Page 1 of 2 12 LastLast
Results 1 to 10 of 19
  1. #1
    Newbie
    Join Date
    Feb 2010
    Posts
    9

    Default Can't block ProtonVPN

    Hi there I'm trying to prevent users from circumventing the UT web filter by using VPNs. I started testing this using ProtonVPN and it seems no matter what I try it somehow finds a way around any attempts to block it.

    So far I've tried the suggestions mentioned in the thread "Unable to block OpenVPN IOS app" in this forum with no luck whatsoever. It seems that no matter what I try after some hesitation, ProtonVPN somehow seems to find a way through. Does anyone have any ideas on how to effectively block VPN access, specifically ProtonVPN from behind UT?

  2. #2
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    8,048

    Default

    Are you using tarpit, not block?
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Newbie
    Join Date
    Feb 2010
    Posts
    9

    Default

    Yep, using tarpit. Here's the rule I've got in Application Control:

    Screen Shot 2019-07-18 at 6.54.45 AM.png

    And here's the successfully connected VPN session:

    Screen Shot 2019-07-18 at 7.22.59 AM.png
    Last edited by flipcide; 07-18-2019 at 04:24 AM.

  4. #4
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    23,617

    Default

    Tarpit doesn't block, it just slows it down to a slug's crawl. The uselessly slow VPN will encourage the user to not use it.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  5. #5
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    8,048

    Default

    Quote Originally Posted by sky-knight View Post
    Tarpit doesn't block, it just slows it down to a slug's crawl. The uselessly slow VPN will encourage the user to not use it.
    That is not correct. Tarpit drops the packet without reset so the app, specially those using UDP do not know the connection was broken.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  6. #6
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    8,048

    Default

    Quote Originally Posted by flipcide View Post
    Yep, using tarpit. Here's the rule I've got in Application Control:
    And here's the successfully connected VPN session:
    One note is the rule does not stop existing sessions, only new sessions. I would try a rule with the ProtoChain instead.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  7. #7
    Newbie
    Join Date
    Feb 2010
    Posts
    9

    Default

    I'm terminating and restarting the vpn session every time I make changes...

    I've also added the following rule:

    Screen Shot 2019-07-18 at 11.47.56 AM.png

    And I'm still able to reconnect:

    Screen Shot 2019-07-18 at 11.47.09 AM.png

  8. #8
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    23,617

    Default

    OpenVPN being UDP based, I wonder if your test session is being terminated long enough for Untangle to consider it "new".

    Because UDP will only get inspected at the beginning, then gets bypassed after that.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  9. #9
    Newbie
    Join Date
    Feb 2010
    Posts
    9

    Default

    It's been a couple of hours since I terminated my VPN session. Just tried it again. At first it struggled for a bit and eventually timed out. Tried again and it was able to establish a connection.

  10. #10
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    8,048

    Default

    Do you have blocked checked for the category? If so uncheck it or use tarpit.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

Page 1 of 2 12 LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

SEO by vBSEO 3.6.0 PL2