Blocking OpenVPN traffic

We have a user on our work network who is accessing an openvpn proxy in order to bypass our network filters.

Has anyone got any tips in order to block this without blocking genuine traffic?

Comments

  • You could always drop your restrictive internet policy. They never do any good anyways.

    OpenVPN isn't pure SSL/TLS, you should be able to block it as it stands out from regular traffic. A start would be blocking port 1194, but most idiots would find a way around it.

  • @darknyan said:
    You could always drop your restrictive internet policy. They never do any good anyways.

    OpenVPN isn't pure SSL/TLS, you should be able to block it as it stands out from regular traffic. A start would be blocking port 1194, but most idiots would find a way around it.

    That's what I was thinking. Once connected looking at our Watchguard it doesn't show any traffic at all which is worrying.

    If they're using AS they can simply login and change the port from 1194 to whatever port they wish.

  • Don't block your internet...

    The only thing you will accomplish is people trying to bypass it... sometimes with shady software/services.

  • Silvenga (Member), edited April 2014

    We can very easily make OpenVPN traffic appear just like SSL HTTPS traffic. There is no real way to block OpenVPN without blocking all encrypted traffic.

  • @Silvenga said:
    We can very easily make OpenVPN traffic appear just like SSL HTTPS traffic. There is no real way to block OpenVPN without blocking all encrypted traffic.

    What method do you use to make it show?

  • What if that user is using openvpn on port 443 tcp ?

  • Silvenga (Member), edited April 2014

    @Gerrard8 said:
    What method do you use to make it show?

    Well, OpenVPN uses SSL/TLS for encryption. But the encryption does not normally look like HTTPS traffic, but rather OpenVPN SSL traffic - even on port 443 (which can be easily blocked). However, we (those knowledgeable about the Internet) can wrap the OpenVPN traffic in HTTPS and run it on port 443. Your firewall cannot break the HTTPS encryption - and therefore will not see the OpenVPN packets inside. The OpenVPN traffic will look just like HTTPS traffic.

    I would say (with some bias) that you should not block the default ports. By allowing the easiest methods you prevent workarounds. OpenVPN is very safe, secure, and manageable (won't collapse your network). By preventing normal methods, the users will use unorthodox methods, resulting in a less secure and predictable environment (e.g. OpenVPN can also look like DNS queries, SSH connections, HTTPS, etc.).

    Just note, China's Firewall cannot block OpenVPN efficiently.

  • cygni (Member)

    @cloromorpho said:
    Don't block your internet...

    The only thing you will accomplish is people trying to bypass it... sometimes with shady software/services.

    This could not be repeated enough. @Gerrard8 Seriously, don't block the internet!

  • Could you not simply block his proxy's address? Also, don't block the internet please, it causes more problems than it does good.

  • you could try deep packet inspection.

  • @TarZZ92 said:
    you could try deep packet inspection.

    My ISP just started blocking OpenVPN traffic using deep packet inspection. I use OpenVPN for all my servers so this was bad.

    I looked into OpenVPN sheathing and set up my server so that my OpenVPN traffic looked like HTTPS traffic - I am no longer detected by the ISP firewall.

  • jaakka (Member), edited April 2014

    Obfsproxy is a probable solution for you, e.g. `obfsproxy obfs2 --dest=127.0.0.1:1194 server destination_ip:7777`

    Ah yes, snort is actually capable of detecting it; also, you can use filters to classify traffic. However, I'd look over the network policy and educate my users.
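The deep packet inspection that TarZZ92, Stealthy and jaakka refer to keys on OpenVPN's own framing rather than on the port. As an added illustration (not code from the thread or from the OpenVPN project), the heuristic below inspects the first payload of a flow for OpenVPN's hard-reset control opcode, which is what signature-based detectors look for; it assumes the documented OpenVPN wire format (opcode byte = opcode << 3 | key_id, 16-bit length prefix on TCP) and uses constructed packets, not captures. A flow that is really TLS (OpenVPN wrapped in HTTPS, as Silvenga describes) is not flagged, which is the limitation the thread discusses.

```python
import struct

# OpenVPN control-channel opcodes that open a session (OpenVPN wire format).
P_CONTROL_HARD_RESET_CLIENT_V2 = 7
P_CONTROL_HARD_RESET_SERVER_V2 = 8
SESSION_ID_LEN = 8
# opcode byte + session id + ack-array length byte + 4-byte packet id
MIN_RESET_LEN = 1 + SESSION_ID_LEN + 1 + 4


def openvpn_reset_type(payload: bytes, transport: str):
    """Return 'client' or 'server' if the first packet of a flow looks like an
    OpenVPN hard-reset handshake packet, otherwise None. transport: 'udp'|'tcp'."""
    if transport == "tcp":
        # OpenVPN over TCP prefixes each packet with a 16-bit big-endian length.
        if len(payload) < 2:
            return None
        (plen,) = struct.unpack("!H", payload[:2])
        body = payload[2:]
        if plen != len(body):  # framing must describe exactly the bytes that follow
            return None
    elif transport == "udp":
        body = payload
    else:
        raise ValueError("transport must be 'udp' or 'tcp'")
    if len(body) < MIN_RESET_LEN:
        return None
    opcode, key_id = body[0] >> 3, body[0] & 0x07
    if key_id != 0:  # a fresh session always starts with key_id 0
        return None
    if opcode == P_CONTROL_HARD_RESET_CLIENT_V2:
        return "client"
    if opcode == P_CONTROL_HARD_RESET_SERVER_V2:
        return "server"
    return None


def flag_flows(flows):
    """flows: iterable of (name, transport, first_payload); returns names of flows
    whose first packet looks like an OpenVPN handshake."""
    return [name for name, tr, p in flows if openvpn_reset_type(p, tr) is not None]


# Constructed sample first packets (not real captures). 0x38 = opcode 7, key 0.
CLIENT_RESET_UDP = bytes([0x38]) + b"\x11" * 8 + b"\x00" + b"\x00\x00\x00\x00"
SERVER_RESET_TCP = struct.pack("!H", 26) + bytes([0x40]) + b"\x22" * 8 + b"\x01" \
    + b"\x00\x00\x00\x00" + b"\x11" * 8 + b"\x00\x00\x00\x00"  # 0x40 = opcode 8
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03" + b"\x00" * 32
CONSTRUCTED_FLOWS = [
    ("pc-12 -> vps:1194/udp", "udp", CLIENT_RESET_UDP),
    ("vps:443/tcp -> pc-12", "tcp", SERVER_RESET_TCP),   # OpenVPN on 443 still stands out
    ("pc-12 -> bank:443/tcp", "tcp", TLS_CLIENT_HELLO),  # real TLS: not flagged
]
```

Production tools (Snort, nDPI) add further checks such as session-id consistency across both directions; this shows the core opcode test only.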

  • Rockster (Member), edited April 2014

    @darknyan said: You could always drop your restrictive internet policy.
    @cloromorpho said: Don't block your internet...
    @cygni said: This could not be repeated enough. @Gerrard8 Seriously, don't block the internet!

    Why is everyone repeating that nonsense? If some institution requests that their system admin prevent employees from wasting their time on Facebook and WoW (as an example), it's his job to do this.
    Forum requests to not do his job are childish.

  • This is why I said educating the users and their employers to give out meaningful tasks, so the time gets used as efficiently as possible.

  • Rockster (Member), edited April 2014

    In private sector yes, but tell this to lazy state employees buried in office...

  • Run HTTP and HTTPS through your own proxy server, and block all other traffic. Also inspect all traffic and install your firewall SSL cert on all work computers to allow for https inspection, Smoothwall does a great job at this.

    We used this method at a school I used to work at, as it's a legal requirement to block all dodgy stuff, although we had very lax filters with only 18+ stuff blocked. Kids <17 only had HTTP filtering, no proxy server.

    You might want to re-think your blocking policy, it sounds harsh.

  • I would say it is stupid to waste time trying to filter anything at router level.

    If you have control of the client's machine, you can always install your own CA certificate to proxy their TCP 443 traffic, and thus see the content.

    But if clients are allowed to use their own machines to connect to the network, they can always use obfuscation to prevent you from detecting their dodgy TCP 443 traffic, and you can't block them efficiently without harming core functions of the network (e.g. blocking all TCP 443 traffic = disastrous).
