Hi @Alex_Mahone 

Thanks for posting in our business forum.

I have some ideas for this.

1. DPI

2. IDS

3. ACL

DPIa and IDS can be configured to avoid activities like this VPN. You can take a look at them and see if you can make it block with them. If they don't work, I think we need ACL.

So, it is using a certain range of ports. You can block from 10000 to 65543. However, this might damage certain apps when they browse through the Internet. If your web authentication is used for web browsing and messages, that should be okay.

Service Type is the place where you define the port range.

Hi @Alex_Mahone 

Thanks for posting in our business forum.

Alex_Mahone wrote

  @Clive_A 

Due to government restrictions, social media platforms like Facebook and informational resources such as Wikipedia are inaccessible in our country. Consequently, all users resort to VPNs whenever they access the internet via mobile data or Wi-Fi networks.
If we were to implement ACL (Access Control Lists) as suggested, it would indeed restrict access to social media platforms and other websites for all users

I proposed that because your VPN uses that range.

Social media may not use other ports. The key is to allow the known ports because many services rely on them.

HTTPS would cover the whole web page access. You don't want VPN and block the known VPN ports and the rest of the unknown ports.

And did you try other ways? I am proposing ways to stop it bypassing via VPN. You don't seem to care about trying them.

VPN connects because these ports are allowed. Unrestricted. Here are ways to restrict them.

Hi @Alex_Mahone 

Thanks for posting in our business forum.

Alex_Mahone wrote

  @Clive_A 

Thank you again for your kind reply .

 

I believe the most effective approach is to utilize DPI (Deep Packet Inspection) and ACL (Access Control Lists) to prevent web authentication bypass using VPN. By blocking known VPN ports as suggested, VPN functionality will indeed be disabled during web authentication. However, after successful login, clients will be unable to utilize the VPN to access services such as Facebook, Wikipedia, and others that necessitate VPN access. Additionally, since it's impractical to inform each user about allowed and disallowed VPNs, this method does not provide a comprehensive solution. Since our government has blocked Facebook, we rely on VPNs to access the platform

 

Got your use scenario.
I have shared your situation with the test team and they'll dig into this issue.

Hi @Alex_Mahone 

Thanks for posting in our business forum.

Alex_Mahone wrote

As the Wi-Fi service provider, we've discovered a problem. Even though users should log in with a username and password, they can avoid this by using Psiphon VPN. This means they get internet access without logging in. It's bad for our business. We need to fix this fast.

 

I got a reply.

Is this an IPv6 VPN? Or do your client is on IPv6 IP? I require this detail. So far web authentication/portal does not process IPv6. IPv6 will bypass and this is expected at this current status.

Or has this client already passed the authentication? And you tried the VPN which led to a false alarm that the portal does not work properly?

You can reboot this router and reconfigure the portal and see if there is still an issue with the portal with VPN.

Hi @Alex_Mahone 

Thanks for posting in our business forum.

Alex_Mahone wrote

  @Clive_A 

Thank you again for your kind reply.

 

After resetting the ER7206 router to factory default settings and conducting additional tests, I did not create any user accounts for authentication on the ER7206. However, despite this, users can still circumvent the authentication process using Psiphon VPN. Additionally, the ER7206 gateway has not been configured for IPv6. I also shared with you my phone's VPN tunnel IP address, which successfully bypassed web authentication.

 

 

 

 

 

 

192.168.10.10 is the client that successfully passed the authentication using Psiphon VPN .

 

Best Regards!

Can you prepare a backup of your file? Is it okay for you to share it with us?

If it is okay for you, please reply to the email I created for you. You will see the ticket number in the next reply and you will also receive an email from us.

Note that if you are NOT okay to share the file with us, please inform me by either replying to one of the messages.

Hi @Alex_Mahone 

Thank you so much for taking the time to post the issue on TP-Link community!

To better assist you, I've created a support ticket via your registered email address, and escalated it to our support engineer to look into the issue. The ticket ID is TKID240348589, please check your email box and ensure the support email is well received. Thanks!

Once the issue is addressed or resolved, welcome to update this topic thread with your solution to help others who may encounter the same issue as you did.

Many thanks for your great cooperation and patience!