Hello
Experience difficulty to how can block " psiphon vpn"
if any one have idea please share it here .

Thank you
regards

No answer

No answer
No answer

That you mean: https://psiphon.ca/index.html ? I do not know why but you can block with firewall all psiphon IP-address.

That you mean: https://psiphon.ca/index.html ? I do not know why but you can block with firewall all psiphon IP-address.

yes i meaning that,,
but you can help me to drop it from Mikrotik server
what's protocol and range ip's program use to try drop ?

What you mean "drop from Mikrotik servers"?

If you want block some service please block all protocol and port connect to dst-address (phipson servers). I do not understand why you block only one VPN Service. I think it very difficult block because service uses multiple IP-address pool.

What you mean "drop from Mikrotik servers"?

If you want block some service please block all protocol and port connect to dst-address (phipson servers). I do not understand why you block only one VPN Service. I think it very difficult block because service uses multiple IP-address pool.

in my company
i block all website and application of social media like facebook .. etc
any one of user's in company when used application of psiphon vpn will can open all social media
when i tried to torch the vpn application ,, was have difficult range's of ip address .
how can drop vpn in mikrotik ?
regards

Once you have succeeded in blocking psiphon vpn the people will find another vpn that you have not blocked.
The best way to avoid such situations is make them sign a contract that forbids the activities you do not like
to see in your company, so you can fire them when they breach it.
All technical measures will fail sooner or later, certainly when you allow direct (NAT-)routing to internet from your
user's systems. They only way you can sort of keep things under control is by running a proxy and forcing
the users through it, but even then it will have to be a more advanced proxy than is available in a MikroTik
router when you want to block everything. And it will be a dayjob to monitor and reconfigure it to track the
changes in available software and tricks that occurs over time.

The less you block, the less headache you will have. You should not BLOCK the services, but make good, reliable, reasonable policies regarding internet usage.

Do not let the disability of manager who cannot "control" the productivity of their employees to have you solved by "technical" means.


This issue (blocking of social media, VPN etc...) is higher than the technical solution. This should be discussed and taken care of at higher management layers.

If you block social media because the employees "sit the entire day on Facebook".... etc.... then it is a management problem not technical.

Once you have succeeded in blocking psiphon vpn the people will find another vpn that you have not blocked.
The best way to avoid such situations is make them sign a contract that forbids the activities you do not like
to see in your company, so you can fire them when they breach it.
All technical measures will fail sooner or later, certainly when you allow direct (NAT-)routing to internet from your
user's systems. They only way you can sort of keep things under control is by running a proxy and forcing
the users through it, but even then it will have to be a more advanced proxy than is available in a MikroTik
router when you want to block everything. And it will be a dayjob to monitor and reconfigure it to track the
changes in available software and tricks that occurs over time.

Thank you for your reply
My boss told me to block 2 program of vpn which are :
Psiphon vpn
Hotspot Shield
Now i block hotspot shield then i need to block other one,,
Any idea to drop program Please write here
Regards

The less you block, the less headache you will have. You should not BLOCK the services, but make good, reliable, reasonable policies regarding internet usage.

Do not let the disability of manager who cannot "control" the productivity of their employees to have you solved by "technical" means.


This issue (blocking of social media, VPN etc...) is higher than the technical solution. This should be discussed and taken care of at higher management layers.

If you block social media because the employees "sit the entire day on Facebook".... etc.... then it is a management problem not technical.

I can not control my staff after using the program to open the social communication sites so i need to block the famous programs of vpn.
Regards

You have a different problem, not related to routers and networking.

The less you block, the less headache you will have. You should not BLOCK the services, but make good, reliable, reasonable policies regarding internet usage.

Do not let the disability of manager who cannot "control" the productivity of their employees to have you solved by "technical" means.


This issue (blocking of social media, VPN etc...) is higher than the technical solution. This should be discussed and taken care of at higher management layers.

If you block social media because the employees "sit the entire day on Facebook".... etc.... then it is a management problem not technical.

I can not control my staff after using the program to open the social communication sites so i need to block the famous programs of vpn.
Regards

Remember one thing you can't fully or 100% stop the vpn program. bcoz of vpn program always searching & change the way from old destination or port.

The less you block, the less headache you will have. You should not BLOCK the services, but make good, reliable, reasonable policies regarding internet usage.

Do not let the disability of manager who cannot "control" the productivity of their employees to have you solved by "technical" means.


This issue (blocking of social media, VPN etc...) is higher than the technical solution. This should be discussed and taken care of at higher management layers.

If you block social media because the employees "sit the entire day on Facebook".... etc.... then it is a management problem not technical.

I can not control my staff after using the program to open the social communication sites so i need to block the famous programs of vpn.
Regards

Remember one thing you can't fully or 100% stop the vpn program. bcoz of vpn program always searching & change the way from old destination or port.

Yes my friend
But when i tried to drop hotspot shield vpn
I got the drop for stop working the program,,
Only the psiphon that difficult drop
Should method to drop it

Do you really think, that after you block the VPN program the employees will be brave, and honest, and will NEVER EVER use VPN anymore?

I can give you 100% guarantee: THEY WILL look for an alternative. Like OpenVPN, which even bypasses the great (fire) wall of China, Bhutan, Oman and other countries with very very strict control of VPN on COUNTRY level with very heavy (=expensive) equipment.

So do not think you can stop VPN with Mikrotik. No Way. Better to leave it open to use Facebook etc...

Do you really think, that after you block the VPN program the employees will be brave, and honest, and will NEVER EVER use VPN anymore?

I can give you 100% guarantee: THEY WILL look for an alternative. Like OpenVPN, which even bypasses the great (fire) wall of China, Bhutan, Oman and other countries with very very strict control of VPN on COUNTRY level with very heavy (=expensive) equipment.

So do not think you can stop VPN with Mikrotik. No Way. Better to leave it open to use Facebook etc...

Thank you but should the social media block in company

If you want to block this application, you will must to block all VPN which are not yours. You may read about Psiphon here or just follow the steps below to unblock the app:--
1. Enable DPI-SSL Client Inspection by going to DPI-SSL | Client SSL and selecting Enable SSL Client Inspection. Ensure that IPS, GAV, Spyware, and Application Firewall are selected.
2. Enable all Psiphon application signatures by going to Firewall | App Control Advanced. Select the category PROXY-ACCESS and application Psiphon. Configure the application to be blocked and logged.
3. Also block Encrypted Key Exchange TCP Random Traffic (SID 5).
4. Enable blocking of SSH app signature (SID 10097) "SSH -- Client Request Outbound", (or make access rule to block outbound TCP/22 SSH Service from LAN->WAN).