How can I prevent bypassing web authentication with Psiphon VPN?

2024-03-20 09:49:51 - last edited 2024-04-02 01:46:30
Model: ER7206 (TL-ER7206)  
Hardware Version: V1
Firmware Version: 1.4.1 Build 20240117 Rel.57421

As the Wi-Fi service provider, we've discovered a problem. Even though users should log in with a username and password, they can avoid this by using Psiphon VPN. This means they get internet access without logging in. It's bad for our business. We need to fix this fast.

 

2 Accepted Solutions
Re:How can I prevent bypassing web authentication with Psiphon VPN?-Solution
2024-03-29 05:48:27 - last edited 2024-03-29 05:51:34

Hi @Alex_Mahone   @dariana_dev 

Thanks for posting in our business forum.

Alex_Mahone wrote

  @Clive_A 

 

Please check your inbox. I have already sent the router configuration backup file. The firmware version of the router is 1.4.1 Build 20240117 Rel.57421, and the hardware version is V1.0.

Best Regards!

Here's the reply, it is doable.

Because the portal landing page needs to be accessible, TCP/UDP 53 is allowed. Psiphon will use 53 to establish the VPN tunnel with the server, which will bypass the portal authentication.

 

For this issue, you can set up an ACL to stop this unauthorized connection. The goal is to block TCP and UDP 53.

Create a service with TCP and UDP 53. SRC port = All. DST = TCP/UDP 53.

Direction = LAN -> WAN

SRC IP = portal subnet.

DST IP = Any.

 

In addition to making it more secure, you can also set up DHCP.

 

One Allow, one deny. First one is Allow DNS. Second one is blocking. Note that the first entry is set to be !DNS_server. You also need to create this IP group in your Preference settings to specify your DNS server.

 

Pictures were zipped during the conversation. Yet, still readable.

 

BTW, it does not affect the afterwards connection. VPN still can function.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
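The two-rule ACL described in this reply, modelled as an added example (not part of the original post and not TP-Link's own configuration or code). It assumes first-match rule evaluation and reads the rules as "allow port 53 to the DNS_server group, then deny all other port 53"; the resolver address, the /24 portal subnet and the sample flows are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Assumptions (constructed for illustration, not read from the router):
PORTAL_SUBNET = ipaddress.ip_network("192.168.10.0/24")        # "SRC IP = portal subnet"
DNS_SERVER_GROUP = {ipaddress.ip_address("198.51.100.53")}     # the "DNS_server" IP group

# Ordered LAN -> WAN rules for the TCP/UDP 53 service; first match wins.
RULES = [
    ("allow", lambda dst: dst in DNS_SERVER_GROUP),  # DNS to the approved resolver
    ("deny", lambda dst: True),                      # every other destination on port 53
]

def verdict(src, dst, proto, dport):
    """Return 'allow', 'deny' or 'no-match' for one LAN -> WAN flow."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src not in PORTAL_SUBNET or proto not in ("tcp", "udp") or dport != 53:
        return "no-match"  # outside this service or subnet; other rules decide
    for action, matches in RULES:
        if matches(dst):
            return action
    return "no-match"

def denied_by_client(flows):
    """Count denied port-53 flows per source IP (clients worth investigating)."""
    return Counter(f[0] for f in flows if verdict(*f) == "deny")

# Constructed sample flows: (src, dst, proto, dst_port)
SAMPLE_FLOWS = [
    ("192.168.10.23", "198.51.100.53", "udp", 53),  # normal DNS lookup
    ("192.168.10.10", "203.0.113.50", "udp", 53),   # port 53 to a non-resolver host
    ("192.168.10.10", "203.0.113.50", "tcp", 53),   # same, over TCP
    ("192.168.10.23", "198.51.100.7", "tcp", 443),  # not covered by this service
    ("192.168.20.5", "203.0.113.50", "udp", 53),    # source outside the portal subnet
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "->", verdict(*flow))
    print("denied per client:", dict(denied_by_client(SAMPLE_FLOWS)))
```
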
Re:How can I prevent bypassing web authentication with Psiphon VPN?-Solution
2024-07-05 01:16:21 - last edited 2024-07-08 01:15:31

Hi  @LADCRUST 

LADCRUST wrote

  @Clive_A  Hi, I'm facing a problem with Psiphon users hacking into my captive portal hotspot, and using my data. Could you please help me on how I can block Psiphon and other VPNs? I appreciate any help you can provide.
Kind regards.

How to Configure ACL to Block Unauthorized VPN Clients Bypassing the Portal

Best Regards!
20 Reply
Re:How can I prevent bypassing web authentication with Psiphon VPN?
2024-03-21 03:00:04 - last edited 2024-03-21 03:00:21

Hi @Alex_Mahone 

Thanks for posting in our business forum.

I have some ideas for this.

1. DPI

2. IDS

3. ACL

 

DPI and IDS can be configured to avoid activities like this VPN. You can take a look at them and see if you can make it block with them. If they don't work, I think we need ACL.

 

So, it is using a certain range of ports. You can block from 10000 to 65543. However, this might damage certain apps when they browse through the Internet. If your web authentication is used for web browsing and messages, that should be okay.

 

Service Type is the place where you define the port range.

Best Regards!
Re:How can I prevent bypassing web authentication with Psiphon VPN?
2024-03-21 03:38:41

  @Clive_A 

Due to government restrictions, social media platforms like Facebook and informational resources such as Wikipedia are inaccessible in our country. Consequently, all users resort to VPNs whenever they access the internet via mobile data or Wi-Fi networks.
If we were to implement ACL (Access Control Lists) as suggested, it would indeed restrict access to social media platforms and other websites for all users.

Re:How can I prevent bypassing web authentication with Psiphon VPN?
2024-03-21 06:58:46

Hi @Alex_Mahone 

Thanks for posting in our business forum.

Alex_Mahone wrote

  @Clive_A 

Due to government restrictions, social media platforms like Facebook and informational resources such as Wikipedia are inaccessible in our country. Consequently, all users resort to VPNs whenever they access the internet via mobile data or Wi-Fi networks.
If we were to implement ACL (Access Control Lists) as suggested, it would indeed restrict access to social media platforms and other websites for all users.

I proposed that because your VPN uses that range.

Social media may not use other ports. The key is to allow the known ports because many services rely on them.

HTTPS would cover the whole web page access. You don't want VPN and block the known VPN ports and the rest of the unknown ports.

 

And did you try other ways? I am proposing ways to stop it bypassing via VPN. You don't seem to care about trying them.

VPN connects because these ports are allowed. Unrestricted. Here are ways to restrict them.

Best Regards!
Re:How can I prevent bypassing web authentication with Psiphon VPN?
2024-03-21 07:56:26

  @Clive_A 

Thank you again for your kind reply.

 

I believe the most effective approach is to utilize DPI (Deep Packet Inspection) and ACL (Access Control Lists) to prevent web authentication bypass using VPN. By blocking known VPN ports as suggested, VPN functionality will indeed be disabled during web authentication. However, after successful login, clients will be unable to utilize the VPN to access services such as Facebook, Wikipedia, and others that necessitate VPN access. Additionally, since it's impractical to inform each user about allowed and disallowed VPNs, this method does not provide a comprehensive solution. Since our government has blocked Facebook, we rely on VPNs to access the platform.

 

Re:How can I prevent bypassing web authentication with Psiphon VPN?
2024-03-22 01:06:33

Hi @Alex_Mahone 

Thanks for posting in our business forum.

Alex_Mahone wrote

  @Clive_A 

Thank you again for your kind reply.

 

I believe the most effective approach is to utilize DPI (Deep Packet Inspection) and ACL (Access Control Lists) to prevent web authentication bypass using VPN. By blocking known VPN ports as suggested, VPN functionality will indeed be disabled during web authentication. However, after successful login, clients will be unable to utilize the VPN to access services such as Facebook, Wikipedia, and others that necessitate VPN access. Additionally, since it's impractical to inform each user about allowed and disallowed VPNs, this method does not provide a comprehensive solution. Since our government has blocked Facebook, we rely on VPNs to access the platform.

 

Got your use scenario.
I have shared your situation with the test team and they'll dig into this issue.

Best Regards!
Re:How can I prevent bypassing web authentication with Psiphon VPN?
2024-03-22 03:53:04 - last edited 2024-03-22 06:49:38

Hi @Alex_Mahone 

Thanks for posting in our business forum.

Alex_Mahone wrote

As the Wi-Fi service provider, we've discovered a problem. Even though users should log in with a username and password, they can avoid this by using Psiphon VPN. This means they get internet access without logging in. It's bad for our business. We need to fix this fast.

 

I got a reply.

Is this an IPv6 VPN? Or is your client on an IPv6 IP? I require this detail. So far, web authentication/portal does not process IPv6. IPv6 will bypass it, and this is expected at the current stage.

Or has this client already passed the authentication? And you tried the VPN which led to a false alarm that the portal does not work properly?

 

You can reboot this router and reconfigure the portal and see if there is still an issue with the portal with VPN.

Best Regards!
Re:How can I prevent bypassing web authentication with Psiphon VPN?
2024-03-22 06:51:30

  @Clive_A 

Thank you again for your kind reply.

 

After resetting the ER7206 router to factory default settings and conducting additional tests, I did not create any user accounts for authentication on the ER7206. However, despite this, users can still circumvent the authentication process using Psiphon VPN. Additionally, the ER7206 gateway has not been configured for IPv6. I also shared with you my phone's VPN tunnel IP address, which successfully bypassed web authentication.

 

  

 

 

192.168.10.10 is the client that successfully passed the authentication using Psiphon VPN.

 

Best Regards!

Re:How can I prevent bypassing web authentication with Psiphon VPN?
2024-03-25 09:20:28

Hi @Alex_Mahone 

Thanks for posting in our business forum.

Alex_Mahone wrote

  @Clive_A 

Thank you again for your kind reply.

 

After resetting the ER7206 router to factory default settings and conducting additional tests, I did not create any user accounts for authentication on the ER7206. However, despite this, users can still circumvent the authentication process using Psiphon VPN. Additionally, the ER7206 gateway has not been configured for IPv6. I also shared with you my phone's VPN tunnel IP address, which successfully bypassed web authentication.

 

 

 

 

 

 

192.168.10.10 is the client that successfully passed the authentication using Psiphon VPN.

 

Best Regards!

Can you prepare a backup of your file? Is it okay for you to share it with us?

If it is okay for you, please reply to the email I created for you. You will see the ticket number in the next reply and you will also receive an email from us.

Note that if you are NOT okay to share the file with us, please inform me by either replying to one of the messages.

Best Regards!
Re:How can I prevent bypassing web authentication with Psiphon VPN?
2024-03-25 09:25:42

Hi @Alex_Mahone 

Thank you so much for taking the time to post the issue on TP-Link community!

To better assist you, I've created a support ticket via your registered email address, and escalated it to our support engineer to look into the issue. The ticket ID is TKID240348589, please check your email box and ensure the support email is well received. Thanks!

Once the issue is addressed or resolved, welcome to update this topic thread with your solution to help others who may encounter the same issue as you did.

Many thanks for your great cooperation and patience!

Best Regards!
Re:How can I prevent bypassing web authentication with Psiphon VPN?
2024-03-27 03:55:23

  @Clive_A 

 

Please check your inbox. I have already sent the router configuration backup file. The firmware version of the router is 1.4.1 Build 20240117 Rel.57421, and the hardware version is V1.0.

Best Regards!
