How to block VPN connections USG60W

Hi, I'm new here. 

I have USG60W, all cool, but I have a big annoying problem with VPN clients because my users are using VPN client to bypass my Security Policies, Patrol and Content Filtering.

I got contact with ZYxel SUpport but they only send me the same that I already viewed around the web (Use Patrol to block VPN tunneling and Proxy) and block knowing VPN protocols.

I have that already configured on my USG60W, but I still use VPN clients to bypass my policies, and at this point I very anxious to find a solution.

I read is hard to block VPN in many devices (firewalls), so, I want to know a Success Case of you guys solving this problem.

For now, I have a BMW to assign only 30% of my bandwidth to that devices that can use VPN (Like Personal Phone that I can't manage), But is not enough for me.

Thank you guys in advance for any reply of this.

Stay safe, bye.

All Replies

  • PeterUK
    PeterUK Posts: 1,048  Guru Member

    Depending on the VPN it can be hard to block.

    To start with you limit what services go from LAN to WAN like DNS (and limit to given DNS servers), HTTP and HTTPS

    If the clients use a VPN that HTTPS then its going to be next to impossible.

    If the clients use DNS to then connect to the the VPN you can use WILDCARD FQDN and block it but if they are smart and use a IP then you have to know the IP.


  • jasailafan
    jasailafan Posts: 129  Ally Member
    You can follow the suggestions in this post to block regular VPN ports from LAN to WAN.
    AH(51), ESP(50), IKE(500), NATT(4500), PPTP(1723), PPTP tunnel(47), OpenVPN(1194)

  • mMontana
    mMontana Posts: 287  Master Member
    The suggestion for jasailafan is good, but it will block only well known ports.
    Are you aware of the "brand" of VPN that your users are using?

Security Highlight