vitaly2016
Frequent Visitor, Topic Author
Posts: 65
Joined: Wed Jan 20, 2016 9:26 am
Location: Ukraine

How to block Adguard LOCAL VPN

Tue May 30, 2023 3:03 pm

There is a corporate network with a MikroTik CCR2004 as the main router. Network clients are PCs and mobile devices.
A standalone Pi-hole DNS server is used for security purposes.
Pi-hole blocks unwanted domains.
For Pi-hole to work there are some MikroTik settings:
1. The Pi-hole server is assigned as the DNS server to all clients except Pi-hole itself.
2. All external (to WAN) forward traffic to ports 53 and 853 is blocked for all devices except the Pi-hole server itself.
3. Forwarding to UDP 80 and 443 is blocked.
4. Some popular "classical" VPNs are blocked too according to their specific parameters: port number, IP addresses, domain name.

This security scheme worked well enough until one of the employees installed the AdGuard app on his phone to bypass the restrictions.
This AdGuard app encapsulates a so-called "local VPN".

I installed the same AdGuard app on one of my test Android devices to learn how it works.
I set up MikroTik -> Firewall -> Mangle with action "Sniff TZSP" and I can capture my test device in Wireshark.
I see all connections in Wireshark but I can't catch the AdGuard-specific ones.
Is there a way to fight such a local VPN?
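
The four MikroTik settings listed above, written out as RouterOS configuration. This is an added example and not the original poster's configuration: it assumes a LAN bridge named "bridge", WAN on "ether1", LAN subnet 192.168.88.0/24 and a Pi-hole with a static address of 192.168.88.53. The dst-nat rule at the end goes beyond the post's four points.

```routeros
# Added example, not the original poster's configuration.
# Assumptions: LAN bridge "bridge", WAN interface "ether1",
# LAN subnet 192.168.88.0/24, Pi-hole at 192.168.88.53 with a static IP
# (so it is not handed itself as resolver by DHCP).

# Interface list for the WAN side (skip the "add" if it already exists)
/interface list
add name=WAN
/interface list member
add list=WAN interface=ether1

# 1. Hand out Pi-hole as the only DNS server over DHCP
/ip dhcp-server network
set [find address="192.168.88.0/24"] dns-server=192.168.88.53

/ip firewall filter
# 2. Only Pi-hole may reach external DNS (53) and DNS-over-TLS (853).
#    The accept rules must sit above the drop rules; order matters.
add chain=forward action=accept src-address=192.168.88.53 \
    protocol=udp dst-port=53 out-interface-list=WAN comment="pihole upstream DNS"
add chain=forward action=accept src-address=192.168.88.53 \
    protocol=tcp dst-port=53,853 out-interface-list=WAN comment="pihole upstream DNS/DoT"
add chain=forward action=drop protocol=udp dst-port=53 out-interface-list=WAN \
    log=yes log-prefix="dns-bypass" comment="block DNS bypass"
add chain=forward action=drop protocol=tcp dst-port=53,853 out-interface-list=WAN \
    log=yes log-prefix="dns-bypass" comment="block DNS/DoT bypass"

# 3. Drop QUIC / HTTP-3 (UDP 80,443) so clients fall back to TCP
add chain=forward action=drop protocol=udp dst-port=80,443 out-interface-list=WAN \
    comment="block QUIC"

# 4. "Classical" VPNs by their fixed ports and protocols
#    (IKE 500/4500, OpenVPN 1194, L2TP 1701, WireGuard 51820, ESP, PPTP)
add chain=forward action=drop protocol=udp dst-port=500,1194,1701,4500,51820 \
    out-interface-list=WAN comment="block VPN ports"
add chain=forward action=drop protocol=ipsec-esp out-interface-list=WAN comment="block ESP"
add chain=forward action=drop protocol=gre out-interface-list=WAN comment="block PPTP GRE"
add chain=forward action=drop protocol=tcp dst-port=1723 out-interface-list=WAN comment="block PPTP"

# Extra, beyond the four points: clients that hard-code an external resolver
# (8.8.8.8 and friends) are redirected to Pi-hole instead of just being dropped.
/ip firewall nat
add chain=dstnat in-interface=bridge src-address=!192.168.88.53 protocol=udp dst-port=53 \
    action=dst-nat to-addresses=192.168.88.53 to-ports=53 comment="force DNS via pihole"
```

Check the resulting order with /ip firewall filter print and watch the "dns-bypass" log prefix for clients that try to go around Pi-hole. Note what this does not cover: DNS-over-HTTPS and anything else carried inside TLS on TCP 443 passes these rules untouched, which is exactly the gap the rest of the thread is about.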
 
optio
Long time Member
Posts: 655
Joined: Mon Dec 26, 2022 2:57 pm

Re: How to block Adguard LOCAL VPN

Tue May 30, 2023 3:58 pm

Incorporate some MDM solution for company devices to manage the installed software and configuration on them, and deny other personal devices from connecting to that network. Not sure there is an ultimate solution on MT that can block all kinds of VPNs and proxies, unless you implement reverse logic: not to block something, but to allow only specific hosts/domains/IPs....
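
The "reverse logic" suggested above, allow-listing destinations instead of block-listing VPNs, as an added RouterOS example that is not from the thread. It assumes a LAN bridge named "bridge", an interface list "WAN" and a Pi-hole at 192.168.88.53; the destinations in the address list are placeholders.

```routeros
# Added example, not from the thread.
# Assumptions: LAN bridge "bridge", interface list "WAN", Pi-hole at
# 192.168.88.53; the allow-listed destinations below are placeholders.

# The router resolves domain-name entries in address lists itself, so point
# it at the same resolver the clients use. Otherwise router and clients can
# get different answers for the same name and legitimate sessions get dropped.
/ip dns
set servers=192.168.88.53 allow-remote-requests=no

/ip firewall address-list
# Domain entries are resolved by the router and refreshed when their DNS TTL expires;
# the resolved addresses appear as dynamic entries in this list.
add list=allowed-dst address=example.com comment="placeholder: SaaS used by staff"
add list=allowed-dst address=mail.example.net comment="placeholder: mail server"
add list=allowed-dst address=203.0.113.10 comment="placeholder: ERP host (TEST-NET-3)"

/ip firewall filter
add chain=forward action=accept connection-state=established,related comment="return traffic"
add chain=forward action=drop connection-state=invalid
# Pi-hole is the only host allowed upstream DNS; nothing else from it is needed
add chain=forward action=accept src-address=192.168.88.53 protocol=udp dst-port=53 \
    out-interface-list=WAN comment="pihole upstream DNS"
add chain=forward action=accept src-address=192.168.88.53 protocol=tcp dst-port=53,853 \
    out-interface-list=WAN comment="pihole upstream DNS/DoT"
# Everyone else: only allow-listed destinations, the rest is dropped and logged
add chain=forward action=accept in-interface=bridge out-interface-list=WAN \
    dst-address-list=allowed-dst comment="allow-listed destinations"
add chain=forward action=drop in-interface=bridge out-interface-list=WAN \
    log=yes log-prefix="not-allowed" comment="default deny LAN->WAN"
```

Two caveats a practitioner should keep in mind. First, /ip firewall address-list print where list=allowed-dst shows which addresses a domain entry actually resolved to; if a service changes IPs faster than the TTL, sessions will fail until the entry refreshes. Second, an allow-list entry admits an address, not a service: a domain fronted by a CDN shares its addresses with every other tenant on that CDN, so allowing one Cloudflare-hosted site also admits anything else served from the same Cloudflare address, which matters in this thread because the AdGuard infrastructure is later noted to sit largely behind Cloudflare.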
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to block Adguard LOCAL VPN

Tue May 30, 2023 6:57 pm

Also, my understanding is you need an application level gateway or some service (Untangle comes to mind, but they were bought out, so it's Arista now!)
 
optio
Long time Member
Posts: 655
Joined: Mon Dec 26, 2022 2:57 pm

Re: How to block Adguard LOCAL VPN

Tue May 30, 2023 7:08 pm

> Also, my understanding is you need an application level gateway or some service (Untangle comes to mind, but they were bought out, so it's Arista now!)
or Cisco Umbrella...
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: How to block Adguard LOCAL VPN

Tue May 30, 2023 11:09 pm

AdGuard essentially reinvented and improved SSTP. But now it is an AdGuard proprietary protocol instead of a Microsoft proprietary protocol. I use SSTP for the exact same reason: for most firewalls it looks like a big HTTPS download. AdGuard went even further and makes multiple smaller connections. IMHO not distinguishable from ordinary web browsing.

Anyway, as others pointed out, you would need a different device, which would have to decrypt the traffic. That isn't really an option on MikroTik.
 
vitaly2016
Frequent Visitor, Topic Author
Posts: 65
Joined: Wed Jan 20, 2016 9:26 am
Location: Ukraine

Re: How to block Adguard LOCAL VPN

Thu Jun 01, 2023 9:40 am

> AdGuard essentially reinvented and improved SSTP. But now it is an AdGuard proprietary protocol instead of a Microsoft proprietary protocol. I use SSTP for the exact same reason: for most firewalls it looks like a big HTTPS download. AdGuard went even further and makes multiple smaller connections. IMHO not distinguishable from ordinary web browsing.
Thank you for the hint about SSTP.
So further searching for "detect sstp" led to another hint:
> SSTP can be detected using a regular MikroTik. It is enough to check for the presence of the SNI header in the ClientHello packet. If it is not there, we most likely have SSTP.
None of the clients on our network use SSTP, so I would like to block any SSTP traffic.
How to block SSTP in practice using the "SNI header" hint above?
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: How to block Adguard LOCAL VPN

Thu Jun 01, 2023 11:09 am

Bad employer, bad.
 
optio
Long time Member
Posts: 655
Joined: Mon Dec 26, 2022 2:57 pm

Re: How to block Adguard LOCAL VPN

Thu Jun 01, 2023 6:11 pm

> None of the clients on our network use SSTP, so I would like to block any SSTP traffic.
> How to block SSTP in practice using the "SNI header" hint above?
Even if you somehow block this, how do you plan to block, for example, Shadowsocks + v2ray on port 443 with TLS 1.3?
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: How to block Adguard LOCAL VPN

Thu Jun 01, 2023 6:15 pm

Let's say it can block all connections without SNI...
Now pretty much all Google & Co. are on TLS 1.3, so that would block everything...

P.S.: With a little bit of knowledge, and unblocked Google services, it is possible to bypass any firewall/filter without the slightest problem... (I'm not referring to DNS...)
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to block Adguard LOCAL VPN

Thu Jun 01, 2023 6:18 pm

Who owns adguard, the FSB? ;-)
 
own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: How to block Adguard LOCAL VPN

Thu Jun 01, 2023 6:53 pm

> Even if you somehow block this, how do you plan to block, for example, Shadowsocks + v2ray on port 443 with TLS 1.3?
You can ask the IR government, they successfully blocked it.
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: How to block Adguard LOCAL VPN

Thu Jun 01, 2023 6:56 pm

They didn't block it for cheap.
 
own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: How to block Adguard LOCAL VPN

Thu Jun 01, 2023 7:05 pm

No, what they did was put a significantly higher price on services, so they can use our own F money for doing the F filtering.
They are cheap as F.
 
optio
Long time Member
Posts: 655
Joined: Mon Dec 26, 2022 2:57 pm

Re: How to block Adguard LOCAL VPN

Thu Jun 01, 2023 7:23 pm

> You can ask the IR government, they successfully blocked it.
By these comments here https://github.com/net4people/bbs/issues/171 they are just throttling upload. I guess they are identifying large TLS traffic to a single endpoint outside the country (with maybe the exclusion of some common safe domains) as suspect and then throttle upload to that endpoint, which then limits the VPN/proxy connection speed to the point of uselessness.
 
own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: How to block Adguard LOCAL VPN

Thu Jun 01, 2023 8:00 pm

> I guess they are identifying large TLS traffic to a single endpoint outside the country (with maybe the exclusion of some common safe domains) as suspect and then throttle upload to that endpoint, which then limits the VPN/proxy connection speed to the point of uselessness.
IR has different types of censorship on different ISPs.
 
optio
Long time Member
Posts: 655
Joined: Mon Dec 26, 2022 2:57 pm

Re: How to block Adguard LOCAL VPN

Thu Jun 01, 2023 8:09 pm

Yes, it depends on what is used. I initially mentioned a proxy with protocol obfuscation, which is an encrypted SOCKS5 proxy protocol encapsulated into HTTP requests (POST) over TLS 1.3, which can't be detected as a proxy connection exactly, but it can be suspicious due to the amount of upload traffic to a single service.
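
The heuristic described in the two posts above (a single long upload to one outside endpoint is suspect, so throttle it rather than try to recognise the proxy protocol) as an added RouterOS example. This is not from the thread and not a description of what any ISP does: it assumes a LAN bridge named "bridge" and an interface list "WAN", and the 50 MB threshold, the queue rate and the exempt list are placeholders to tune for your own traffic.

```routeros
# Added example, not from the thread. Assumptions: LAN bridge "bridge",
# interface list "WAN"; threshold, rate and exempt list are placeholders.

/ip firewall address-list
# Services that legitimately upload a lot (backups, video calls) go here
add list=bulk-upload-ok address=example.com comment="placeholder: backup service"

/ip firewall mangle
# Once a single connection has carried 50 MB (connection-bytes=50000000-0,
# the trailing 0 means no upper bound), mark the connection unless its
# destination is on the exempt list. connection-mark=no-mark keeps the rule
# from re-marking connections it has already seen.
add chain=forward in-interface=bridge out-interface-list=WAN \
    connection-bytes=50000000-0 dst-address-list=!bulk-upload-ok \
    connection-mark=no-mark action=mark-connection \
    new-connection-mark=bulk-upload passthrough=yes
# Mark only the LAN->WAN packets of those connections, so the queue below
# throttles the upload direction and leaves the download side alone.
add chain=forward in-interface=bridge out-interface-list=WAN \
    connection-mark=bulk-upload action=mark-packet \
    new-packet-mark=bulk-upload-out passthrough=no

/queue simple
# Starve the marked packets; the rate is symmetric so direction semantics
# of the simple queue do not matter.
add name=throttle-bulk-upload packet-marks=bulk-upload-out target=bridge \
    max-limit=128k/128k
```

See which flows tripped the threshold with /ip firewall connection print where connection-mark=bulk-upload. Expect legitimate bulk uploads (cloud backups, screen sharing) to be caught as well; that is what the exempt list is for. And as vecernik87 notes earlier in the thread, a client that spreads its traffic over many smaller connections never reaches the per-connection threshold, so this heuristic slows down long-lived tunnels but does not catch that pattern.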
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: How to block Adguard LOCAL VPN

Tue Jun 06, 2023 4:40 am

> SSTP can be detected using a regular MikroTik. It is enough to check for the presence of the SNI header in the ClientHello packet. If it is not there, we most likely have SSTP.
> How to block SSTP in practice using the "SNI header" hint above?
That is unfortunately not true. See the packet from my SSTP VPN handshake, which clearly shows the SNI extension:
[attachment: Wireshark_JtXiGFUj7U.png]
The same will apply to any other TLS-encrypted traffic, no matter what it is. TLS is a standardized protocol for encryption, fully independent of the data inside. Be it a video stream, website, large file download, VPN... it will all look the same.
 
vitaly2016
Frequent Visitor, Topic Author
Posts: 65
Joined: Wed Jan 20, 2016 9:26 am
Location: Ukraine

Re: How to block Adguard LOCAL VPN

Wed Jun 07, 2023 10:51 am

> How to block SSTP in practice using the "SNI header" hint above?
> That is unfortunately not true. See the packet from my SSTP VPN handshake, which clearly shows the SNI extension:
> The same will apply to any other TLS-encrypted traffic, no matter what it is. TLS is a standardized protocol for encryption, fully independent of the data inside. Be it a video stream, website, large file download, VPN... it will all look the same.
@anav was right concerning who owns AdGuard...
I did some research and came to a clear conclusion: AdGuard belongs to the Russian intelligence services. The FSB does not invest money in this system in vain; they need such a system.
If anyone doubts it, just look at what a powerful server infrastructure they have built. To do this, it is enough to look at the information on otx.alienvault.com by domains:
[attachment: adguard-servers.jpg]
Most of the servers are at Cloudflare, but the key servers are in the terrorist state Russia.
So I decided not to waste my time on AdGuard and just blocked the "cunning" user until he removed the Russian crap from his phone.
 
pe1chl
Forum Guru
Posts: 10184
Joined: Mon Jun 08, 2015 12:09 pm

Re: How to block Adguard LOCAL VPN

Wed Jun 07, 2023 11:29 am

Now you have identified one VPN that you do not like, and you may be able to block it in some way, but you will have to live with the fact that there are many different VPN providers, from "good" and "bad" guys, and that you will never be able to block them all.
So your original design assumption that you can block sites (for security or whatever) using a Pi-hole DNS server is unfortunately no longer valid.