How can I prevent bypassing web authentication with Psiphon VPN?
How can I prevent bypassing web authentication with Psiphon VPN?
As the Wi-Fi service provider, we've discovered a problem. Even though users should log in with a username and password, they can avoid this by using Psiphon VPN. This means they get internet access without logging in. It's bad for our business. We need to fix this fast.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Thanks for posting in our business forum.
Alex_Mahone wrote
Please check your inbox. I have already sent the router configuration backup file. The firmware version of the router is 1.4.1 Build 20240117 Rel.57421, and the hardware version is V1.0.
Best Regards!
Here's the reply, it is doable.
Due to the portal landing page being necessary to be accessed, TCP/UDP 53 is allowed. Psiphon will use 53 to establish the VPN tunnel with the server. Which will bypass the portal authentication.
For this issue, you can set up ACL to stop this unauthorized connection. The goal is to block TCP and UDP 53.
Create a service with TCP and UDP 53. SRC port = All. DST = TCP/UDP 53.
Direction = LAN -> WAN
SRC IP = portal subnet.
DST IP = Any.
In addition to making it more secure, you can also set up DHCP.
One Allow, one deny. First one is Allow DNS. Second one is blocking. Note that the first entry is set to be !DNS_server. You also need to create this IP group in your Preference settings to specify your DNS server.
Pictures were zipped during the conversation. Yet, still readable.
BTW, it does not affect the afterwards connection. VPN still can function.
- Copy Link
- Report Inappropriate Content
Hi @LADCRUST
LADCRUST wrote
@Clive_A Hi , I'm facing a problem with Psiphon users hacking into my captive portal hotspot, and using my data. Could you please help me on how I can block Psiphon and other VPNS? I appreciate any help you can provide.
Kind regards.
How to Configure ACL to Block Unauthorized VPN Clients Bypassing the Portal
- Copy Link
- Report Inappropriate Content
Hi @Alex_Mahone
Thanks for posting in our business forum.
I have some ideas for this.
1. DPI
2. IDS
3. ACL
DPIa and IDS can be configured to avoid activities like this VPN. You can take a look at them and see if you can make it block with them. If they don't work, I think we need ACL.
So, it is using a certain range of ports. You can block from 10000 to 65543. However, this might damage certain apps when they browse through the Internet. If your web authentication is used for web browsing and messages, that should be okay.
Service Type is the place where you define the port range.
- Copy Link
- Report Inappropriate Content
Due to government restrictions, social media platforms like Facebook and informational resources such as Wikipedia are inaccessible in our country. Consequently, all users resort to VPNs whenever they access the internet via mobile data or Wi-Fi networks.
If we were to implement ACL (Access Control Lists) as suggested, it would indeed restrict access to social media platforms and other websites for all users
- Copy Link
- Report Inappropriate Content
Hi @Alex_Mahone
Thanks for posting in our business forum.
Alex_Mahone wrote
Due to government restrictions, social media platforms like Facebook and informational resources such as Wikipedia are inaccessible in our country. Consequently, all users resort to VPNs whenever they access the internet via mobile data or Wi-Fi networks.
If we were to implement ACL (Access Control Lists) as suggested, it would indeed restrict access to social media platforms and other websites for all users
I proposed that because your VPN uses that range.
Social media may not use other ports. The key is to allow the known ports because many services rely on them.
HTTPS would cover the whole web page access. You don't want VPN and block the known VPN ports and the rest of the unknown ports.
And did you try other ways? I am proposing ways to stop it bypassing via VPN. You don't seem to care about trying them.
VPN connects because these ports are allowed. Unrestricted. Here are ways to restrict them.
- Copy Link
- Report Inappropriate Content
Thank you again for your kind reply .
