Block ProtonVPN

Hi!

Is there any list/rule subscription to explicitly block ProtonVPN?

The students are already on the Zero Trust Policy but ProtonVPN is still smiling.

Hey @edanpedragosa, looking at https://api.protonmail.ch/vpn/logicals it appears they are using protonvpn.net as the root domain for all their servers, so adding that to a block list with the sub-domains included option enabled should block all the servers.

Yes, I’ve done that but it can still smile with no problem.


The only thing that worked for now is the old whack a mole thing to block the following IP/CIDR:

I may be blocking too much right now, but at least it has stopped some from smiling at us until new moles have popped up.

I hope you can have a list subscription like PSIPHON for ProtonVPN, NordVPN, ExpressVPN, et cetera.
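As an added example (not adam:ONE code, and not anything posted in this thread), the script below turns the server list @atw points at into the two things the "whack a mole" post above was collecting by hand: one DNS rule for the root domain with sub-domains included, and a collapsed CIDR list for the direct-by-IP attempts. It assumes the JSON shape of https://api.protonmail.ch/vpn/logicals is a top-level "LogicalServers" array whose entries carry a "Domain" and a "Servers" list with "EntryIP"/"ExitIP" fields; the sample data is hand-written in that shape with RFC 5737 documentation addresses, so nothing is fetched.

```python
"""Derive DNS and IP block entries from a ProtonVPN-style server list.

Constructed example for this thread, not adam:ONE code.  The assumed API shape
is a top-level "LogicalServers" array with "Domain" and "Servers" entries
carrying "EntryIP" / "ExitIP".  SAMPLE_LOGICALS is hand-written in that shape
using documentation (RFC 5737) addresses; it is not real server data.
"""
import ipaddress
import json

ROOT_DOMAIN = "protonvpn.net"   # root domain named in the thread

# Constructed sample in the assumed API shape (not real server data).
SAMPLE_LOGICALS = json.dumps({
    "Code": 1000,
    "LogicalServers": [
        {"Name": "JP#1", "Domain": "node-jp-01.protonvpn.net",
         "Servers": [{"EntryIP": "203.0.113.16", "ExitIP": "203.0.113.16"},
                     {"EntryIP": "203.0.113.17", "ExitIP": "203.0.113.18"}]},
        {"Name": "JP#2", "Domain": "node-jp-01.protonvpn.net",
         "Servers": [{"EntryIP": "203.0.113.19", "ExitIP": "203.0.113.19"}]},
        {"Name": "SG#1", "Domain": "node-sg-01.protonvpn.net",
         "Servers": [{"EntryIP": "198.51.100.4", "ExitIP": "198.51.100.5"}]},
        # Constructed entry under a different root: a suffix rule on
        # protonvpn.net alone would miss it, which is why the IP list matters.
        {"Name": "XX#1", "Domain": "relay.example.org",
         "Servers": [{"EntryIP": "192.0.2.10", "ExitIP": "192.0.2.10"}]},
    ],
})


def is_under_root(domain, root=ROOT_DOMAIN):
    """True if domain equals root or is a sub-domain of it.

    The label boundary is checked so that e.g. notprotonvpn.net does not match.
    """
    domain = domain.lower().rstrip(".")
    return domain == root or domain.endswith("." + root)


def parse_logicals(raw):
    """Return (set of server domains, set of entry/exit IP objects)."""
    data = json.loads(raw)
    domains, ips = set(), set()
    for logical in data.get("LogicalServers", []):
        if logical.get("Domain"):
            domains.add(logical["Domain"].lower())
        for server in logical.get("Servers", []):
            for key in ("EntryIP", "ExitIP"):
                value = server.get(key)
                if value:
                    ips.add(ipaddress.ip_address(value))
    return domains, ips


def collapse_to_cidrs(ips):
    """Merge single addresses into the fewest exact covering networks.

    IPv4 and IPv6 are collapsed separately because the stdlib refuses to mix
    versions in one collapse_addresses() call.
    """
    out = []
    for version in (4, 6):
        nets = [ipaddress.ip_network(str(ip)) for ip in ips if ip.version == version]
        out.extend(str(n) for n in sorted(ipaddress.collapse_addresses(nets)))
    return out


def build_blocklist(raw, root=ROOT_DOMAIN):
    """One DNS rule for the root (sub-domains included) plus CIDRs for direct-by-IP.

    Domains outside the root are reported separately so they get their own rule.
    """
    domains, ips = parse_logicals(raw)
    return {
        "dns_block": [root],
        "outside_root": sorted(d for d in domains if not is_under_root(d, root)),
        "cidrs": collapse_to_cidrs(ips),
    }


if __name__ == "__main__":
    print(json.dumps(build_blocklist(SAMPLE_LOGICALS), indent=2))
```

The collapse only merges addresses that form exact aligned blocks (four consecutive addresses starting on a multiple of four become a /30), so the output never over-blocks the way a hand-widened CIDR can; anything the server list does not contain is simply not in it, which is the trade-off against the "blocking too much" approach above.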

@edanpedragosa you will want to review your enablers and allow rules because outside of the domain @atw mentions above, the only attempts are direct-by-IP, which DTTS® will block for you. If connections are successful, it means one or more of your Enablers or Rules are permitting the connection.

Yes David, you were right. Sorry for my nonsense noise…

Disabling the following rule makes ProtonVPN frown.

Now the issue is on how to make the messaging apps work again.
Voice and video calls do not work with that disabled.

Do you have any suggestions to allow messaging apps to work again?

For now, at least the following:

  • LINE App - from line.me
  • Facebook Messenger (not all of facebook)
  • WeChat
  • WhatsApp

Investigating it more on my part of the globe, it is trying to check and connect to the following ports:

  • 80
  • 443
  • 500 ipsec
  • 1194 openvpn
  • 1224 vpnz
  • 4500 ipsec
  • 4569
  • 4600 piranha1
  • 5060 sip
  • 7770-7800
  • 8443
  • 51820 wireguard

So I limited the opened UDP port range to not include those ports for now, to at least allow where those messaging apps usually connect.
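The "carve those ports out of the opened UDP range" step above, as an added example that is not adam:ONE code and was not posted in this thread: the port set is the one listed above (7770-7800 expanded), the allowed range and the log lines are constructed, and the log format ("TIME PROTO SRC:PORT -> DST:PORT") is an assumed shape, not real firewall output. Besides computing the sub-ranges to open, it scans sample lines for attempts that land on those ports, which is a quick way to confirm a rule is actually catching them.

```python
"""Carve VPN-typical ports out of an allowed UDP range and flag log lines that hit them.

Constructed example for this thread (not adam:ONE code).  VPN_PORTS is the list
posted above; SAMPLE_LOG is hand-written in an assumed
"TIME PROTO SRC:PORT -> DST:PORT" shape and is not real firewall output.
"""
import re

# Ports the post above reports being probed.  80 and 443 are kept because the
# post lists them; drop them if an enabler needs HTTP/3 (QUIC on 443/UDP).
VPN_PORTS = {80, 443, 500, 1194, 1224, 4500, 4569, 4600, 5060, 8443, 51820}
VPN_PORTS.update(range(7770, 7801))   # 7770-7800 inclusive


def allowed_ranges(low, high, excluded=VPN_PORTS):
    """Split [low, high] into the sub-ranges that avoid every excluded port.

    Returns a list of (lo, hi) tuples, inclusive on both ends.
    """
    ranges, start = [], low
    for port in sorted(p for p in excluded if low <= p <= high):
        if port > start:                  # skip when excluded ports are consecutive
            ranges.append((start, port - 1))
        start = port + 1
    if start <= high:
        ranges.append((start, high))
    return ranges


def port_allowed(port, ranges):
    """True if port falls inside one of the (lo, hi) ranges."""
    return any(lo <= port <= hi for lo, hi in ranges)


# Assumed log shape: "2024-03-01T08:00:01Z UDP 10.1.2.30:51234 -> 203.0.113.17:51820"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>UDP|TCP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def flag_vpn_attempts(lines, excluded=VPN_PORTS):
    """Return (dst, dport, proto) for every parseable line whose destination port is excluded."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:                          # unknown format: skip rather than guess
            continue
        dport = int(m.group("dport"))
        if dport in excluded:
            hits.append((m.group("dst"), dport, m.group("proto")))
    return hits


# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    "2024-03-01T08:00:01Z UDP 10.1.2.30:51234 -> 203.0.113.17:51820",
    "2024-03-01T08:00:02Z UDP 10.1.2.30:51235 -> 198.51.100.9:3478",
    "2024-03-01T08:00:03Z UDP 10.1.2.30:51236 -> 203.0.113.17:4500",
    "2024-03-01T08:00:04Z TCP 10.1.2.30:51237 -> 203.0.113.17:443",
    "malformed line that the parser must skip",
]


if __name__ == "__main__":
    for lo, hi in allowed_ranges(1024, 65535):
        print(f"allow UDP {lo}-{hi}")
    for dst, dport, proto in flag_vpn_attempts(SAMPLE_LOG):
        print(f"VPN-port attempt: {proto} -> {dst}:{dport}")
```

Port number alone is a weak signal for 80 and 443, since ordinary web traffic lands there too; for those, the destination domain or CIDR is what distinguishes a VPN attempt, so the port check is best read alongside the DNS/IP rules rather than instead of them.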

Thanks for letting us know. In short, what I’d recommend is you build dashboard-based enablers for the services you do need. Telegram and WhatsApp are already official enablers, but we don’t recommend or use WeChat, so we’ve never created an official one, but if you want to start a support session, we’ll help you build one. Same with Facebook Messenger.

@David

I now use dashboard-based enablers and it is working great as usual.

Dashboard-based enablers are very helpful, with the added benefit of being able to enable them for only selected policies.

Kudos to the team!
