How can I prevent bypassing web authentication with Psiphon VPN?
How can I prevent bypassing web authentication with Psiphon VPN?
As the Wi-Fi service provider, we've discovered a problem. Even though users should log in with a username and password, they can avoid this by using Psiphon VPN. This means they get internet access without logging in. It's bad for our business. We need to fix this fast.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Tried same setup with my er605v2+eap-115 and results were same. Exclamation mark on WiFi icon indicating no internet connection but surfing web normally with psiphon pro running in background. Will conduct more tests later. Tried same thing with few public hotspots that require you to log-in (mikrotik,ubiquiti) and all of them exhibit same problem. Interesting....
- Copy Link
- Report Inappropriate Content
Thanks for posting in our business forum.
Alex_Mahone wrote
Please check your inbox. I have already sent the router configuration backup file. The firmware version of the router is 1.4.1 Build 20240117 Rel.57421, and the hardware version is V1.0.
Best Regards!
Here's the reply, it is doable.
Due to the portal landing page being necessary to be accessed, TCP/UDP 53 is allowed. Psiphon will use 53 to establish the VPN tunnel with the server. Which will bypass the portal authentication.
For this issue, you can set up ACL to stop this unauthorized connection. The goal is to block TCP and UDP 53.
Create a service with TCP and UDP 53. SRC port = All. DST = TCP/UDP 53.
Direction = LAN -> WAN
SRC IP = portal subnet.
DST IP = Any.
In addition to making it more secure, you can also set up DHCP.
One Allow, one deny. First one is Allow DNS. Second one is blocking. Note that the first entry is set to be !DNS_server. You also need to create this IP group in your Preference settings to specify your DNS server.
Pictures were zipped during the conversation. Yet, still readable.
BTW, it does not affect the afterwards connection. VPN still can function.
- Copy Link
- Report Inappropriate Content
It worked properly. Thank you for your helpful approach in fixing this issue. Your solution is incredibly valuable and truly appreciated. Thanks again.
Best Regards!
- Copy Link
- Report Inappropriate Content
@Clive_A hi, im facing the same challenge, could you pleaseshare with me the same information (HD pics)
- Copy Link
- Report Inappropriate Content
@Clive_A Hi , I'm facing a problem with Psiphon users hacking into my captive portal hotspot, and using my data. Could you please help me on how I can block Psiphon and other VPNS? I appreciate any help you can provide.
Kind regards.
- Copy Link
- Report Inappropriate Content
Hi @LADCRUST
LADCRUST wrote
@Clive_A Hi , I'm facing a problem with Psiphon users hacking into my captive portal hotspot, and using my data. Could you please help me on how I can block Psiphon and other VPNS? I appreciate any help you can provide.
Kind regards.
How to Configure ACL to Block Unauthorized VPN Clients Bypassing the Portal
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
@LADCRUST From what you've described, it seems that your current authentication method is tied to the SSID. This type of setup only works with the SSID broadcasted by the EAP245 and won't extend to the network behind the bridged access points.To make the authentication work with your third-party access points, you’ll need to ensure that the authentication method is set to 'Network' type instead of 'SSID' in the Omada controller. The 'Network' type authentication will allow devices connected to the third-party APs to be authenticated via the Omada system, even when bridged through the EAP245.Please check your Omada controller settings and verify the type of authentication you're using. If it's currently set to 'SSID', switching it to 'Network' should resolve the issue when bridging with the third-party APs.
- Copy Link
- Report Inappropriate Content
@Alex_Mahone okay, thank you. So, on that note, can I use the authentication method with the ER605 router only, using the LAN port, without the involvement of the EAP245? If its possible, will the configuration to block the VPNs be possible?
- Copy Link
- Report Inappropriate Content
Yes, you can achieve this by following these steps:
-
Create a New LAN Network:
- Start by setting up a new LAN network in your Omada controller specifically for your third-party access points.
-
Configure Authentication:
- Navigate to Authentication > Portal and select Network.
- Choose your newly created LAN network (e.g.,
NewLAN [Network]
) for the third-party access points.
-
Set VLAN ID on the ER605 Port:
- Assign the VLAN ID on the ER605 port that corresponds to the new LAN network.
-
Create ACL to Block VPN Bypassing Portal:
- Implement an Access Control List (ACL) to prevent VPN users from bypassing the portal authentication.
By following these steps, you’ll ensure that your third-party access points are properly integrated and secured within your network.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 2712
Replies: 20
Voters 0
No one has voted for it yet.