zo0m

How to detect and block OpenVPN connections?

Good afternoon. We have a very critical problem: our proxy server lets OpenVPN connections through, i.e. any user or administrator in our corporate network can bring an OpenVPN client, install it on their workstation and freely connect to any OpenVPN server (for example, I took a test configuration from www.vpngate.net). When tracing, I see 1 request (where the proxy needs to authenticate); after this I no longer see the traffic, and the connection is successfully established. Blocking by application does not work (there is simply no OpenVPN filter in McAfee, and the application does not seem to be detected very well). Blocking by domain/URL, IP or port is not an option, as an OpenVPN server can be brought up on any other IP, port, etc. The detection process is complicated by the OpenVPN technology itself:

* OpenVPN can tunnel through an HTTP proxy. You can very easily make OpenVPN traffic appear just like SSL/HTTPS traffic.

* OpenVPN can use any TCP or UDP port number. What it will not do is change the application protocol to match what the traffic over that port should look like. For example, you raise the possibility that someone could use OpenVPN on the rsync port of 873. But that should be immediately detectable when you see that someone is passing data over port 873 which is not recognizable as an rsync connection.

* The very fact that OpenVPN may use a 100% encrypted protocol is a marker in itself. If you have a firewall which blocks unrecognized application protocols, you will block OpenVPN.

Some say that the OpenVPN connection is established at a lower level (TUN/TAP) than the one at which conventional HTTP proxy servers inspect traffic, but MWG is not an ordinary proxy?

The only more or less constant parameter I found while looking for information on OpenVPN is the MSS/MTU size, which is smaller than that of other types of traffic, although you can change it if you want... Can this parameter be used to configure detection and blocking on my MWG?

I don't know, maybe MWG has deep packet inspection?

What are the ways to detect and block such traffic? How can it be done on MWG?
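
The protocol-mismatch check mentioned in the post above (traffic on a port that is not recognizable as the protocol expected there), applied to the first client bytes inside a proxy CONNECT tunnel. This is an added example, not part of the original post and not MWG functionality; the OpenVPN framing details come from the OpenVPN wire protocol, and the function names, the 1500-byte bound and the sample payloads are assumptions constructed for illustration.

```python
import struct

# Client opcodes that open an OpenVPN session (hard resets V1/V2/V3). These
# values come from the OpenVPN wire protocol, not from the post above.
HARD_RESET_CLIENT = {1, 7, 10}


def classify_tunnel_start(payload: bytes) -> str:
    """Classify the first client bytes inside a CONNECT tunnel.

    Returns "tls", "openvpn-tcp", "unknown" or "too-short".
    """
    if len(payload) < 5:
        return "too-short"
    # TLS record header: type 0x16 (handshake), version 0x03 0x00-0x04,
    # then a 16-bit record length of at most 2**14 bytes.
    if payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04:
        (rec_len,) = struct.unpack("!H", payload[3:5])
        if 0 < rec_len <= 2**14:
            return "tls"
    # OpenVPN over TCP: 16-bit packet length, then one byte holding the
    # opcode (high 5 bits) and key id (low 3 bits, 0 on a first packet).
    (pkt_len,) = struct.unpack("!H", payload[:2])
    opcode, key_id = payload[2] >> 3, payload[2] & 0x07
    # Shortest hard reset: opcode byte + 8-byte session id + 1-byte ACK
    # count + 4-byte packet id = 14 bytes. 1500 is an assumed upper bound.
    if opcode in HARD_RESET_CLIENT and key_id == 0 and 14 <= pkt_len <= 1500:
        return "openvpn-tcp"
    return "unknown"


def should_block(payload: bytes) -> bool:
    """Hypothetical policy: a tunnel to an HTTPS port must start with TLS."""
    return classify_tunnel_start(payload) in ("openvpn-tcp", "unknown")


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "tls_client_hello": bytes.fromhex("16030100c8010000c40303"),
    "openvpn_hard_reset_v2": struct.pack("!H", 14) + b"\x38"
    + bytes.fromhex("0123456789abcdef") + b"\x00" + bytes(4),
    "ssh_banner": b"SSH-2.0-OpenSSH_9.6\r\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:24} {classify_tunnel_start(data):12} block={should_block(data)}")
```

The check only decides whether a tunnel begins with a TLS record; it does not look at what is carried inside a genuine TLS session.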
