03-03-2021 12:59 AM
Currently we have situation where captive portal can be bypassed if the client uses VPN connection like Psiphon.
Also understand that network access is not given until the user has authenticated thru captive portal. However some user are still detected possible to access thru internet use VPN software like Psiphon.
Is there possibility application denial policy on ZD1200 able to block this kind of VPN access ?
03-03-2021 07:21 AM
"192.168.40.10" should be your internal DNS server IP or it could be Google/One DNS server IP, so DNS traffic destined to that IP in this case (192.168.40.10) only will be forwarded and DNS traffic destined to other IP will be dropped.
portal-auth-force-dns-server <your dhcp server>
Hope it helps.
03-03-2021 07:44 AM
Noted on that. I will try and verify on this.
Thank you for the help.
03-04-2021 03:06 AM
Basically this means that Psiphon uses port 53 to establish VPN connection instead of making DNS requests, so if you allow DNS traffic to any server in unauthorized state, VPN can be established.
Any firewall can (and should) block that easy enough. DNS IP must be provided by DHCP server, and no other servers should be permitted. But it probably is not the case on many badly configured hotspots around the world, so Psiphon works there.
Of cause, there is a small question, why Psiphon is interested to provide free services, which require quit a few servers to be installed and run on different locations -- what are they benefits from that?
And don't say they are doing it because they want to help users... There may be different reasons -- selling data, mined from this connections, is the best scenario.
03-10-2021 01:48 PM
This issue is already fixed in ZD 10.1 or higher versions and for v/SZ 5.2 and above.
If you see this issue on 10.1 or higher version, please report it to support.