I believe the most effective approach is to utilize DPI (Deep Packet Inspection) and ACL (Access Control Lists) to prevent web authentication bypass using VPN. By blocking known VPN ports as suggested, VPN functionality will indeed be disabled during web authentication. However, after successful login, clients will be unable to utilize the VPN to access services such as Facebook, Wikipedia, and others that necessitate VPN access. Additionally, since it's impractical to inform each user about allowed and disallowed VPNs, this method does not provide a comprehensive solution. Since our government has blocked Facebook, we rely on VPNs to access the platform
- Copy Link
- Report Inappropriate Content
Hi @Alex_Mahone
Thanks for posting in our business forum.
Alex_Mahone wrote
Thank you again for your kind reply .
I believe the most effective approach is to utilize DPI (Deep Packet Inspection) and ACL (Access Control Lists) to prevent web authentication bypass using VPN. By blocking known VPN ports as suggested, VPN functionality will indeed be disabled during web authentication. However, after successful login, clients will be unable to utilize the VPN to access services such as Facebook, Wikipedia, and others that necessitate VPN access. Additionally, since it's impractical to inform each user about allowed and disallowed VPNs, this method does not provide a comprehensive solution. Since our government has blocked Facebook, we rely on VPNs to access the platform
Got your use scenario.
I have shared your situation with the test team and they'll dig into this issue.
- Copy Link
- Report Inappropriate Content
Hi @Alex_Mahone
Thanks for posting in our business forum.
Alex_Mahone wrote
As the Wi-Fi service provider, we've discovered a problem. Even though users should log in with a username and password, they can avoid this by using Psiphon VPN. This means they get internet access without logging in. It's bad for our business. We need to fix this fast.
I got a reply.
Is this an IPv6 VPN? Or do your client is on IPv6 IP? I require this detail. So far web authentication/portal does not process IPv6. IPv6 will bypass and this is expected at this current status.
Or has this client already passed the authentication? And you tried the VPN which led to a false alarm that the portal does not work properly?
You can reboot this router and reconfigure the portal and see if there is still an issue with the portal with VPN.
- Copy Link
- Report Inappropriate Content
Thank you again for your kind reply.
After resetting the ER7206 router to factory default settings and conducting additional tests, I did not create any user accounts for authentication on the ER7206. However, despite this, users can still circumvent the authentication process using Psiphon VPN. Additionally, the ER7206 gateway has not been configured for IPv6. I also shared with you my phone's VPN tunnel IP address, which successfully bypassed web authentication.
192.168.10.10 is the client that successfully passed the authentication using Psiphon VPN .
Best Regards!
- Copy Link
- Report Inappropriate Content
Hi @Alex_Mahone
Thanks for posting in our business forum.
Alex_Mahone wrote
Thank you again for your kind reply.
After resetting the ER7206 router to factory default settings and conducting additional tests, I did not create any user accounts for authentication on the ER7206. However, despite this, users can still circumvent the authentication process using Psiphon VPN. Additionally, the ER7206 gateway has not been configured for IPv6. I also shared with you my phone's VPN tunnel IP address, which successfully bypassed web authentication.
192.168.10.10 is the client that successfully passed the authentication using Psiphon VPN .
Best Regards!
Can you prepare a backup of your file? Is it okay for you to share it with us?
If it is okay for you, please reply to the email I created for you. You will see the ticket number in the next reply and you will also receive an email from us.
Note that if you are NOT okay to share the file with us, please inform me by either replying to one of the messages.
- Copy Link
- Report Inappropriate Content
Hi @Alex_Mahone
Thank you so much for taking the time to post the issue on TP-Link community!
To better assist you, I've created a support ticket via your registered email address, and escalated it to our support engineer to look into the issue. The ticket ID is TKID240348589, please check your email box and ensure the support email is well received. Thanks!
Once the issue is addressed or resolved, welcome to update this topic thread with your solution to help others who may encounter the same issue as you did.
Many thanks for your great cooperation and patience!
- Copy Link
- Report Inappropriate Content
Please check your inbox. I have already sent the router configuration backup file. The firmware version of the router is 1.4.1 Build 20240117 Rel.57421, and the hardware version is V1.0.
Best Regards!
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 2611
Replies: 20
Voters 0
No one has voted for it yet.