03-03-2021 12:59 AM
Currently we have a situation where the captive portal can be bypassed if the client uses a VPN connection like Psiphon.
I also understand that network access is not given until the user has authenticated through the captive portal. However, some users are still detected as able to access the internet using VPN software like Psiphon.
Is there a possibility that an application denial policy on the ZD1200 is able to block this kind of VPN access?
03-03-2021 07:21 AM
Hi Vincent,
"192.168.40.10" should be your internal DNS server IP, or it could be the Google/One DNS server IP, so only DNS traffic destined to that IP (in this case 192.168.40.10) will be forwarded, and DNS traffic destined to other IPs will be dropped.
portal-auth-force-dns-server <your dhcp server>
Hope it helps.
Regards,
Abilash PR
03-03-2021 07:44 AM
Hi Abilash,
Noted on that. I will try and verify on this.
Thank you for the help.
03-04-2021 03:06 AM
Basically this means that Psiphon uses port 53 to establish a VPN connection instead of making DNS requests, so if you allow DNS traffic to any server in the unauthorized state, a VPN can be established.
Any firewall can (and should) block that easily enough. The DNS IP must be provided by the DHCP server, and no other servers should be permitted. But that is probably not the case on many badly configured hotspots around the world, so Psiphon works there.
Of course, there is a small question: why is Psiphon interested in providing free services, which require quite a few servers to be installed and run in different locations? What are their benefits from that?
And don't say they are doing it because they want to help users... There may be different reasons; selling data mined from these connections is the best scenario.
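The pre-authentication policy described above (DNS allowed only to the DHCP-advertised resolver, everything else on port 53 dropped), as an added Python example that is not part of the thread and not ZoneDirector code; the resolver 192.168.40.10 is taken from the thread, while the portal IP, client addresses and sample flows are constructed:

```python
# Added example: walled-garden flow filter that mirrors the "force DNS server"
# idea. Before a client passes the captive portal, only DNS to the DHCP-handed
# resolver is allowed; port-53 traffic to any other address (the path a DNS
# tunnelling VPN rides on) is dropped and counted per source for alerting.
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str    # client address
    dst: str    # destination address
    dport: int  # destination port
    proto: str  # "udp" or "tcp"


FORCED_DNS_SERVER = "192.168.40.10"  # from the thread: resolver given by DHCP
PORTAL_IP = "192.168.40.1"           # constructed: captive portal address


def pre_auth_verdict(flow, authenticated):
    """Return 'allow' or 'drop' for a flow, given the set of authenticated clients."""
    if flow.src in authenticated:
        return "allow"                      # already past the portal
    if flow.dport == 53:
        # DNS only to the forced resolver; any other port-53 peer is a tunnel candidate.
        return "allow" if flow.dst == FORCED_DNS_SERVER else "drop"
    if flow.dst == PORTAL_IP and flow.dport in (80, 443):
        return "allow"                      # the portal pages themselves
    return "drop"


def audit(flows, authenticated):
    """Apply the policy and count dropped port-53 flows per source (tunnel attempts)."""
    suspects = {}
    for f in flows:
        if f.dport == 53 and pre_auth_verdict(f, authenticated) == "drop":
            suspects[f.src] = suspects.get(f.src, 0) + 1
    return suspects


# Constructed sample flows
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "192.168.40.10", 53, "udp"),  # legitimate lookup
    Flow("10.0.0.5", "192.168.40.1", 443, "tcp"),  # portal page
    Flow("10.0.0.7", "203.0.113.9", 53, "udp"),    # DNS to a foreign server
    Flow("10.0.0.7", "203.0.113.9", 53, "tcp"),    # same peer over TCP
    Flow("10.0.0.9", "198.51.100.4", 53, "udp"),   # authenticated client, allowed
]
AUTHENTICATED = {"10.0.0.9"}

if __name__ == "__main__":
    print(audit(SAMPLE_FLOWS, AUTHENTICATED))  # {'10.0.0.7': 2}
```

A client that repeatedly shows up in the audit result while unauthenticated is the one the original poster describes; the drop counter is what you would feed to an alert.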
03-10-2021 01:48 PM
Hi All,
This issue is already fixed in ZD 10.1 or higher versions and in v/SZ 5.2 and above.
If you see this issue on 10.1 or higher versions, please report it to support.