public libraries do), rendering the VPN ineffective on that device. Maybe in the future this will be a thing for home admins too. Could be a lifesaver for caring parents, literally.
More broadly, maybe the onus is on commercial VPN providers to provide a solution that can be administered remotely by the home admin. Seems to me that going forward, their business may depend on it.
The problem with that is, the VPN companies are creative too. At first they used protocols like OpenVPN and WireGuard and you could just block the corresponding port in the firewall, but more and more often they will run (or offer the option of) a tunnel over TLS (HTTPS), and you cannot block that because nothing would work anymore. You can use a firewall rule that blocks some certificate name, but there are so many available services that you really cannot block them all. Plus, protocols have already been developed that encrypt the certificate name in the TLS handshake, so that is a dead end too.
I do not use such a commercial VPN, but it always surprises me how they can get away with sales pitches like “use our VPN and you can work around the geoblocking done by media companies”. Media companies are amongst the most powerful in the world, they have a much bigger influence on governments than those groups that want to ban social media. They have even got an exception here in the EU on the free trade of goods and services, which is the original base of the EU. Everything that is for sale in one country in the EU can be bought everywhere, except media services. Still, those VPN companies can advertise “screw those media companies and their rights, you can view TV and movies from country X everywhere via our VPN”. And that still survives.