Looking to Block Outbound VPN Connections

So, I have a specific user that is bypassing my FWG+ rules through VPN. Of course, I have the typical “Block VPN Sites” turned on within the firewalla hardware. However, I think that list is very hard to maintain by those who do. So, I have had to manually block certain IP addresses as they become connected, which is a never ending game of Whack-A-Mole.

Now, because this user is using a specific VPN service company, he is connecting to one of 6,000 IP addresses registered to a specific ASN. Now, I can go in, extract those IP addresses, create custom lists (which are limited to 200 entries each), and then create block rules on that user. However, there is only a certain number of custom lists allowed (20).

So, two questions:

  1. Does anyone have a recommendation on how to win this game of Whack-A-Mole using the FWG+?
  2. Is there a way to block via ASN instead of by IP or domain name?
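An added example (my code, not the original poster's and not a Firewalla feature) of the custom-list arithmetic described above: it collapses individual addresses into CIDR prefixes before splitting them into lists, so the per-list cap of 200 entries and the cap of 20 lists are checked against the aggregated count rather than the raw host count. The addresses and the ASN are constructed samples drawn from documentation ranges, not any real provider's allocation; the list limits are the ones stated in the post.

```python
import ipaddress
from typing import Iterable, List

# Limits as stated in the post (assumed to apply to every custom list).
LIST_ENTRY_LIMIT = 200
MAX_CUSTOM_LISTS = 20

# Constructed sample: host addresses as an IP-to-ASN lookup might return them for a
# hypothetical VPN ASN. Documentation ranges only; not a real provider's space.
SAMPLE_ASN_ADDRESSES = (
    [f"203.0.113.{i}" for i in range(256)]        # a complete /24
    + [f"198.51.100.{i}" for i in range(128)]     # the lower half of a /24
    + ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"]  # two adjacent pairs
)


def aggregate_to_prefixes(addresses: Iterable[str]) -> List[str]:
    """Collapse individual addresses (or prefixes) into the fewest covering CIDR prefixes."""
    nets = [ipaddress.ip_network(a, strict=False) for a in addresses]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def split_into_custom_lists(entries: List[str],
                            entry_limit: int = LIST_ENTRY_LIMIT,
                            max_lists: int = MAX_CUSTOM_LISTS) -> List[List[str]]:
    """Chunk entries into lists of at most entry_limit; refuse if the list cap is exceeded."""
    lists = [entries[i:i + entry_limit] for i in range(0, len(entries), entry_limit)]
    if len(lists) > max_lists:
        raise ValueError(
            f"{len(entries)} entries need {len(lists)} lists; only {max_lists} allowed. "
            "Aggregate to prefixes first or narrow the set.")
    return lists


def is_covered(address: str, entries: Iterable[str]) -> bool:
    """Check that an observed destination falls inside the aggregated entries."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(e, strict=False) for e in entries)


if __name__ == "__main__":
    prefixes = aggregate_to_prefixes(SAMPLE_ASN_ADDRESSES)
    print(f"{len(SAMPLE_ASN_ADDRESSES)} hosts -> {len(prefixes)} prefixes: {prefixes}")
    print("lists needed for raw hosts:", len(split_into_custom_lists(SAMPLE_ASN_ADDRESSES)))
    print("lists needed after aggregation:", len(split_into_custom_lists(prefixes)))
    print("203.0.113.77 covered:", is_covered("203.0.113.77", prefixes))
```

`collapse_addresses` only merges exactly adjacent, aligned blocks, so aggregation never widens the block list: an address is covered after aggregation if and only if it was in the input. With 6,000 raw host entries the split would need 30 lists and the function refuses; the prefixes an ASN actually announces are usually far fewer than its host count, which is what makes the 20-list budget workable.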

This is one gap that the Firewall Team should be able to help with. I would want to block the geo org: for example, IPVanish, NordVPN, M247, all low-cost VPN providers. I know Palo, Fortinets and some SonicWalls show this information, and you can utilize that to block those VPN connections, or low-cost VPN providers.

Hopefully you find a technical solution, but failing that, what about an administrative one? You know they are bypassing the security measures. Advise them that you know that, and that if they continue to do so, there will be actions taken. They’re putting your network at risk, and you ought to be within your rights to address that accordingly.

Why “this specific user” still has use of the network is the real question.

My network my rules

Bye, Felicia.

Try blocking the port? Blocking 51820 should work if you block it on your internal-to-external network… Since it already sounds like you know the VPN provider, you could also just spot-check a few configs to see if they use non-standard ports.

I think when they started this adventure they were targeting home users, so I feel like the business tools we would expect are coming, as they’ve started the MSP portal for business. They will have to get up to par on some aspects with more granular firewall rules and such to meet more demanding business admins.

I have high hopes and good faith in these guys! I can post a list of all low-cost VPN providers later this evening; maybe if we can provide them with that, they could at least add it as a target list or something.

Exactly! That info is readily available. If you can block by region, you can block by ASN.

I did consider that, and while that is great for blocking WireGuard, it still leaves OpenVPN protocols available since they connect on port 443, which is also used for HTTPS connections. I don’t want to block port 443 because that would make things unusable. I have gone ahead, now, and blocked all the other common VPN UDP ports thanks to this advice.

You can also go to Devices -> [kid device] -> Network Flows and sort the traffic; look at the top upload. If it is all to a strange destination, just block that.
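An added example of the flow-review approach (my code, not the Firewalla feature and not the poster's): it ranks a device's destinations by bytes uploaded, the way sorting the Network Flows view does, and then flags destinations that fall into a hypothetical list of VPN-provider prefixes or that use a common VPN UDP port. The flow records and the prefix list are constructed samples; the thread names 51820 for WireGuard, and the other ports are the well-known defaults for OpenVPN, IKE, IPsec NAT-T and L2TP, assumed here.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample flows: (device, dst_ip, proto, dst_port, bytes_uploaded).
SAMPLE_FLOWS = [
    ("kid-device", "203.0.113.45", "udp", 51820, 52_000_000),  # looks like WireGuard
    ("kid-device", "203.0.113.45", "udp", 51820, 8_000_000),
    ("kid-device", "198.51.100.9", "tcp", 443, 30_000_000),    # OpenVPN over 443; the port alone cannot tell
    ("kid-device", "192.0.2.80", "tcp", 443, 1_200_000),       # ordinary HTTPS
    ("kid-device", "192.0.2.25", "tcp", 443, 400_000),
    ("other-pc", "192.0.2.80", "tcp", 443, 3_000_000),
]

# Hypothetical prefixes for one VPN provider's ASN (documentation ranges, constructed).
VPN_ASN_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/25")]

# Default UDP ports: WireGuard (from the thread), OpenVPN, IKE, IPsec NAT-T, L2TP.
COMMON_VPN_UDP_PORTS = {51820, 1194, 500, 4500, 1701}


def top_upload_destinations(flows, device: str, n: int = 3) -> List[Tuple[str, int]]:
    """Sum bytes uploaded per destination for one device and rank them, highest first."""
    totals: Dict[str, int] = defaultdict(int)
    for dev, dst, _proto, _port, up in flows:
        if dev == device:
            totals[dst] += up
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def flow_indicators(dst: str, proto: str, port: int) -> Set[str]:
    """Reasons a single flow looks like VPN traffic; an empty set means none."""
    reasons: Set[str] = set()
    ip = ipaddress.ip_address(dst)
    if any(ip in net for net in VPN_ASN_PREFIXES):
        reasons.add("vpn_asn_prefix")
    if proto == "udp" and port in COMMON_VPN_UDP_PORTS:
        reasons.add("vpn_udp_port")
    return reasons


def suspicious_destinations(flows, device: str) -> Dict[str, Set[str]]:
    """Destinations of one device that carry at least one indicator, with the reasons."""
    flagged: Dict[str, Set[str]] = defaultdict(set)
    for dev, dst, proto, port, _up in flows:
        if dev == device:
            flagged[dst] |= flow_indicators(dst, proto, port)
    return {dst: reasons for dst, reasons in flagged.items() if reasons}


if __name__ == "__main__":
    for dst, up in top_upload_destinations(SAMPLE_FLOWS, "kid-device"):
        print(f"{dst:16} {up:>12,d} bytes up")
    for dst, reasons in suspicious_destinations(SAMPLE_FLOWS, "kid-device").items():
        print(f"{dst:16} flagged: {', '.join(sorted(reasons))}")
```

The 198.51.100.9 flow on TCP 443 is the case the thread runs into: a port rule cannot single it out without also breaking HTTPS, but matching the destination against the provider's prefixes does, which is why the prefix check rather than the port check carries that row.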

I don’t use OVPN, so I’m not remembering if the same and alternate TCP/UDP ports are used with HTTPS also.

But even with outbound 443 blocked, even though your requests aren’t leaving as HTTPS, most browsers (or via plugin) can force HTTPS, so you may still get HTTPS pages. Then, because the session is connected, it should allow HTTPS for you. At least that’s what I’m thinking and expecting would be the case.

Because the OVPN connection isn’t successfully established, it should continue blocking… which is why I’m thinking it might work.

Most VPNs have servers spread throughout the world. Blocking by region is unrealistic.

Edit: I’d then be playing Whack-A-Mole by region instead of by IP address. Then, what happens if the VPN provider has a server in a desirable region?

Hence the question, can I block by ASN?

Unfortunately, blocking 443 on all outbound traffic from the device made it unusable. Back to the drawing board.