CleanBrowsing provides a DNS-based content filtering service, but like most DNS services it is limited by what is happening on the network it is being deployed on. While our system will work to block access to VPN sites, its effectiveness is limited to what the network, and local device, allow. In this article we will explore VPN's, explain what they are, how they work, and propose recommendations that can be deployed to help stop the use of VPN's on your network.
The principles are the same for a large enterprise, as they are for a parent, so we will focus on the lowest common denominator of a parent who likely doesn't have the skills, or technical knowledge to do this on their own.
Virtual Private Networks (VPN) are tunnels that can be created inside your existing network. They create a private environment inside your existing network that opens a window to the outside world ignoring all the restrictions you might have in place. They are especially difficult to work with, and when used have the ability to circumvent almost all attempts to restrict content.
VPN's were originally created as a way to allow a user to access information that is only accessible inside a network, securely, from a location outside of said network. It's application, however, has evolved dramatically since its inception.
Today, in addition to what companies use it for, it is the preferred method to circumvent network restrictions. Those restrictions might be imposed by a streaming provider, think Netflix disabling shows in Europe, or other parts of the world. Similar restrictions might be imposed by network administrators like parent, companies, and even Internet Service Providers (ISP).
How VPN's Work
VPN's create a tunnel outside of your network to another server on the internet. This tunnel wraps all the communication inside a secure wrapper (i.e., encrypts the data) and gives the user unfettered access to the internet. It's a users preferred method of bypassing content filtering services. This secure wrapper makes it impossible to see what they are doing, and also allows them to do, and see, whatever they like.
The issue with blocking VPN's is in the way they function. In most instances, a DNS service like CleanBrowsing will detect and render a VPN useless, but there are instances in which that is not possible. This is typically when a VPN does not make use of traditional DNS, or they go directly to their own DNS services bypassing traditional DNS services.
In scenarios like this, it makes it exceptionally difficult for any DNS service, or filtering provider to help block the use of a VPN. This is further complicated by how accessible VPN's are. Today a user is able to find a VPN inside their browser, local device and embedded inside existing applications.
What they all have in common, however, is that they all typically use a known set of protocols. This is top to avoid, and will be important when you work to block access.
Point-to-Point Tunneling Protocol (PPTP)
Secure Socket Tunneling Protocol (SSTP)
Layer 2 Tunneling Protocol (L2TP)
Internet Protocol Security (IPsec).
L2TP with IPSec
Layer 2 Tunneling Protocol (L2TP) with Internet Protocol Security (IPsec)
open-source commercial software. It uses a custom security protocol that utilizes SSL/TLS for key exchange.
Internet Key Exchange version 2
It is important to understand that these are the different protocols VPN's use because it will become important when you are working to disable their access. This is not a comprehensive list of the different port combinations, but it does show the most common options.
If you are concerned about a VPN you should not allow the Opera or Firefox browsers to be installed. They provide VPN's embedded into the browser in the name of "privacy". While great for an adult, it's a horrible option for a child, someone struggling with addiction, or a number of other use cases. We recommend those browsers be removed and you use your content filter to restrict the ability to install them later.
A lot of Anti-Virus applications have VPN's embedded into the application. We recommend disabling the feature from your devices, restricting it behind an administrators account or switching to a provider that doesn't include it.
We also recommend taking a proactive approach to hardening mobile devices. The biggest mistake we see is giving a mobile user full control of their device. They have the ability to install whatever they want, when they want and this allows the user to leverage VPN's and other evasion technologies. The most effective approach to mitigating this is to ensure they don't have full administrative rights, and leverage parental control features when available.
In addition to being embedded inside an existing application, most VPN's require the user to download an application to their local machine to work. The easiest way to mitigate this exposure is to a) block access to VPN sites via services like CleanBrowsing, and b) restrict the users ability to install VPN's in the first place.
Block VPN's at the Network Level
The most effective way to restrict VPN's on your network is to do it at your routers firewall. The limitation here will be your technical knowledge and the features provided by your router.
The remainder of this article will show you how to disable VPN's on your network using a Netgear Orbi router. It's impossible to account for every router combination, but conceptually the idea is the same.
Example: Blocking VPN using Netgear Orbi Router
In most instances the feature you want will be found inside the Advanced or Security menu options, but might be located else where.
Using the knowledge we learned above, we will create a new rule in our router that blocks specific protocols and ports. This will apply to the entire network, which will include every device that connects to it.
In a Netgear Orbi, this is located inside Security > Block Services.
The example shows what the final output will look like. In it, I have added a series of rules, each designed to block a specific Protocol, and port (individual or range). When you don't know what VPN is being used, it's best to block the most common options which is what we provided above.
If you do know, you can look up the specific VPN and research the protocols and ports they typically use. Note that the most creative VPN's, although restricted to the protocols they can use, can get creative with the ports they leverage.
Browse the web without surprises. CleanBrowsing automatically blocks adult content, while allowing Google, Youtube, Bing, DuckDuckGo and the rest of the web to load safely. It only takes 5 minutes to enable the service for free and with nothing to install.