Is it possible (how) to block VPN?

I try to block the internet overnight with firewall rules, but my kids started to use a VPN connection to avoid such blocks. So I want to block VPN connections (referable to specific devices/MAC addresses).
Is it possible?
If yes, how?

You might have a hard time with smart kids if they know how to spoof the MAC address of their devices and circumvent your countermeasure… MAC address filtering is possible through the kernel’s netfilter (iptables or nftables as userland).

Another option could be blocking the remote VPN IP/DNS/ports, but for that you would have to know that info, and then again the kids might smarten up and just switch VPN providers. You could also block all egress traffic on non-essential ports/protocols, but if the VPN tunnels on TCP port 443 | 853 or UDP port 53 then it is game over (like it is with DNS over TCP), unless you deploy a DPI engine, which might be costly in CPU performance.

What about just giving them access to a separate VLAN with a separate SSID, for which you block internet access at night?

Others (@mrs.crox and @ssdnvv) already mentioned some hints; I have the same idea, so here is my take :slight_smile:

“wifi” has MAC address filtering (LuCI > Network > Wireless; down there is “Interface Configuration” and there you have the “MAC filter” tab). So you can filter them on each “radio”/wifi. There is also the option to have a “guest_lan” (guest_wifi) where you can disable forwarding to the “wan” zone (LuCI > Firewall > General Settings; down there is the zone section where you can define forwarding between zones). You can create some cron script to enable/disable such forwarding.

Also there is a way to do it using traffic rules (iptables), where you just pick IP/port/MAC and drop/filter such traffic. As others mentioned, you can look at this from the client side and/or from the VPN provider side.

Also SQM/QoS is available via a LuCI app (I did not use it so far; it is somehow preinstalled, but disabled by default), but there you can “shape” the traffic as well. So instead of blocking them, just make the connection slow, a low profile. If they want to be hackers, let them use a 2400 baud line with 250 ms ping.

As a last resort you can shut down the wan/wan6 interface/zone completely :-), or from time to time randomly pick 1-5 minutes and do ifdown/ifup for wan. The same you can achieve by restarting the “firewall”/“network” service.

Let us know what worked, and what the score is, Kids vs. Parents …

I don’t understand: how did you block the internet before, if the children are still able to reach the VPN endpoints in the internet? Did you block only specific IPs/domains? The separate VLAN solution really seems like the cleanest.


I created internet blocking rules with https://github.com/k-szuster/luci-access-control. It produces firewall rules like this:

config rule
        option ac_enabled '1'
        option src '*'
        option dest 'wan'
        option proto '0'
        option target 'REJECT'
        option weekdays ' fri sat'
        option name 'Kids-tablet'
        option src_mac 'AA:BB:CC:DD:EE:99'
        option stop_time '08:00:00'
        option start_time '19:30:00'
        option enabled '1'

luci-access-control is great, because it can easily unblock a device for 1 hour (e.g. to send a school project in the evening), so you do not need to block the device again.

But after some time I recognized (with yamon) there is strong traffic (watching videos?) until 1:00 AM. My spy informed me some kids started to use a VPN ;-).

I will try to use the suggestions and let’s see how it works. I would really love to see some simple application for parents…

That’s weird. If all access to wan from the MAC address is disabled, they wouldn’t be able to connect to the VPN concentrator. Aren’t they spoofing MAC addresses instead (not sure how easily that is done on tablets)?

I was looking around for parental control and found this: https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_parent_controls#timely_restriction_of_internet_access
Check the notes there. It seems active connections established before the blocking started are not dropped; to do so you might want to reload the firewall. I mean only new connections are rejected during the blocking timeframe, old ones are kept alive (if I understand well, still reading that article :)

They don’t even have to actively spoof a MAC address if you blacklist the kids.
I tried this until I found out that one of my girls’ mobiles uses a randomized MAC address by default. That means she circumvented the filter without even knowing what a MAC address is :slight_smile:

My solution is to block by default all traffic to the internet and whitelist those devices that should access it.
This has the advantage that new devices will automatically be blocked. If this is wrong, people will come to you and ask politely to give them access :grin:

Peter

Adding a network restart (to close open connections) to cron seems to help for a moment :wink: :
29 19 * * 5-6 /etc/init.d/network restart

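One way to put the pieces of this thread together (a named fw3 rule keyed on source MAC addresses, toggled from cron with a firewall reload so that connections opened before the block do not simply stay alive), written as an added example; it is not code from the thread, from OpenWrt or from luci-access-control. It assumes a stock OpenWrt with uci and the /etc/init.d/firewall script; the script path /root/kids-night.sh, the rule name kids_night and the MAC address are placeholders, and the optional conntrack -F step is an assumption that needs the conntrack package installed. Set DRY_RUN=1 to print the commands instead of running them.

```shell
#!/bin/sh
# kids-night.sh: hypothetical OpenWrt helper (added example, not code from the
# thread, from OpenWrt or from luci-access-control). It keeps one named fw3
# rule, 'kids_night', that REJECTs new wan-bound traffic from the listed MAC
# addresses, and toggles it from cron, reloading the firewall at both ends
# of the window so the change applies at once.
# Assumptions: uci and /etc/init.d/firewall exist (stock OpenWrt); the MAC
# addresses passed to 'setup' are placeholders chosen by the administrator.
# Set DRY_RUN=1 to print the commands instead of executing them.

DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or print it when DRY_RUN=1 (lets the logic be checked
# on a machine without uci).
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# One-time creation of the named rule. Usage: setup_rule MAC [MAC...]
# The rule starts disabled; set_block turns it on and off.
setup_rule() {
    [ $# -gt 0 ] || { echo "setup_rule: at least one MAC address needed" >&2; return 2; }
    run uci set firewall.kids_night=rule
    run uci set firewall.kids_night.name='Kids night block'
    run uci set firewall.kids_night.src='lan'
    run uci set firewall.kids_night.dest='wan'
    run uci set firewall.kids_night.proto='all'
    run uci set firewall.kids_night.target='REJECT'
    for mac in "$@"; do
        run uci add_list firewall.kids_night.src_mac="$mac"
    done
    run uci set firewall.kids_night.enabled='0'
    run uci commit firewall
}

# Enable (1) or disable (0) the rule and reload the firewall so the change
# takes effect immediately. Usage: set_block 1|0
set_block() {
    case "$1" in
        1|0) ;;
        *) echo "usage: set_block 1|0" >&2; return 2 ;;
    esac
    run uci set firewall.kids_night.enabled="$1"
    run uci commit firewall
    run /etc/init.d/firewall reload
    # Assumption: flows established before the block only end for certain if
    # their conntrack entries are flushed; with the conntrack package
    # installed, 'conntrack -F' does that. Opt in with FLUSH_CONNTRACK=1.
    if [ "$1" = 1 ] && [ "${FLUSH_CONNTRACK:-0}" = 1 ]; then
        run conntrack -F
    fi
}

# Print crontab lines for the same window as the rule shown in the thread:
# block from 19:30 on Fri/Sat until 08:00 the next morning (Sat/Sun).
# Usage: cron_lines /path/to/kids-night.sh
cron_lines() {
    printf '30 19 * * 5,6 %s on\n' "$1"
    printf '0 8 * * 6,0 %s off\n' "$1"
}

case "${1:-}" in
    setup) shift; setup_rule "$@" ;;
    on)    set_block 1 ;;
    off)   set_block 0 ;;
    cron)  cron_lines "${2:-/root/kids-night.sh}" ;;
    '')    ;;   # no argument: only define the functions (e.g. when sourced)
    *)     echo "usage: $0 setup MAC... | on | off | cron [path]" >&2; exit 2 ;;
esac
```

To use it on the router: copy the script to /root/kids-night.sh, run `sh /root/kids-night.sh setup AA:BB:CC:DD:EE:99` once with the real addresses, append the output of `sh /root/kids-night.sh cron` to /etc/crontabs/root and run `/etc/init.d/cron restart`. The rule is keyed on MAC addresses, so it inherits the weakness Peter describes above: a device with a randomized MAC address falls outside the list, which is why a default-deny policy with an explicit allow list is the more robust shape for the same goal.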