Can ZD1200 block VPN access like Psiphon?

vincent_voo
New Contributor III

Currently we have a situation where the captive portal can be bypassed if the client uses a VPN connection like Psiphon.

I also understand that network access is not given until the user has authenticated through the captive portal. However, some users are still detected as able to access the internet using VPN software like Psiphon.

Is there a possibility that an application denial policy on the ZD1200 is able to block this kind of VPN access?

8 REPLIES

abilashpr
Contributor III

Hi Vincent,

"192.168.40.10" should be your internal DNS server IP, or it could be the Google/One DNS server IP, so only DNS traffic destined to that IP (192.168.40.10 in this case) will be forwarded, and DNS traffic destined to other IPs will be dropped.

portal-auth-force-dns-server <your dhcp server>

Hope it helps.

Regards,

Abilash PR

Hi Abilash,

Noted on that. I will try and verify on this.

Thank you for the help.

eizens_putnins
Valued Contributor II

Basically this means that Psiphon uses port 53 to establish a VPN connection instead of making DNS requests, so if you allow DNS traffic to any server in the unauthorized state, a VPN can be established.

Any firewall can (and should) block that easily enough. The DNS IP must be provided by the DHCP server, and no other servers should be permitted. But that is probably not the case on many badly configured hotspots around the world, so Psiphon works there.

Of course, there is a small question: why is Psiphon interested in providing free services, which require quite a few servers to be installed and run in different locations -- what are their benefits from that?

And don't say they are doing it because they want to help users... There may be different reasons -- selling data, mined from these connections, is the best scenario.
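
Added example (not written by any poster in this thread, and not Ruckus code): a Python audit over constructed flow records that lists unauthenticated clients whose port-53 traffic goes to a server other than the DHCP-issued resolver, which is the traffic the replies above say should be dropped. The record format, field names and every sample address except 192.168.40.10 are assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumption: the resolver handed out by DHCP (address taken from the thread).
ALLOWED_RESOLVERS = {ipaddress.ip_address("192.168.40.10")}

# Constructed sample records: time, client, auth state, proto, dst, dport, bytes
SAMPLE_FLOWS = """\
10:00:01 192.168.40.51 unauth udp 192.168.40.10 53 120
10:00:02 192.168.40.51 unauth udp 203.0.113.7 53 48200
10:00:03 192.168.40.52 unauth tcp 198.51.100.9 53 910455
10:00:04 192.168.40.53 auth udp 203.0.113.7 53 96
10:00:05 192.168.40.52 unauth tcp 198.51.100.9 443 300
10:00:06 192.168.40.52 unauth udp 198.51.100.9 53 15000
"""

def parse_flows(text):
    """Yield one dict per non-empty flow line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, state, proto, dst, dport, nbytes = line.split()
        yield {"ts": ts, "client": client, "state": state, "proto": proto,
               "dst": ipaddress.ip_address(dst), "dport": int(dport),
               "bytes": int(nbytes)}

def weak_policy(flow):
    """Pre-auth rule on a misconfigured hotspot: port 53 to anywhere."""
    return flow["dport"] == 53

def strict_policy(flow, allowed=ALLOWED_RESOLVERS):
    """Pre-auth rule from the thread: port 53 only to the DHCP-issued resolver."""
    return flow["dport"] == 53 and flow["dst"] in allowed

def bypass_candidates(flows, allowed=ALLOWED_RESOLVERS):
    """Bytes per (client, dst) that the weak rule forwards and the strict rule drops."""
    totals = defaultdict(int)
    for f in flows:
        if f["state"] != "unauth":
            continue  # authenticated clients are outside the pre-auth rule
        if weak_policy(f) and not strict_policy(f, allowed):
            totals[(f["client"], str(f["dst"]))] += f["bytes"]
    return dict(totals)

if __name__ == "__main__":
    found = bypass_candidates(parse_flows(SAMPLE_FLOWS))
    for (client, dst), total in sorted(found.items()):
        print(f"{client} -> {dst}:53 pre-auth, {total} bytes (off-list resolver)")
```

Both UDP and TCP port 53 are counted, since a rule that only matches the port forwards either one.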

syamantakomer
Community Admin

Hi All,

This issue is already fixed in ZD 10.1 or higher versions and for v/SZ 5.2 and above.

If you see this issue on 10.1 or higher version, please report it to support.


Syamantak Omer
Sr.Staff TSE | CWNA | CCNA | RCWA | RASZA | RICXI
RUCKUS Networks, CommScope!