chenashop
just joined
Topic Author
Posts: 6
Joined: Mon Apr 03, 2017 9:42 pm

how to block vpn

Sun Apr 09, 2017 10:11 pm

There is a free extension in Google Chrome, Betternet free VPN, which made bypassing any kind of content filtering unbelievably easy. I tried all kinds of port blocking and GRE blocking to block this kind of VPN, but no success.

Any idea?

TIA
 
msatter
Forum Guru
Posts: 1459
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: how to block vpn

Sun Apr 09, 2017 10:18 pm

OpenVPN can connect over port 80 or 443 so blocking them is almost impossible.

You can only look to which IP addresses they go and block those.
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.47.beta.x / Winbox 3.21 / MikroTik APP 1.3.12
NordVPN viewtopic.php?f=2&t=158439&p=781009 for multiple connections.
 
shaoranrch
Member Candidate
Posts: 184
Joined: Thu Feb 13, 2014 8:03 pm

Re: how to block vpn

Mon Apr 10, 2017 3:23 am

> There is a free extension in Google Chrome, Betternet free VPN, which made bypassing any kind of content filtering unbelievably easy. I tried all kinds of port blocking and GRE blocking to block this kind of VPN, but no success.
>
> Any idea?
>
> TIA

Unfortunately there's no easy solution for this nor a solution that fixes everything. VPNs like OpenVPN for instance can bypass port blocking because you can choose what port to use and even the protocol.

If this is an enterprise where you've got control over the devices the employees use, try:

1. Using a UTM/NGFW; these devices can do deep packet inspection and detect app signatures so they can block these
2. Use a web proxy and block any kind of access to the internet not passing via it; make the proxy work with HTTPS and block anything not allowed
3. Block any port to any IP that has not been previously allowed by internal security policies
4. Block devices' usage of extensions on web browsers
5. Make the computer firewall block DNS requests to non-allowed DNS servers; you can do it as well in a network-wide policy via firewall; use a service like OpenDNS

Points 1 and 2 require the use of a domain service and GPOs to make devices trust forged certificates for SSL/TLS connections; points 4 and 5 require GPOs to lock the computer's functions.

I'm quite sure there are a lot of other things you've gotta do, as mentioned, this is not an easy task nor one that can be achieved doing just a few commands over a single device.
Rafael Carvallo
Telecommunications Engineer

Need consultation?
Need a hotspot with facebook integration?
Send a PM!

We speak Spanish and serve the Latin American market; visit our website:
http://www.tuproximosalto.com
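
The egress controls from points 2, 3 and 5 of the reply above, written as RouterOS firewall rules. This is an added example, not part of the original post; the interface names (`bridge-lan`, `ether1-wan`), the proxy address 192.168.88.10 and the address-list names are assumptions, and the two resolver addresses are OpenDNS's public resolvers.

```routeros
# Added example; interface names, proxy address and list names are assumed.
/ip firewall address-list
add list=allowed-dns address=208.67.222.222 comment="OpenDNS resolver"
add list=allowed-dns address=208.67.220.220 comment="OpenDNS resolver"
add list=web-proxy address=192.168.88.10 comment="filtering proxy (assumed address)"

/ip firewall filter
# Replies to connections that an earlier rule already permitted.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# Point 5: DNS is allowed only to the approved resolvers, over UDP and TCP.
add chain=forward in-interface=bridge-lan protocol=udp dst-port=53 \
    dst-address-list=allowed-dns action=accept
add chain=forward in-interface=bridge-lan protocol=tcp dst-port=53 \
    dst-address-list=allowed-dns action=accept
# Point 2: only the proxy host may open web connections to the internet.
add chain=forward src-address-list=web-proxy out-interface=ether1-wan \
    protocol=tcp dst-port=80,443 action=accept
# Point 3: everything else leaving the LAN is dropped and logged,
# regardless of port or protocol.
add chain=forward in-interface=bridge-lan out-interface=ether1-wan \
    action=drop log=yes log-prefix="egress-deny"
```

Because the last rule denies by default, a client that moves its VPN to port 443 is still dropped unless it goes through the proxy, and the `egress-deny` log entries show which clients are trying. The proxy still has to handle HTTPS and block what is not allowed, as point 2 says.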
 
r4z0r84
just joined
Posts: 1
Joined: Thu May 25, 2017 2:09 pm

Re: how to block vpn

Thu May 25, 2017 2:26 pm

I came up with a solution today that sounded absolutely insane, but it works with iPads as they can only select a single VPN service.

First you set up a secondary gateway with no internet access, give this server an IIS/Apache server ("only hosts VPN profile"), set up a QR code for people to scan,
filter/block the devices' MAC address from registering in DHCP so that you can give access to only this new secondary gateway,
set up a wireless profile with a static IP address set and the above gateway, DNS server as gateway as well,
set up a local VPN service to allow users to connect to the "real" network,
require them to install the VPN service profile from the Apache server to gain access to the internet.

If they turn the VPN off, no internet.
If they turn it to auto config from static, no internet (due to DHCP).
If they turn on another VPN, no internet due to no DHCP or real VPN connection to the real network.

iPad > fake gateway > VPN > real gateway > proxy server > internet.

With the above set in place it's impossible for them to use any other VPN; you may also need to poison your DNS for well-known offenders.
 
aadi
just joined
Posts: 3
Joined: Wed May 09, 2018 12:55 pm

Re: how to block vpn

Wed May 09, 2018 3:39 pm

Dear r4z0r84,

Please guide me through this setup in detail, if possible with images, please.

Thanks
 
aadi
just joined
Posts: 3
Joined: Wed May 09, 2018 12:55 pm

Re: how to block vpn

Fri May 11, 2018 6:17 pm

Dear r4z0r84,

Please make a video of this setup and share it, please. I really need it.
 
MangleRule
Frequent Visitor
Posts: 60
Joined: Mon May 07, 2018 1:05 am

Re: how to block vpn

Fri May 11, 2018 7:36 pm

> Dear r4z0r84,
>
> Please make a video of this setup and share it, please. I really need it.


What is the purpose of blocking the VPNs? What is suggested above is a terrible idea! Even if you force every client to use your VPN to get primary access, someone can just run a VPN tunnel inside of that tunnel and you are back to square one. You are introducing so much complexity when it doesn't improve security and it makes network performance worse because most VPN technologies impact your MTU and with encryption it will use more resources on the router.
MTCNA | MTCRE | MTCINE | MTCTCE | MTCUME | UBWA
 
aadi
just joined
Posts: 3
Joined: Wed May 09, 2018 12:55 pm

Re: how to block vpn

Thu May 17, 2018 12:51 pm

> > Dear r4z0r84,
> >
> > Please make a video of this setup and share it, please. I really need it.
>
> What is the purpose of blocking the VPNs? What is suggested above is a terrible idea! Even if you force every client to use your VPN to get primary access, someone can just run a VPN tunnel inside of that tunnel and you are back to square one. You are introducing so much complexity when it doesn't improve security and it makes network performance worse because most VPN technologies impact your MTU and with encryption it will use more resources on the router.

So please advise me what I can do about these types of extensions.
