Is there anyway to know if someone is using a VPN on our router too bypass OpenDNS?

Comments

9 comments

  • stoteda

    Since you used the word "family", the answer is...yes, someone in your family is using a handy iPhone utility to evade your carefully curated "to block" list.  It's likely Betternet or TouchVPN.  The short of it is that you need to work on blocking the ports used for DNS, with the exception of OpenDNS IP addresses.  Then you need to spend the rest of your time trying different combinations of things to lock down the firewall on your rinky dink router.  I have found this to be a major task.  I have still not cracked the code on how to stop TouchVPN without stopping all HTTPS traffic. I have blocked a handful of their proxy servers, but I can't seem to find a good list for all of them. 

    At some point you'll upgrade your router, and then a few months later consider severing all communication lines with the outside world out of frustration.  Of course that "someone in your family" has already hacked into their school WiFi, and has bypassed any restriction you placed on the iPhone that you bought them.  I've ended up putting strict MAC address filtering in as well...

    Good luck!  

  • rotblitz

    @jhamons 

    "a VPN on our router"

    A VPN client program normally does not run on the router, but on the end user device, unless someone else has full access to the router's administration and knows how to install a VPN client on it.  Therefore "using a VPN from their iphone" is the better expression.

    iPhones (i.e. iOS) have nice restrictions built in.  Visit Settings > Common > Restrictions to impose them.

    Regarding blocking VPN traffic on the router, you'll want to create outbound firewall rules which block the related ports and protocols.  Most VPN traffic is UDP, rarely TCP.  Just blocking non-OpenDNS DNS traffic will not catch the VPN traffic.

  • jhamons

    Ok --- can I tell by looking at Domains in the logs if a VPN is being used?


    If a VPN is being used --- would domains still show in logs?

  • stoteda

    Rotblitz,

    I think Jhammons described it correctly.  They wanted to know if someone in his family may use a VPN client to bypass the OpenDNS logs, and presumably the restrictions.

    Having spent a fair bit of time trying to restrict this on our network, I wanted to share observations.

    - blocking VPN ports typically used will block normal VPN clients, but not the ones used by half the student population in any given high school.

    - it's also important that you don't simply let someone change the DNS settings.  Unless you really lock down an iPhone, it's easy to type in Google DNS and it will be resolved by Google, even if you had OpenDNS in the router.  You have to explicitly prevent another DNS service by restricting the ports to only pass traffic to OpenDNS.

    - clients like Betternet can be blocked by continually updating the ports typically used by the app. I've been successful with searching for this and seeing lists posted. 

    - I have still not had luck blocking TouchVPN. I understand it is not really a VPN, but an SSL encrypted connection to a proxy, and short of blocking normal browsing, you would have to know all of the IP addresses used in advance to block them in the firewall. I seem to have figured out a few, and it takes a while for the client to establish a connection....but it does. 

    All of this is not specifically related to OpenDNS, but if Jhammons was like me, they thought setting up OpenDNS would be the way to keep the users on their network from accessing the sites they blocked.  I learned it's not so easy.

    I'd love some advice on TouchVPN (Northghost).

  • stoteda

    Jhammons,

    What I tend to see is the domain like Betternet or Northghost blocked by OpenDNS, but the client still functions.  Once the client link is established they are tunneled and all you will see is a LOT of SSL and Secure HTTP traffic, presumably due to all the video traffic. Don't get too hung up on blocking only VPN though, it's relatively easy to block normal VPN clients. Most routers, even consumer ones, have settings to do this.

    The clients you are trying to block use a variety of techniques.... I am still learning about one called Hydra, which is multi-hop, multi-destination.

    I am not a professional IT person, but I started with OpenDNS and found my adversaries were far more sophisticated than me!

  • jhamons

    At this point -- less interested in actually blocking and more just interested in seeing if it is being used.

  • rotblitz

    @jhamons 

    Clearly, because VPNs circumvent OpenDNS, you cannot see anything in the OpenDNS stats and logs.  To catch this traffic, you would have to run a sniffer or a proxy server in your network where all traffic must go through.  Only the DNS traffic served by OpenDNS appears in the stats and logs.

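Added example, not from this thread or from OpenDNS: a small Python classifier over flow summaries of the kind a sniffer or a router's flow export gives you, which is what rotblitz's last point and stoteda's DNS-port bullet boil down to. It flags DNS sent anywhere but OpenDNS, flows on conventional VPN protocol ports, and a single long, heavy TLS session that looks more like a proxy tunnel than browsing. The resolver addresses are OpenDNS's published ones and the ports are protocol defaults; every flow record and both thresholds are constructed for the demo.

```python
"""Classify captured flow summaries to spot DNS bypass and likely VPN or
proxy tunnels.  All flow records below are constructed sample data."""
from collections import defaultdict

# OpenDNS's published resolver addresses; port-53 traffic to anything
# else never reaches the OpenDNS logs, so it is a bypass by definition.
OPENDNS_RESOLVERS = {"208.67.222.222", "208.67.220.220"}

# Conventional default ports of common VPN protocols (assumption: a
# client on a non-default port is not caught by this table).
VPN_PORTS = {("udp", 1194): "OpenVPN", ("udp", 500): "IKE/IPsec",
             ("udp", 4500): "IPsec NAT-T", ("tcp", 1723): "PPTP",
             ("udp", 51820): "WireGuard"}

# Constructed flows: (client, proto, dst, dport, bytes, duration_seconds).
# Destinations use documentation address ranges; nothing here is a real host.
FLOWS = [
    ("192.168.1.20", "udp", "208.67.222.222", 53, 120, 1),           # normal
    ("192.168.1.21", "udp", "8.8.8.8", 53, 98, 1),                   # DNS bypass
    ("192.168.1.21", "udp", "203.0.113.5", 1194, 50_000_000, 3600),  # OpenVPN
    ("192.168.1.22", "tcp", "198.51.100.7", 443, 900_000_000, 5400), # heavy TLS
    ("192.168.1.22", "tcp", "198.51.100.9", 443, 40_000, 5),         # ordinary TLS
]


def classify(flows, tls_bytes=500_000_000, tls_secs=1800):
    """Return {client: [findings]} for flows that deserve a closer look.

    tls_bytes/tls_secs are constructed thresholds: a single TLS session
    that is both that large and that long-lived is unlike web browsing."""
    findings = defaultdict(list)
    for client, proto, dst, dport, nbytes, secs in flows:
        if dport == 53 and dst not in OPENDNS_RESOLVERS:
            findings[client].append(f"DNS to non-OpenDNS resolver {dst}")
        elif (proto, dport) in VPN_PORTS:
            findings[client].append(f"{VPN_PORTS[(proto, dport)]} to {dst}")
        elif proto == "tcp" and dport == 443 and nbytes >= tls_bytes and secs >= tls_secs:
            findings[client].append(f"long heavy TLS session to {dst}")
    return dict(findings)


if __name__ == "__main__":
    for client, notes in classify(FLOWS).items():
        print(client, *notes, sep="\n  ")
```

The TLS heuristic is deliberately coarse: it only narrows down which client and destination to look at, and a real TLS proxy tunnel on port 443 is indistinguishable from browsing without that kind of volume/duration context.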
  • jhamons

    Thank you -- I clearly don't know what I'm talking about.


  • rotblitz

    You know what you're talking about.  And I'm sure you understand now that OpenDNS can log only DNS traffic which they see from you, not DNS traffic going to a VPN's DNS service.

