How to block VPN connections USG60W

Options
Hi, I'm new here. 

I have USG60W, all cool, but I have a big annoying problem with VPN clients because my users are using VPN client to bypass my Security Policies, Patrol and Content Filtering.

I got contact with ZYxel SUpport but they only send me the same that I already viewed around the web (Use Patrol to block VPN tunneling and Proxy) and block knowing VPN protocols.

I have that already configured on my USG60W, but I still use VPN clients to bypass my policies, and at this point I very anxious to find a solution.

I read is hard to block VPN in many devices (firewalls), so, I want to know a Success Case of you guys solving this problem.

For now, I have a BMW to assign only 30% of my bandwidth to that devices that can use VPN (Like Personal Phone that I can't manage), But is not enough for me.

Thank you guys in advance for any reply of this.

Stay safe, bye.

All Replies

  • PeterUK
    PeterUK Posts: 2,985  Guru Member
    Community MVP First Anniversary 10 Comments Friend Collector
    Options

    Depending on the VPN it can be hard to block.

    To start with you limit what services go from LAN to WAN like DNS (and limit to given DNS servers), HTTP and HTTPS

    If the clients use a VPN that HTTPS then its going to be next to impossible.

    If the clients use DNS to then connect to the the VPN you can use WILDCARD FQDN and block it but if they are smart and use a IP then you have to know the IP.


  • jasailafan
    jasailafan Posts: 193  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    You can follow the suggestions in this post to block regular VPN ports from LAN to WAN.
    AH(51), ESP(50), IKE(500), NATT(4500), PPTP(1723), PPTP tunnel(47), OpenVPN(1194)

  • mMontana
    mMontana Posts: 1,351  Guru Member
    Community MVP First Anniversary 10 Comments Friend Collector
    Options
    The suggestion for jasailafan is good, but it will block only well known ports.
    Are you aware of the "brand" of VPN that your users are using?

Security Highlight