Blocking VPN's so students can't go to blocked websites

Acclaim Academy Tech Squad · Mar 28, 2014

Is there anyway to block VPN's on the students issued tablet from the server? The tablet's are Windows RT also known as Windows Surface's. We have been having a trouble with students using VPN's to get around the firewall and to block the websites we use Untangle but it won't block the VPN Access. If needed I can provide the specifications of the server once I get them from my mentor. (I am a student but I am on the tech squad because I know a decent bit of stuff) I was asked to figure out how to block the VPN's so they will not get access to Facebook. Thank you.

snakebitex · Mar 28, 2014

So lets see.
For PPTP VPN connections, you need to open TCP port 1723 (for PPTP tunnel maintenance traffic). PPTP also uses IP port 47 for tunneling data. Port 47 is designed for "General Routing Encapsulation" or GRE packets.

For L2TP VPN connections, you need to open UDP port 500 for Internet Key Exchange (IKE) traffic and UDP port 1701 for L2TP traffic.

So I guess you block the above ports and you are ok .

Acclaim Academy Tech Squad · Mar 28, 2014

snakebitex :

Thank you we will try that

COLGeek · Mar 28, 2014

Do the students have admin rights on the RTs? If so, why?

Also, from the router/firewall, you could simply blacklist those sites. Have you noticed a pattern of frequently used sites?

USAFRet · Mar 28, 2014

For untangle:

Firewall
Add rule
Type = Source interface
Value = OpenVPN
Action Type = Block

I 'think' this is it.

rusabus · Mar 28, 2014

Some VPNs send traffic over TCP port 80 or 443, which are the ports used for normal web browsing. I assume you use a proxy server at school. That can help, but some VPNs can even send their traffic through a proxy server. Blocking all VPN access is a real challenge, and no matter how good you are at it, it will be you against a few hundred kids who will all be trying to find work-arounds.

I think your best chance to do this with technology will be by configuring your proxy server to block VPN traffic and your firewall to block all but a few outbound ports. But you're going to have better success using an acceptable use policy to block those sites. If you have an AUP that states "Access to social networks is forbidden" and make the penalty be the loss of the device, and you enforce it, you'll have a better chance of success.

Acclaim Academy Tech Squad · Mar 28, 2014

COLGeek :

No they do not. But putting a VPN is not requiring Admin rights.

Acclaim Academy Tech Squad · Mar 28, 2014

USAFRet :

We will try this. Thank you.

bill001g · Mar 28, 2014

It is almost impossible to block all this stuff.

You cannot block true sslvpn. The only reason you can block openvpn is that is does not really use true SSL it cheats on the session setup a little and signatures have been developed to detect this non standard ssl. Openssl though does follow the standards so your hacking users just have to use that to bypass you

The VPN appliances we use for a corporate remote access from both juniper and cisco use activex based clients that load dynamically and will easily pass through any device we have found. They look exactly like https session and the only clue is that the session tend to be open longer and pass more data than a normal. So far I have not found a free vpn that will load a activex or java client dynamically but I suspect they exist.

In your particular case you do not even need a vpn to bypass your protection. VPN are normally needed for things that use non standard ports...ie games or maybe torrent. Since you are just trying to block normal web pages it is even simpler. All your hacking users would have to do is use a proxy that supports HTTPS. Even on a machine that allows NO installation of anything and no execution of java or activex you could still get access to simple web sites. A proxy is trivial to install unlike a VPN on a home machine.

You are going to have to resort to filtering all the public vpn sites and then just live with the users who are smart enough to use their home internet connection to bypass your filters.

Search

Blocking VPN's so students can't go to blocked websites

Acclaim Academy Tech Squad

Reputable

USAFRet

snakebitex

Distinguished

Acclaim Academy Tech Squad

Reputable

COLGeek

Cybernaut

USAFRet

Titan

rusabus

Distinguished

Acclaim Academy Tech Squad

Reputable

Acclaim Academy Tech Squad

Reputable

bill001g

Titan

TRENDING THREADS

Latest posts

Moderators online

Share this page