Is there any way to block VPN clients through the home router? Any ports? How would I go about doing that?
Almost all routers let you login to them. Once logged in almost all routers have the ability to allow/disallow different types of VPN passthrough. Just look for that (or google it based on the type of router you have) and block the types of VPN you want to block.
You might get yelled at for asking a non-enterprise networking question here, but not by me.
There’s a lot of different kinds of VPN, so it depends what exactly you’re trying to accomplish.
An SSL-based VPN is going to be almost impossible to block – it uses port 443 TCP (HTTPS) and in some cases DTLS (which has no specific port), so to your router, it will basically just look like secured web traffic. You would need a transparent proxy that will terminate the SSL tunnel on itself and do inspection on the traffic after decrypting it.
PPTP (what RRAS in Windows Server uses typically) is port 1723 TCP. It also uses GRE (IP Protocol 47), but I doubt that your home router would allow you to specify anything but TCP or UDP ports, so you probably can’t block GRE.
Any IPSec related VPN (direct encapsulation, IPSec/L2TP, or IPSec/GRE) will rely on the Internet Key Exchange protocol, which is port 500 UDP. IPSec itself uses port 4500 UDP and IP Protocol 50 (Encapsulated Security Payload – which again, you probably can’t block, but if IKE doesn’t happen, the tunnel won’t come up).
You’re never going to block them all; look at the gateway tunneling provided by the Tor community, or SSH port forwarding, or TCP over DNS. Perhaps it would be better for you to tell us what you’re trying to stop getting through the various or talking to the people you’re trying to block?
Which type of VPN, routers? If you’re speaking of consumer routers, some of them you have to implicitly turn on IPsec passthrough. PPTP is another story.
For IPsec VPNs the IP protocol number for ESP is 50 and AH is 51. IKE, used to set up IPsec VPNs, usually uses UDP ports 500 or 4500 depending on the NAT situation.
You just need some basic firewall rules to drop packets with these parameters. Now for SSL VPN traffic I’m not really sure. I know OpenVPN defaults to UDP 1149 (or something like that).
That’s really helpful. Thanks for taking the time to type this out, I just blocked all of these ports but a VPN client named Tunnel Bear (www.tunnelbear.com) still appears to be working and loading websites.
You’re right, at least I learned some new things out of this.
I’m using an ASUS RT N56U. Trying to block a VPN client named Tunnel Bear (www.tunnelbear.com) from working. Blocked a lot of different ports but TunnelBear still works.
Blocking OpenVPN and going to test it out. Right now I’m testing Tunnel Bear (www.tunnelbear.com) to see if it can be blocked, so far blocking the ports mentioned by others here hasn’t worked.
Some quick searching around seems to point to TunnelBear being a form of an SSL VPN.
Unfortunately, you probably won’t be able to block this with any consumer router since it just looks like web traffic.
Sorry, misspoke. OpenVPN uses 1194.
What about Hotspot Shield?
Here’s a screenshot of some of the ports I’ve blocked so far (not sure if I’m doing it properly) http://i.imgur.com/ju27I.png?1.
OpenVPN uses whatever port you want. Mine’s set to 443.
Thanks, I decided not to do it because all of the VPN’s can’t be blocked.
One thing … you’re blocking port 47 … that “47” I mentioned is IP Protocol 47. It’s totally separate from TCP or UDP (in fact, it replaces those in the network stack).
Hotspot Shield is also SSL/HTTPS based.
Hence the use of the word default.
Okay, thanks for letting me know. Apparently I can only block TCP/UDP, not IP protocol ports.
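Added example, not code from anyone in this thread: a small simulated packet filter that takes the PPTP, IKE, IPsec and OpenVPN signatures the commenters listed and shows the difference between rules a consumer router UI can express (TCP/UDP plus a port number) and rules that match on the raw IP protocol field (GRE 47, ESP 50, AH 51). It also includes the "TCP port 47" rule from the screenshot discussion to show why that never matches GRE, and a TCP/443 packet to show why SSL-style VPN traffic passes either rule set. All packets are constructed sample data; the `as_iptables` method only renders rule strings (iptables accepts `-p 47` for a protocol number) and applies nothing.

```python
# Added example (not from any commenter): a toy packet filter that shows
# which of the VPN signatures named in the thread a TCP/UDP-port-only rule
# set can match, and which need rules on the raw IP protocol number.
# All packets below are constructed sample data.
from dataclasses import dataclass
from typing import List, Optional

# IANA IP protocol numbers mentioned in the thread
PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_ESP, PROTO_AH = 6, 17, 47, 50, 51


@dataclass(frozen=True)
class Packet:
    proto: int                    # IP protocol number from the IP header
    dport: Optional[int] = None   # destination port; None for GRE/ESP/AH (no TCP/UDP header)
    label: str = ""               # description of the constructed sample


@dataclass(frozen=True)
class Rule:
    proto: int
    dport: Optional[int] = None   # None: match the whole IP protocol regardless of port
    note: str = ""

    def matches(self, pkt: Packet) -> bool:
        # A port rule can only match packets that carry that transport protocol.
        if pkt.proto != self.proto:
            return False
        return self.dport is None or pkt.dport == self.dport

    def as_iptables(self, chain: str = "FORWARD") -> str:
        """Render as an iptables rule string (nothing is applied)."""
        if self.dport is None:
            return f"iptables -A {chain} -p {self.proto} -j DROP"
        name = "tcp" if self.proto == PROTO_TCP else "udp"
        return f"iptables -A {chain} -p {name} --dport {self.dport} -j DROP"


# What a consumer router UI (TCP/UDP + port only) can express
CONSUMER_RULES: List[Rule] = [
    Rule(PROTO_TCP, 1723, "PPTP control"),
    Rule(PROTO_UDP, 500, "IKE"),
    Rule(PROTO_UDP, 4500, "IKE NAT-T / UDP-encapsulated ESP"),
    Rule(PROTO_UDP, 1194, "OpenVPN default port"),
    Rule(PROTO_TCP, 47, "mistaken 'TCP port 47'"),  # the thread's confusion; not GRE
]

# What additionally needs a firewall that matches on the IP protocol field
PROTOCOL_RULES: List[Rule] = [
    Rule(PROTO_GRE, None, "GRE (PPTP data)"),
    Rule(PROTO_ESP, None, "ESP (IPsec)"),
    Rule(PROTO_AH, None, "AH (IPsec)"),
]

# Constructed sample traffic, one packet per scenario discussed
SAMPLE_PACKETS: List[Packet] = [
    Packet(PROTO_TCP, 1723, "PPTP control channel"),
    Packet(PROTO_GRE, None, "PPTP data (GRE)"),
    Packet(PROTO_UDP, 500, "IKE negotiation"),
    Packet(PROTO_ESP, None, "IPsec ESP payload"),
    Packet(PROTO_UDP, 1194, "OpenVPN on its default port"),
    Packet(PROTO_TCP, 443, "SSL VPN or OpenVPN on 443; looks like HTTPS"),
]


def classify(pkt: Packet, rules: List[Rule]) -> Optional[str]:
    """Return the note of the first rule that drops pkt, or None if it passes."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.note
    return None


def run_filter(rules: List[Rule]) -> dict:
    """Map each sample packet's label to the rule that dropped it (None = passes)."""
    return {pkt.label: classify(pkt, rules) for pkt in SAMPLE_PACKETS}


if __name__ == "__main__":
    for name, rules in (("consumer", CONSUMER_RULES),
                        ("consumer+protocol", CONSUMER_RULES + PROTOCOL_RULES)):
        print(f"--- {name} rule set ---")
        for label, verdict in run_filter(rules).items():
            print(f"{label:50} -> {verdict or 'PASSES'}")
    print("--- rendered iptables rules (not applied) ---")
    for rule in CONSUMER_RULES[:4] + PROTOCOL_RULES:
        print(rule.as_iptables())
```

Running it shows the GRE and ESP packets passing the consumer rule set even with "port 47" blocked, being dropped only once the protocol-number rules are added, and the TCP/443 packet passing both rule sets, which is the limit the thread arrives at: a port filter cannot tell an SSL VPN from ordinary HTTPS.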
Looks like I’ll need to just forget about trying to block VPN access then.