Business Community > Routers > How can I prevent bypassing web authentication with Psiphon VPN?
< Routers

How can I prevent bypassing web authentication with Psiphon VPN?

12

How can I prevent bypassing web authentication with Psiphon VPN?

20 Reply
Re:How can I prevent bypassing web authentication with Psiphon VPN?
2024-03-27 09:48:40

  @Alex_Mahone 

 

Tried same setup with my er605v2+eap-115 and results were same. Exclamation mark on WiFi icon indicating no internet connection but surfing web normally with psiphon pro running in background. Will conduct more tests later. Tried same thing with few public hotspots that require you to log-in (mikrotik,ubiquiti) and all of them exhibit same problem.  Interesting....

  0  
  0  
#12
Options
Re:How can I prevent bypassing web authentication with Psiphon VPN?-Solution
2024-03-29 05:48:27 - last edited 2024-03-29 05:51:34

Hi @Alex_Mahone   @dariana_dev 

Thanks for posting in our business forum.

Alex_Mahone wrote

  @Clive_A 

 

Please check your inbox. I have already sent the router configuration backup file. The firmware version of the router is 1.4.1 Build 20240117 Rel.57421, and the hardware version is V1.0.

Best Regards!

Here's the reply, it is doable.

Due to the portal landing page being necessary to be accessed, TCP/UDP 53 is allowed. Psiphon will use 53 to establish the VPN tunnel with the server. Which will bypass the portal authentication.

 

For this issue, you can set up ACL to stop this unauthorized connection. The goal is to block TCP and UDP 53.

Create a service with TCP and UDP 53. SRC port = All. DST = TCP/UDP 53.

Direction = LAN -> WAN

SRC IP = portal subnet.

DST IP = Any.

 

In addition to making it more secure, you can also set up DHCP.

 

One Allow, one deny. First one is Allow DNS. Second one is blocking. Note that the first entry is set to be !DNS_server. You also need to create this IP group in your Preference settings to specify your DNS server.

 

Pictures were zipped during the conversation. Yet, still readable.

 

BTW, it does not affect the afterwards connection. VPN still can function.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
Recommended Solution
  1  
  1  
#13
Options
Re:How can I prevent bypassing web authentication with Psiphon VPN?
2024-04-01 13:18:32

  @Clive_A 

It worked properly. Thank you for your helpful approach in fixing this issue. Your solution is incredibly valuable and truly appreciated. Thanks again.

Best Regards!

  1  
  1  
#14
Options
Re:How can I prevent bypassing web authentication with Psiphon VPN?
2024-07-04 17:35:40

  @Clive_A  hi, im facing the same challenge, could you pleaseshare with me the same information (HD pics) 

  0  
  0  
#15
Options
Re:How can I prevent bypassing web authentication with Psiphon VPN?
2024-07-04 17:41:51

  @Clive_A  Hi , I'm facing a problem with Psiphon users hacking into my captive portal hotspot, and using my data. Could you please help me on how I can block Psiphon and other VPNS? I appreciate any help you can provide.
Kind regards.

  0  
  0  
#16
Options
Re:How can I prevent bypassing web authentication with Psiphon VPN?-Solution
2024-07-05 01:16:21 - last edited 2024-07-08 01:15:31

Hi  @LADCRUST 

LADCRUST wrote

  @Clive_A  Hi , I'm facing a problem with Psiphon users hacking into my captive portal hotspot, and using my data. Could you please help me on how I can block Psiphon and other VPNS? I appreciate any help you can provide.
Kind regards.

How to Configure ACL to Block Unauthorized VPN Clients Bypassing the Portal

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
Recommended Solution
  1  
  1  
#17
Options
Re:How can I prevent bypassing web authentication with Psiphon VPN?
2024-08-19 08:04:09
Thank you, it worked. Regarding the same topic, I have created a setup to distribute WiFi over a 2km radius, whereby authentication is required. I want to use TP-Link ER605, eap245, and some 3rd party Outdoor Access Points ( Ruijie RAP6262 (G). I'm using Omada for authentication, but only EAP245 works for authentication process. When I connect the 2nd ethernet Port (Bridge port) of the EAP245 to the 3rd part APs, authentication doesn't. Please help me with how I can integrate the authentication of Omada, using TP-Link ER605, EAP245, and 3rd party Access Points. 
  0  
  0  
#18
Options
Re:How can I prevent bypassing web authentication with Psiphon VPN?
2024-08-19 15:28:23

  @LADCRUST From what you've described, it seems that your current authentication method is tied to the SSID. This type of setup only works with the SSID broadcasted by the EAP245 and won't extend to the network behind the bridged access points.To make the authentication work with your third-party access points, you’ll need to ensure that the authentication method is set to 'Network' type instead of 'SSID' in the Omada controller. The 'Network' type authentication will allow devices connected to the third-party APs to be authenticated via the Omada system, even when bridged through the EAP245.Please check your Omada controller settings and verify the type of authentication you're using. If it's currently set to 'SSID', switching it to 'Network' should resolve the issue when bridging with the third-party APs.

  0  
  0  
#19
Options
Re:How can I prevent bypassing web authentication with Psiphon VPN?
2024-08-19 17:11:23

  @Alex_Mahone okay, thank you. So, on that note, can I use the authentication method with the ER605 router only, using the LAN port, without the involvement of the EAP245? If its possible, will the configuration to block the VPNs be possible?

  0  
  0  
#20
Options
Re:How can I prevent bypassing web authentication with Psiphon VPN?
2024-08-20 04:50:07

  @LADCRUST 

Yes, you can achieve this by following these steps:

  1. Create a New LAN Network:

    • Start by setting up a new LAN network in your Omada controller specifically for your third-party access points.

  2. Configure Authentication:

    • Navigate to Authentication > Portal and select Network.
    • Choose your newly created LAN network (e.g., NewLAN [Network]) for the third-party access points.

  3. Set VLAN ID on the ER605 Port:

    • Assign the VLAN ID on the ER605 port that corresponds to the new LAN network.

  4. Create ACL to Block VPN Bypassing Portal:

    • Implement an Access Control List (ACL) to prevent VPN users from bypassing the portal authentication.

By following these steps, you’ll ensure that your third-party access points are properly integrated and secured within your network.

  0  
  0  
#21
Options
12

Tags

Gateway ACL Highlighted Thread
Related Articles
Having troubles with Web Group Filtering
747 0
Block router web interface on Omada Controller
294 0
SNMPv3 Authentication Method and Encryption Type
1061 2
 Secured Admin, Home, IoT, Cameras and Guest VLAN using Gateway ACL
4811 19
Disconnecting every 5 minutes
1176 0
Next-Server for ER7206 - 6 months in.
911 1
About Us
Press
Copyright © TP-Link Systems Inc. All rights reserved.