0 Replies Latest reply on Dec 4, 2016 8:28 AM by zo0m

    How to detect and block OpenVPN connections?

    zo0m

      Good afternoon. We have a very critical problem: our proxy server lets OpenVPN connections through, i.e. some user/administrator in our corporate network can bring in and install an OpenVPN client on their workstation and freely connect to any OpenVPN server (for example, I take any test configuration from www.vpngate.net). When tracing, I see 1 request (where the proxy needs to authenticate); after this I no longer see traffic, and the connection is successfully established. Blocking by application does not work (there is simply no OpenVPN filter in McAfee, and the application does not seem to be determined very well). Blocking by domain/URL, IP or port is not an option, as an OpenVPN server can be brought up on any other IP, port, etc. The detection process is complicated by the OpenVPN technology itself:

       

      * OpenVPN can tunnel through an HTTP proxy. You can very easily make OpenVPN traffic appear just like SSL HTTPS traffic.

      * OpenVPN can use any TCP or UDP port number. What it will not do is change the application protocol to match what the traffic over that port should look like. For example, you raise the possibility that someone could use OpenVPN on the rsync port of 873. But that should be immediately detectable when you see that someone is passing data over port 873 which is not recognizable as an rsync connection.

      * The very fact that OpenVPN may use a 100% encrypted protocol is a marker in itself. If you have a firewall which blocks unrecognized application protocols, you will block OpenVPN.

      Some say that the OpenVPN connection is established at a lower level (TUN/TAP) than the one conventional HTTP proxy servers use for inspection, but MWG is not an ordinary proxy, is it?

      The only more or less constant parameter I found while looking for information on OpenVPN is the MSS/MTU size, which is smaller than that of other types of traffic. Although you can change it if you want... Can this parameter be used to configure detection and blocking on my MWG?

      I don't know, maybe MWG has deep packet inspection?

      What are the ways to detect and block such traffic? How can it be done on MWG?
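
The bullets quoted in the post come down to comparing the first client bytes on a connection with the protocol expected there. The check below does that for the start of a proxied tunnel, telling a TLS ClientHello apart from OpenVPN's TCP framing; it is an added illustration, not part of the original post and not McAfee Web Gateway rule syntax, and the function names, length bounds and sample bytes are constructed for this example.

```python
import struct

# Opcodes of the first packet an OpenVPN client sends (high 5 bits of the opcode byte).
CLIENT_HARD_RESET = {
    1: "P_CONTROL_HARD_RESET_CLIENT_V1",
    7: "P_CONTROL_HARD_RESET_CLIENT_V2",
    10: "P_CONTROL_HARD_RESET_CLIENT_V3",
}
MIN_RESET_LEN = 14    # opcode(1) + session id(8) + ack count(1) + packet id(4)
MAX_RESET_LEN = 2048  # assumption: sanity bound chosen for this example


def looks_like_tls_client_hello(data: bytes) -> bool:
    """TLS record: type 0x16 (handshake), version 3.x, length, then handshake type 0x01."""
    if len(data) < 6:
        return False
    rec_type, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    return (rec_type == 0x16 and major == 3 and minor <= 4
            and 0 < rec_len <= 16384 and data[5] == 0x01)


def looks_like_openvpn_tcp(data: bytes) -> bool:
    """OpenVPN over TCP: 16-bit length prefix, then opcode byte (opcode << 3 | key_id)."""
    if len(data) < 3:
        return False
    (pkt_len,) = struct.unpack("!H", data[:2])
    opcode, key_id = data[2] >> 3, data[2] & 0x07
    return (opcode in CLIENT_HARD_RESET and key_id == 0
            and MIN_RESET_LEN <= pkt_len <= MAX_RESET_LEN)


def classify_tunnel_start(data: bytes) -> str:
    """Label the first client bytes seen inside a proxied tunnel."""
    if looks_like_tls_client_hello(data):
        return "tls"
    if looks_like_openvpn_tcp(data):
        return "openvpn-tcp"
    return "unrecognized"


# Constructed samples (not captured traffic).
SAMPLES = {
    "https": bytes.fromhex("16030100c8010000c40303") + bytes(32),
    "openvpn": bytes.fromhex("000e38") + bytes(range(8)) + bytes(5),
    "rsync": b"@RSYNCD: 31.0\n",
}

if __name__ == "__main__":
    for name, first_bytes in SAMPLES.items():
        print(f"{name:8} -> {classify_tunnel_start(first_bytes)}")
```

OpenVPN carried inside a genuine TLS session classifies as `tls` here, and an obfuscation layer yields `unrecognized`, which is the case the third bullet covers.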