Page 1 of 3
Results 1 to 10 of 21
  1. #1
    Untangler
    Join Date
    Apr 2019
    Posts
    32

    Question Helping Blocking BetterNet VPN - Please

    Hey fellow Untanglers

    I am trying to block Betternet, failing on that one, since I know it uses Amazon AWS first, then issues a login after that using port 443. I cannot block https for obv reasons. I have succeeded in blocking StarVPN, ExpressVPN and VPN +, but no joy with Betternet.

    Anyone got any sharp ideas? This is a big challenge.

    For phones it is OK, since I can use the Application layer.

    For laptops and BYOD on the LAN going out, with clients that already have BN installed, I can't seem to block it.

    Let's see if anyone out there can solve this one. A SS of my Filter rules is attached.

    Thanks all

  2. #2
    Newbie deleted_account+263757@untangle.com's Avatar
    Join Date
    Jul 2019
    Location
    Malta
    Posts
    10


    BetterNet, Ultrasurf, Opera VPN all get through.

  3. #3
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,162


    You can't block it, but with application control, and bandwidth control you can flag the unit using it and stuff it into the penalty box. Between that and app control's tarpit, the computer will be all but useless online until its user grows a brain.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  4. #4
    Newbie deleted_account+263757@untangle.com's Avatar
    Join Date
    Jul 2019
    Location
    Malta
    Posts
    10


    Quote Originally Posted by sky-knight View Post
    Between that and app control's tarpit, the computer will be all but useless online until its user grows a brain.

  5. #5
    Untangler
    Join Date
    Apr 2019
    Posts
    32


    Oh no - that's not good.

  6. #6
    Untangler
    Join Date
    Apr 2019
    Posts
    32


    OK, I get that the application control can block it on phones, but how can anything be achieved through bandwidth control? I don't see or can't find a way to ID that traffic; if I could ID that, yeah, then could you BC for that and bring it to a halt. Could you help me with that, give me some pointers please Ninja!

  7. #7
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,162


    This is easier than you'd think, but kind of annoying too.

    First, open up Application Control, look in the applications tab, and find the line for BETTRNET. Set that to tarpit, and flag. Do NOT set it to block! This is important, because these sorts of things will evade detection. If you attempt to block it, the app will just adjust its traffic such that you can't see it inside the rest of the HTTPS flying around.

    Beyond that, make a note of the application name, BETTRNET.

    Then open up Bandwidth Control, make a new rule on the rule tab.

    The condition you're looking for is Application Control: Application is BETTRNET

    That list SCROLLS, so watch out! After you find that, the rest is:

    Action type = tag host
    Tag Name = penalty-box
    Tag Time (seconds) = however long you want that entire machine to be a slug.

    You should have a default Apply Penalty Box Penalties rule already there. So you're now set.

    Also, beware I think the values in here are case sensitive, but I'm not certain. I've always just matched them exactly to be safe.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  8. #8
    Untangle Ninja jcoehoorn's Avatar
    Join Date
    Mar 2010
    Location
    York, NE
    Posts
    1,866


    ^^^What he said.

    I'll add that in my experience this actually works much better with very short penalty times... even just 5 minutes or so. It seems counter-intuitive, but shorter times help the user learn faster what is causing their device to be slow. The connection should return to normal fairly quickly after they stop the bad behavior, so the user can make the association and learn from it.

    With longer times they just think your internet connection is just always like that, and nothing ever changes.

    While they keep doing the bad behavior, Untangle will keep seeing new detections and extending the penalty, so it's not like you're giving them a pass after a few minutes if you set the penalty time real low.
    Last edited by jcoehoorn; 10-24-2019 at 06:28 PM.
    timfisher2000 likes this.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 16.2 to protect 500Mbits for ~450 residential college students and associated staff and faculty

  9. #9
    Untangler
    Join Date
    Apr 2019
    Posts
    32


    Thanks, I am trying this, but I still see that BN is getting connected. I have tarpitted it, and set Bandwidth rules as suggested. I set the time to 36000 seconds (10 hours). Using a test client, with BetterNet VPN on a laptop running Mac OS, with the correct policy (Students), I can connect the VPN software, and traffic flows at the same rate as a device not connected to a VPN, so I am not sure what is happening here. Is there an easy way to monitor/see that specific application traffic? If I check the sessions view for the IP given to that laptop, I don't see any traffic, since it now goes via the connected BetterNet VPN software, and bypasses Untangle.

  10. #10
    Untangle Ninja jcoehoorn's Avatar
    Join Date
    Mar 2010
    Location
    York, NE
    Posts
    1,866


    If traffic flows at the same rate, you're not getting the rule set properly.

    Even with the rule set properly, it will still connect. You won't be able to stop that. These products have a way to keep mutating the protocol until they find a way to evade detection. You have to allow them to connect, but then starve them for bandwidth so little or nothing useful can be done. The goal here is to frustrate the guilty, rather than stop them outright, enough so they give up the behavior.

    That's why I recommended a shorter penalty time. 10 hours is way too long, IMO. You can't get users to modify behavior until they learn to associate the corrective behavior (turning off the vpn) with the good result (internet gets fast again), and that can only happen if reward comes much more quickly than 10 hours.

    For monitoring the traffic, use the "Sessions" link at the top of the Untangle page.
    Last edited by jcoehoorn; 10-24-2019 at 07:46 PM.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 16.2 to protect 500Mbits for ~450 residential college students and associated staff and faculty
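
The penalty timing discussed in posts #8 and #10, modelled as an added example (not Untangle code and not written by any poster in this thread). It assumes each detection re-tags the host for `tag_time` seconds; the detection timeline and the function names are constructed for illustration.

```python
"""Model of a host tag with a time-to-live that is renewed on each detection.

Assumption (not Untangle source): a detection at time t keeps the host in the
penalty box until t + tag_time, and a later detection extends that expiry.
"""

def penalized_intervals(detections, tag_time):
    """Merge per-detection tag windows into (start, end) penalized intervals."""
    intervals = []
    for t in sorted(detections):
        end = t + tag_time
        if intervals and t <= intervals[-1][1]:
            # Host is still tagged: the new detection extends the penalty.
            intervals[-1][1] = max(intervals[-1][1], end)
        else:
            # Tag had expired: the host ran unthrottled until this detection.
            intervals.append([t, end])
    return [tuple(i) for i in intervals]

def summarize(detections, vpn_stopped_at, tag_time):
    """Return how long the host was throttled and how fast it recovers."""
    intervals = penalized_intervals(detections, tag_time)
    return {
        "penalized_seconds": sum(end - start for start, end in intervals),
        # Seconds the user waits after turning the VPN off before speed returns.
        "recovery_delay": intervals[-1][1] - vpn_stopped_at,
        # Windows in which the VPN was in use but the tag had lapsed.
        "unthrottled_gaps": len(intervals) - 1,
    }

# Constructed timeline: VPN in use for 30 minutes, detected every 120 s.
STEADY = list(range(0, 1801, 120))
# Constructed timeline: detections arrive only every 10 minutes.
SPARSE = [0, 600, 1200, 1800]

if __name__ == "__main__":
    for label, timeline in (("steady", STEADY), ("sparse", SPARSE)):
        for tag_time in (300, 36000):
            print(label, tag_time, summarize(timeline, 1800, tag_time))
```

With steady detections the 300-second tag throttles the host for the whole session and releases it five minutes after the VPN is turned off, while the 36000-second tag holds it for ten more hours. The sparse timeline shows the limit of a short tag: if detections arrive less often than `tag_time`, the host gets unthrottled gaps while the VPN is still running.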
