Page 1 of 2 (results 1 to 10 of 11)
  1. #1 Untangler (Join Date: Mar 2012, Posts: 58)

    VPN and proxy issues

    Hi everyone,

    I have spent the past 6-9 months trying to stay on top of this, but I feel I am losing the battle.

    Our students bring their own laptops to school (no MDM--various platforms, from Windows and Mac to Chrome OS). Many of them (probably 40-50) are using VPNs--this has been validated by teachers using the eyeball test on many, many occasions. Most of the VPNs are browser-based (such as UltraSurf or ZenMate on Chrome), but there are a wide variety of types in use. Almost all I ever get from Untangle logs is /TCP/SSL/, /TCP/SSL/HTTP, or /TCP/SSL/HTTP2.

    I desperately need to have a way to know if students are using a VPN, but the signatures are simply not getting it done. For the first time in 5+ years, I have been researching other firewall solutions, but my findings have not been very encouraging.

    Can anyone point me in the right direction here? In our situation, a firewall is mostly for the purposes of filtering, and that is not happening right now.

  2. #2 jcoffin, Untangler (Join Date: Aug 2008, Location: Sunnyvale, CA, Posts: 8,048)

    It's an arms race between browser VPNs and firewall filtering. Application Control on Untangle updates its signatures for most browser VPNs constantly, but the VPNs also test against those signatures, so the VPNs will come out with an update. So the best method is a combination of firewall and human policy: reviewing the reports will show who is using a VPN by the amount of non-HTTP and HTTPS traffic, and having a consequence for using a VPN.

    Another option is to require root certificate installation to get on the network so the firewall can more accurately detect the traffic.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3 Untangler (Join Date: Mar 2012, Posts: 58)

    John, when you say "the amount of non-http and https traffic" are you suggesting that 100% SSL usage is probably a VPN, whereas a mix (say 90/10 or 80/20) would indicate a typical connection? How exactly are you suggesting that the reports can help to tell who is using VPN?

    PS - All of our students already have the root certificate installed.

  4. #4 jcoffin, Untangler (Join Date: Aug 2008, Location: Sunnyvale, CA, Posts: 8,048)

    What I was referring to is that VPNs commonly use ports 80 and 443 to avoid blocked ports, but the sessions across them are not /TCP/HTTP(S) sessions, so they tend to stick out to the human eye.

  5. #5 Untangler (Join Date: Mar 2012, Posts: 58)

    As I said before, almost all I ever get from Untangle logs is /TCP/SSL/, /TCP/SSL/HTTP, or /TCP/SSL/HTTP2, so it's difficult to make any solid conclusions based on that.

  6. #6 Untangler (Join Date: Mar 2012, Posts: 58)

    If I post some screenshots of when a student was using a VPN, would that help?

  7. #7 lszalontai, Master Untangler (Join Date: Sep 2010, Location: Hungary, Posts: 123)

    Can you list a few VPNs they're using?

    I'm using UT without SSL inspector and it still successfully detects a lot of VPNs. You mentioned ZenMate as an example - UT can definitely detect that.

  8. #8 deleted_account+152373@untangle.com, Master Untangler (Join Date: Sep 2016, Location: Malta, Posts: 455)

    Quote originally posted by lszalontai:
        Can you list a few VPNs they're using?

        I'm using UT without SSL inspector and it still successfully detects a lot of VPNs. You mentioned ZenMate as an example - UT can definitely detect that.

    The UltraSurf Chrome extension and Opera VPN definitely get through.
    I like to listen. I have learned a great deal from listening carefully. Most people never listen

  9. #9 Master Untangler (Join Date: Aug 2016, Posts: 193)

    I had a teenage son that was quite adept at finding a VPN that would get through Untangle.

    I also had to put some firewall rules as the VPN of the day would thankfully always use the same port or use server names that were predictable and made it easier to block if the VPN app tried to flip to another server (like applefruit.com, pearfruit.com ... and hence I would block *fruit.com ... I can't remember the exact names ... but you get the idea).

    Unfortunately, the signatures do not always work. I have also found that from a Web Filter perspective, "applefruit.com" would be listed as a "News" site and thus not blocked. I would indeed go to the web site and there would be this very crude website with some news on it, but the news was like 5 years old. I reported it and suggested a change, but I think because of the "news" on the website, it never changed. I forget which VPN that was. It took me a bit to figure that out as I saw the site on my logs, but my son was also doing a "news" homework assignment and hence I initially thought it was legit.
    Untangle 14.2.1 (Build: 14.2.1.20190814) (Kernel: 4.9.0-9-untangle-amd64)
    QOTOM-Q355G4
    1.6-2.7 GHz Intel I5 5250U, 128GB SSD mSATA, 8GB RAM DDR3L, 4xRJ-45 Intel I211AT 10/100/1000 Controller

  10. #10 lszalontai, Master Untangler (Join Date: Sep 2010, Location: Hungary, Posts: 123)

    I did some random VPN testing last week with my coworker. We tested the UltraSurf Chrome add-in and Opera VPN as well, among others. UT does see both of them.

    Here is our recipe in case anyone is interested:
    • we're only allowing DNS requests to go through our internal DNS server
    • internal DNS server is using OpenDNS
    • clients detected using unwanted applications (vpn, torrent, etc) are put into 'penalty box'
      • they receive a custom Captive Portal message saying "you've been a bad boy, your device is in penalty box for the next 5 hours" (not a word-by-word transcript :-) )
      • Bandwidth Control sets their sessions to 'Limited severely'
      • they get a very small quota
      • a trigger rule gives them a tag when the quota is exceeded
      • a filter rule blocks all traffic for clients with the 'overquota' tag

    • Web Filter blocks peer-to-peer, anonymizer, hacking sites (of course there are other blocked categories)
    • Application Control blocks all tcp 443 traffic that is not https (there are exceptions for Messenger, Facebook, Whatsapp on port 443)
    • application control tarpits all applications categorized as 'Proxy' (not tarpitting VPN or torrent categories though, only flagging them)
    • using a few custom Bandwidth Control rules to detect specific VPNs (I can share them if you want)

    Also as I wrote earlier we're not using SSL Inspector.
    To be honest I'm not 100% sure why or how our setup works, but it does. Obviously it's not perfect and I'm pretty sure there are students who can go around (virtual cloud desktops for example), but for most people (especially for new vpn users) it works well. By using the penalty box method, we can also 'teach them to behave'.
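The heuristic jcoffin describes in #4 (VPN sessions ride ports 80/443 but never get classified as HTTP or HTTPS) and the "block tcp 443 traffic that is not https" rule in lszalontai's recipe both boil down to the same per-client question: how much of a device's web-port traffic stays opaque? The script below is an added example for this thread, not Untangle's code or its report format; the session records are constructed to resemble the protocol chains quoted above (/TCP/SSL/, /TCP/SSL/HTTP, /TCP/SSL/HTTP2), and the thresholds are assumptions to tune against your own reports.

```python
"""Rank clients by the share of their port-80/443 traffic that the firewall
could not classify as HTTP/HTTPS (added example; not Untangle's own code).
"""
from collections import defaultdict

# Constructed sample sessions: (client_ip, server_port, protochain, bytes).
# These are made-up records, not a real Untangle session export.
SAMPLE_SESSIONS = [
    ("10.0.5.21", 443, "/TCP/SSL/HTTP", 120_000),
    ("10.0.5.21", 443, "/TCP/SSL/HTTP2", 540_000),
    ("10.0.5.21", 80, "/TCP/HTTP", 15_000),
    ("10.0.5.21", 443, "/TCP/SSL/", 8_000),       # one opaque TLS session is normal
    ("10.0.5.42", 443, "/TCP/SSL/", 9_800_000),   # long-lived, opaque, all on 443
    ("10.0.5.42", 443, "/TCP/SSL/", 3_200_000),
    ("10.0.5.42", 443, "/TCP/", 2_100_000),       # not even TLS on a TLS port
    ("10.0.5.42", 53, "/UDP/DNS", 2_000),
    ("10.0.5.77", 80, "/TCP/HTTP", 30_000),
    ("10.0.5.77", 443, "/TCP/SSL/HTTP2", 200_000),
]

WEB_PORTS = {80, 443}
# Chains whose last element is an identified web application layer.
WEB_APP_CHAINS = ("/TCP/HTTP", "/TCP/SSL/HTTP", "/TCP/SSL/HTTP2")


def is_unclassified_web(port, chain):
    """True for a session on a web port whose chain stops short of HTTP/HTTPS."""
    return port in WEB_PORTS and chain not in WEB_APP_CHAINS


def summarize(sessions):
    """Per client: web-port sessions and bytes, and the opaque portion of each."""
    stats = defaultdict(lambda: {"web_sessions": 0, "web_bytes": 0,
                                 "opaque_sessions": 0, "opaque_bytes": 0})
    for client, port, chain, nbytes in sessions:
        if port not in WEB_PORTS:
            continue  # only the 80/443 picture matters for this heuristic
        s = stats[client]
        s["web_sessions"] += 1
        s["web_bytes"] += nbytes
        if is_unclassified_web(port, chain):
            s["opaque_sessions"] += 1
            s["opaque_bytes"] += nbytes
    return dict(stats)


def flag_clients(sessions, byte_share=0.5, min_sessions=3):
    """Clients whose opaque bytes dominate their web-port traffic, worst first.

    byte_share and min_sessions are assumed starting points: a single opaque
    session (pinned mobile app, unknown TLS service) should not flag a device,
    so we require a minimum number of web sessions and a large byte share.
    """
    flagged = []
    for client, s in summarize(sessions).items():
        if s["web_sessions"] < min_sessions:
            continue
        share = s["opaque_bytes"] / s["web_bytes"] if s["web_bytes"] else 0.0
        if share >= byte_share:
            flagged.append((client, round(share, 3)))
    return sorted(flagged, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    for client, share in flag_clients(SAMPLE_SESSIONS):
        print(f"{client}: {share:.0%} of web-port bytes unclassified")
```

With the constructed data only 10.0.5.42 is flagged: every one of its port-443 sessions is bare /TCP/SSL/ or /TCP/, which is exactly the pattern the thread says "sticks out to the human eye". Treat the output as a review list for the penalty-box conversation rather than an automatic block rule; a device with one unclassified TLS session among many ordinary HTTPS ones (10.0.5.21 here) stays under the threshold on purpose.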
