It's not going to be possible to block all VPNs. If the users are smart and they have their own Internet connection at home, then they can set up a SOCKS VPN proxy server on a PC on their home network and use dynamic DNS to reach their home PC. If you discover the traffic, they can just reboot their home cable modem or whatever and get a fresh IP, or change the listening port.
You really can only block the commercial or popular VPN servers out there, to prevent the users who don't understand networking and are the point-and-click types from accessing the commercial services. And most organizations that do this have found it a lot easier to just pay a commercial firewall provider like Palo Alto to maintain the block lists for them. You can start here: https://unit42.paloaltonetworks.com/person-vpn-network-visibility/

Keep in mind that many of the commercial firewall providers play both sides against each other. For example, Fortinet sells firewalls designed to block VPNs, and on the same firewall that you can configure to block VPNs going out from your internal network to VPN providers, you can set that same firewall device up to provide "crypto VPNs" to your users that are designed to evade other people's firewalls (if your users are remoting in from someone else's network). The irony is rather amusing.

The only way I've ever seen true blocking work is when a company has a policy that prohibits most employees, with the exception of permitted ones, from accessing the Internet completely. That is, no web browsing, no Zoom, no nothing. And that is VERY appropriate for certain classes of employees. A checker in a grocery store has no need to be able to surf the web from their cash register that is running on a PC, for example. So you list all the IPs of those registers in your firewall for complete outbound blocks.

But if you do that, all your good employees who are NOT abusing your Internet service are going to quit on you, and the bad apples who are using it for gaming, watching porn, and so on, on company time, will just bring their cell phones into the office and use cell carriers for an Internet connection on personal cell phones and waste their time that way. You cannot cover up CEO timidity on managing their people with technology.
You will just piss off the good eggs, who will say "I don't need this shit" and quit on you, leaving the bad eggs who nobody else will hire and you are unwilling to fire because you are scared of them. And if you block the bad eggs from wasting time on the Internet, they will find plenty of other ways to waste time.

Putting IT as the opponent to users never works. Users just quit going to IT with their problems and find other solutions (like personal VPNs) which most of the time cause more problems. It may seem counterintuitive, but the most productive companies out there unblock everything, have everyone sign AUPs that prohibit obvious crap like online gaming, porn, online gambling, personal shopping (except during lunch hour), and in general treat employees like adults and trust them, and make it clear that there is safe harbor for any employee who reports another employee violating that trust (for any reason). The only exceptions to this are certain kinds of transactions (such as cash handling), and the fact is the good eggs WANT IT monitoring that sort of thing just to protect themselves from being accused of theft, etc.

One of the biggest problems in HR today is HR departments being forced by the executive board to cover up malfeasance by managers, directors, and members of the C suite. Stories of "secretary banging the boss, was reported to HR, and they fired the person reporting it" are legion and are the quickest way to ruin your corporate culture and lose your talent. A CEO absolutely needs to shut this sort of behavior down in their corporate culture.

One of the largest markets for firewall companies that make VPN blockers is schools, particularly high schools. That's because you have an organization that by default pits the students against the administration. The last thing any company owner should want is to seek to duplicate that kind of environment in their company.
Ted

-----Original Message-----
From: PLUG <[email protected]> On Behalf Of Ishak Micheil
Sent: Tuesday, April 18, 2023 8:38 AM
To: Portland Linux/Unix Group <[email protected]>
Subject: [PLUG] 3rd party vpn Defense evasion

Greetings,

I am tasked to identify a solution for detecting users obfuscating their IP using a variety of VPN services.

What we've done:
- Prevent users from installing software (VPN clients)
- Possibly having code on endpoints to collect IP addresses tied to the Wi-Fi or LAN connection prior to attaching to a VPN service

Any other ideas?
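As an added illustration of the block-list approach Ted describes (matching outbound destinations against a vendor-maintained list of VPN provider ranges) and of its limit (a tunnel to a PC on a home connection is not on any such list), here is a small Python detector run over constructed firewall log lines. This is example code written for this thread, not anything from Palo Alto, Fortinet, or the PLUG list; the key=value log format, the provider names, and the RFC 5737 documentation addresses standing in for provider ranges and for the "home PC" are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed stand-in for a vendor-maintained list of VPN provider egress
# ranges (the kind of list a firewall vendor sells). These are RFC 5737
# documentation networks, not real provider addresses.
VPN_PROVIDER_RANGES = {
    "example-vpn-a": ["203.0.113.0/24"],
    "example-vpn-b": ["198.51.100.0/25"],
}

# Constructed firewall log lines in a simple key=value format. The last line
# models the evasion case from the thread: an employee tunnelling to a PC on a
# residential connection (192.0.2.77 is a placeholder) that no provider list
# will ever contain.
SAMPLE_LOG = """\
ts=2023-04-18T08:40:01 src=10.20.5.17 dst=203.0.113.45 proto=udp dport=1194 action=allow
ts=2023-04-18T08:40:02 src=10.20.5.17 dst=203.0.113.45 proto=udp dport=1194 action=allow
ts=2023-04-18T08:41:10 src=10.20.7.3 dst=198.51.100.200 proto=tcp dport=443 action=allow
ts=2023-04-18T08:42:00 src=10.20.5.22 dst=198.51.100.9 proto=tcp dport=443 action=allow
ts=2023-04-18T08:43:30 src=10.20.5.40 dst=192.0.2.77 proto=tcp dport=1080 action=allow
"""


def compile_ranges(provider_ranges):
    """Turn {provider: [cidr, ...]} into a list of (provider, ip_network)."""
    compiled = []
    for provider, cidrs in provider_ranges.items():
        for cidr in cidrs:
            compiled.append((provider, ipaddress.ip_network(cidr, strict=True)))
    return compiled


def parse_line(line):
    """Parse one key=value log line into a dict; returns None on malformed input."""
    fields = {}
    for token in line.split():
        if "=" not in token:
            return None
        key, _, value = token.partition("=")
        fields[key] = value
    if not all(k in fields for k in ("src", "dst", "dport")):
        return None
    return fields


def lookup_provider(dst, compiled):
    """Return the provider whose range contains dst, or None if it is unlisted."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return None
    for provider, network in compiled:
        if addr in network:
            return provider
    return None


def scan_log(log_text, provider_ranges):
    """Return one finding per log line whose destination is on the block list."""
    compiled = compile_ranges(provider_ranges)
    findings = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        provider = lookup_provider(fields["dst"], compiled)
        if provider is not None:
            findings.append({"src": fields["src"], "dst": fields["dst"],
                             "dport": fields["dport"], "provider": provider})
    return findings


def hosts_by_provider(findings):
    """Aggregate findings into {internal host: {provider: hit count}}."""
    summary = defaultdict(lambda: defaultdict(int))
    for finding in findings:
        summary[finding["src"]][finding["provider"]] += 1
    return {src: dict(counts) for src, counts in summary.items()}


if __name__ == "__main__":
    report = hosts_by_provider(scan_log(SAMPLE_LOG, VPN_PROVIDER_RANGES))
    for src, counts in report.items():
        print(src, counts)
```

Running it flags the two internal hosts talking to listed ranges and says nothing about the host on the last line, which is exactly the gap the reply describes: a list-based control only catches destinations someone has already catalogued, so a per-host summary like this is useful for the point-and-click cases and should not be read as proof that nobody else is tunnelling out.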
