Browsec VPN List

Hi!

Do you have a list subscription to block the Browsec VPN extension?

Students are also using this to bypass filtering.

I was able to block it by adding the following to a block list:

trafcfy.com
browsec.com
postlm.com
postls.com

But an official list, including other VPN bypass tools, from Adam:ONE is most welcome.

Thanks!

Aside from Browsec VPN, the following browser extensions are also bypassing adam:one

touchvpn.net
blaze vpn
snap vpn
ultrasurf
freevpnplanet.com
VPN Proxy VeePN

Any way to stop those from connecting?

Browsec uses IPSec/IKEv2 protocol for mobile app connections (block egress on ports 500 & 4500), while the browser extensions use a TLS HTTP Proxy.

I’d start with blocking SCALAXY-AS (58061), specifically:
5.45.72.0/24 (*.futmail.com, il-maybe.keenineer.com)
5.61.50.0/24
5.63.159.0/24 (*.cloudvps.regruhosting.ru)
HETZNER-CLOUD3-AS (212317):
5.78.65.0/24 (*.clients.your-server.de)
TIMEWEB-AS (9123):
176.53.163.214 (*.tmweb.ru)
81.200.145.153 (*.tw1.ru)
DIGITALOCEAN-ASN (14061):
159.65.200.56
LANTELECOM-AS (31633):
91.192.128.102 (span.lan-telecom.net)
And
23.106.56.0/24

These are cloud-housed endpoints, so you “could” accidentally block something, but I doubt it. Also, this is just what I can dig up real quick. Depending on your location, I would limit traffic “off-continent” if possible.

If you manage the devices, I would block the extension using policy.

By no means a “complete” answer, but if it helps…

*.brwsc.org
openvpn.browsec.com
*.postls.com
*.postlm.com (s.postlm.com)
*.lunrac.com

Results: 10 Time: 26.02s

CN=*.brwsc.org, C=EU, O=Browsec LLC, OU=MongoDB

Browsec CA
2019-09-09 — 2029-09-06
*.brwsc.org

CN=*.brwsc.org, C=EU, O=Browsec LLC, OU=mongo1

Browsec CA
2019-10-04 — 2029-10-01
*.brwsc.org

name=OpenVPN, emailAddress=admin@browsec.com, C=US, ST=CA, L=SunFrancisco, O=Browsec, LLC, OU=Production, CN=openvpn.browsec.com, name=OpenVPN, emailAddress=admin@browsec.com

Browsec
2020-10-29 — 2030-10-27
openvpn.browsec.com

C=RU, ST=Novosibirsk Oblast, L=Novosibirsk, O=Browsec LLC, CN=postls.com

StartCom Class 3 OV Server CA
2016-06-30 — 2019-06-30
*.postls.com, postls.com

C=RU, ST=Novosibirsk Oblast, L=Novosibirsk, O=Browsec LLC, CN=s.postlm.com

StartCom Class 3 OV Server CA
2016-07-01 — 2019-07-01
*.postlm.com, s.postlm.com

C=RU, ST=Novosibirsk Oblast, L=Novosibirsk, O=Browsec LLC, CN=s.postls.com

StartCom Class 3 OV Server CA
2016-07-01 — 2019-07-01
*.postls.com, s.postls.com

C=RU, ST=Novosibirsk Oblast, L=Novosibirsk, O=Browsec LLC, CN=postlm.com

StartCom Class 3 OV Server CA
2016-06-30 — 2019-06-30
*.postlm.com, postlm.com

C=RU, ST=Novosibirsk Oblast, L=Novosibirsk, O=Browsec LLC, CN=lunrac.com

StartCom Class 3 OV Server CA
2016-01-20 — 2019-01-20
*.lunrac.com, lunrac.com, www.lunrac.com

C=RU, ST=Novosibirsk Oblast, L=Novosibirsk, O=Browsec LLC, CN=postlm.com

StartCom Class 3 OV Server CA
2016-07-01 — 2019-07-01
*.postlm.com, postlm.com

C=RU, ST=Novosibirsk Oblast, L=Novosibirsk, O=Browsec LLC, CN=postls.com

StartCom Class 3 OV Server CA
2016-07-01 — 2019-07-01
*.postls.com, postls.com

Great info there @Douglas_C

@edanpedragosa are you using DTTS? It should block most VPNs de facto. If you don’t, then you’d have to create custom firewall rules in your router OS to block the endpoints, along with ensuring they don’t make it onto your adam:ONE policies, which is pretty easy with whitelists; but on a default-allow policy you might want to add them to a blacklist just to be safe.

Yes, I did all those already to block Browsec.

There are other tools still that need blocking, e.g.:

touchvpn.net
blaze vpn
snap vpn
ultrasurf
freevpnplanet.com
VPN Proxy VeePN

I already have set policies for our managed devices but devices we don’t control are still jumping for joy.

I hope Adam:ONE can provide an official block list that we can subscribe to stop the joy of those unblock tools from the gateway filter itself. I know they can make one, they’re the experts.

edanpedragosa:

@atw: are you using DTTS? As it should block most VPNs de-facto.

atw’s recommendation is to use DTTS – something I agree with. Squashing every VPN/app that pops up would have to be someone’s full-time job. While I don’t work for them, I’m assuming this is probably outside the scope of the product.

DTTS is available at the “Business” subscription level (Get adam:ONE® | ADAMnetworks) at a $80 price point – plus the $800(!) onboarding package (although I don’t know how it works if you’re an existing customer – would be nice to know).

If these are not viable options for you, the only other thing I can think to recommend is to use a transparent proxy with SSL intercept and deep packet inspection. Which, again, is outside of the scope I believe.

If you have any more questions, I’ll try to help as best I can

I assumed the coloring was for emphasis, so try this:

80.254.112.116 (116.112.254.80.donpac.ru)
ROSTOV-TELEGRAF-AS PJSC Rostelecom Rostov-na-Dony (21479) – Rostov, Russia

64.227.26.40
DIGITALOCEAN-ASN (14061) – New Jersey, United States

161.35.54.85
DIGITALOCEAN-ASN (14061) – New Jersey, United States

18.236.83.7 (ec2-18-236-83-7.us-west-2.compute.amazonaws.com)
AMAZON-02 (16509) – Oregon, United States

154.53.45.244 (host.contabo.net)
CONTABO (40021) – Missouri, United States

162.14.208.141
TENCENT-NET-AP Shenzhen Tencent Computer Systems Company Limited (45090) – Beijing, China

50.116.54.157 (ip-50-116-54-157.cloudezapp.io)
AKAMAI-AP Akamai Technologies, Inc. (63949) – New Jersey, United States

78.46.78.226 (tvoirecepty.ru)
HETZNER-AS (24940) – North Rhine-Westphalia, Germany

112.121.100.249 (landscape.ics.com.tw)
DIGICENTRE-TW DigiCentre Company Limited (7532) – Taiwan, Taiwan

2001:0DF1:7800:0002:0000:0000:0007:603A
CRI-AS-AP CV. Rumahweb Indonesia (58487) – Jakarta, Indonesia

5.78.65.239 (static.239.65.78.5.clients.your-server.de)
HETZNER-CLOUD3-AS (212317) – Oregon, United States

as well as

CN=167.71.19.131
OpenVPN Web CA 2021.11.08 07:58:46 UTC veepn
2021-11-07 — 2022-11-08
167.71.19.131

CN=cnazure-veepn-dr
cnazure-veepn-dr
2017-09-09 — 2027-09-07
cnazure-veepn-dr, cnazure-veepn-dr.yhcaldgdn0pethkpvt2o0it4jb.ex.internal.cloudapp.net

You can also always use Wireshark (https://www.wireshark.org) to discover what these extensions are connecting to, or audit the firewall logs. But you’ll quickly discover what a Sisyphean task this is.

You could try to stack NextDNS with your current resolvers using DNSHarmony. NextDNS has a category to block VPN/bypass methods, but I’m not sure how exhaustive it is. You would need to disable the NextDNS block page in its settings (they return 0.0.0.0 instead of NXDOMAIN), and set it up as a custom resolver in ADAM:one (My Dashboard).

Yes, we are using DTTS and those browser extensions still find their way out.

Browsec is already blocked.

The following are still finding their way out:

touchvpn.net
blaze vpn
snap vpn
ultrasurf
freevpnplanet.com
VPN Proxy VeePN

The coloring tag is automatically done by this site depending probably on keywords.

As for:

“probably outside the scope of the product.”

It should be within their scope as a content filtering product; we subscribed to this service because it can block PSIPHON. That is why, if possible, I’m requesting an official Adam:ONE released block list rule that we can just turn on from our dashboards.

I’ve been doing a whack-a-mole thing prior to Adam:ONE subscription so I’m comfortable to say that the experts at Adam:ONE can soon come up with a solution.

From the main page (Products->adam:one elements):

“Don’t Talk to Strangers (DTTS)®
Trap your attackers. Shut them down WITHOUT the need of detection.
(European, US and Canadian patents 2020).
Zero Trust Egress control that denies all outbound IP connections unless verified by an approved DNS lookup. This bulletproofs DNS based filtering to prevent circumvention by direct IP connections; advanced circumvention tools like Psiphon / TOR; or systemic failure of DNS based filtering by VPNs, DoH and DoT.
The net result is preventing all C2 malware that use direct outbound connections as part of the attack vector from executing. As well as providing immunity against data extortion by preventing exfiltration of data from the protected network.”

I freely admit I thought this was a core feature of the product suite, turns out it’s not. I would consider this a fancy firewall that does sort of have an identity crisis. However, I’m sure that any alternative from rivals coughCiscocough are out of this world expensive.

experts at Adam:ONE can soon come up with a solution.

They have: DTTS

It was, quite frankly, luck to get the DoH list released to base subscribers. But if you take a look at what it is – it’s just a forwarding list. Therefore, someone played “whack-a-mole” for us. Dollars to donuts this list isn’t the same as the “Tier 1” maintained for MSP providers, as I believe those lists are prefixed with “MSS |”.

If this isn’t something you can afford, maybe look here: Transparent proxy

Or, hopefully, they can hook you up with an MSP

As I’ve mentioned previously, we are already using DTTS and are also subscribed to MSS.

That is the very reason we subscribed to Adam:ONE, so someone can play ‘whack-a-mole’ for us and all we need to do is to turn on a switch to apply the new rule.

Are you running on Blacklisting policies?
If so, then the “whack-a-mole” game is still going.

Whitelisting is essential if you want to block VPNs, as some are now using domain names as well as IP addresses to connect, which makes the Blacklisting policies flawed.


We are not ready yet for Zero Trust.

I tried but was receiving too many unblock requests.

@Victor is correct. Blocking VPNs using a blacklist is not guaranteed. Neither does Adam networks offer any kind of guarantee for such.

A Whitelist policy is the only effective way to achieve what you’re after.
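To make concrete why a whitelist plus DNS-verified egress (the DTTS description quoted above, and Victor’s point about blacklists) closes the gap that a domain blacklist leaves open, here is an added, simplified model of that control. It is not adam:ONE’s code; the class, the allowlisted domain `example.edu` and the sample IPs are constructed for the illustration (5.78.65.239 is taken from the endpoint list earlier in this thread).

```python
"""Simplified model of DNS-verified egress control (the DTTS idea).

Rule: an outbound connection to an IP is permitted only if that IP was recently
returned by a DNS lookup for an approved (whitelisted) name. Direct-IP connections,
and IPs of names that were never approved, are denied because nothing verified them.
This is an added illustration, not adam:ONE's implementation.
"""
from dataclasses import dataclass, field


@dataclass
class EgressController:
    allowed_domains: frozenset                    # whitelist policy, e.g. {"example.edu"}
    verified: dict = field(default_factory=dict)  # destination IP -> expiry time (seconds)

    def _approved(self, qname: str) -> bool:
        """A name is approved if it equals, or sits under, a whitelisted domain."""
        qname = qname.rstrip(".").lower()
        return any(qname == d or qname.endswith("." + d) for d in self.allowed_domains)

    def on_dns_answer(self, qname: str, answers: list, ttl: int, now: float) -> list:
        """Resolver hook: only answers for approved names open egress to their IPs.

        Lookups for unapproved names return no answers and leave the table untouched.
        """
        if not self._approved(qname):
            return []
        for ip in answers:
            self.verified[ip] = now + ttl
        return list(answers)

    def egress_allowed(self, dst_ip: str, now: float) -> bool:
        """Firewall hook: permit only if dst_ip was verified by DNS and its TTL is still live."""
        expiry = self.verified.get(dst_ip)
        return expiry is not None and now < expiry


def demo() -> dict:
    """Constructed scenario: one approved lookup, one VPN lookup, one direct-IP attempt."""
    ctl = EgressController(allowed_domains=frozenset({"example.edu"}))
    ctl.on_dns_answer("lms.example.edu", ["203.0.113.10"], ttl=60, now=0.0)
    vpn = ctl.on_dns_answer("openvpn.browsec.com", ["203.0.113.77"], ttl=60, now=0.0)
    return {
        "approved_ok": ctl.egress_allowed("203.0.113.10", now=10.0),     # verified, within TTL
        "vpn_lookup": vpn,                                               # [] : name not approved
        "vpn_blocked": not ctl.egress_allowed("203.0.113.77", now=10.0),
        "direct_ip_blocked": not ctl.egress_allowed("5.78.65.239", now=10.0),  # never resolved
        "expired_blocked": not ctl.egress_allowed("203.0.113.10", now=61.0),   # TTL passed
    }
```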


https://raw.githubusercontent.com/hagezi/dns-blocklists/main/rpz/doh-vpn-proxy-bypass.txt
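The list above is published in RPZ (response policy zone) format, where an entry such as `browsec.com CNAME .` forces NXDOMAIN for that name and `*.browsec.com CNAME .` covers everything beneath it. As an added example (not part of the list’s project or of this thread), this small parser loads such a zone and checks whether the hostnames discussed earlier would be covered; the zone text is a constructed sample in that format, not the real list.

```python
"""Load an RPZ blocklist and test hostnames against it.

Only the NXDOMAIN action (CNAME .) is handled; other RPZ actions such as
CNAME *. (NODATA) or rpz-drop. are skipped. Added illustration with a constructed
sample zone; the real list at the URL above is much larger.
"""

RPZ_SAMPLE = """\
$TTL 300
@ SOA localhost. root.localhost. 1 3600 900 604800 300
  NS localhost.
; constructed entries using domains named in this thread
browsec.com CNAME .
*.browsec.com CNAME .
postlm.com CNAME .
*.postlm.com CNAME .
touchvpn.net CNAME .
*.touchvpn.net CNAME .
"""


def parse_rpz(text: str):
    """Return (exact, wildcard) sets of owner names that map to CNAME '.' (NXDOMAIN)."""
    exact, wildcard = set(), set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments and surrounding space
        if not line or line.startswith(("$", "@")):   # directives and the SOA record
            continue
        parts = line.split()
        if len(parts) != 3 or parts[1].upper() != "CNAME" or parts[2] != ".":
            continue                                 # skip NS line and non-NXDOMAIN actions
        owner = parts[0].rstrip(".").lower()
        if owner.startswith("*."):
            wildcard.add(owner[2:])
        else:
            exact.add(owner)
    return exact, wildcard


def is_blocked(name: str, exact: set, wildcard: set) -> bool:
    """RPZ semantics: exact owners match the name itself; '*.d' matches strict subdomains of d."""
    name = name.rstrip(".").lower()
    if name in exact:
        return True
    labels = name.split(".")
    return any(".".join(labels[i:]) in wildcard for i in range(1, len(labels)))
```

A default-allow policy still lets a tool that connects by raw IP through, which is the reason the thread keeps coming back to whitelisting and DTTS.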

Thanks I’ll add this to my block lists.