OpenWrt Forum Archive

Topic: Block/Prevent VPN

The content of this topic has been archived on 27 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi all.

I have been working with my TP-LINK TL-WR841N and OpenWrt Attitude Adjustment 12.09.

My ultimate goal is to have a child-safe environment on my home network (porn filtered).

I have an OpenDNS account with the corresponding filters on, then I set up the DNS in LuCI, and added this under Network->Firewall->Custom Rules, to prevent bypassing my DNS setup:

  iptables -t nat -I PREROUTING -s 192.168.1.0/24 -p udp --dport 53 -j DNAT --to 192.168.1.1
  iptables -t nat -I PREROUTING -s 192.168.1.0/24 -p tcp --dport 53 -j DNAT --to 192.168.1.1

I also followed this thread (page 2) to block ads:
https://forum.openwrt.org/viewtopic.php?id=35023

Everything was perfect, until I began searching for BitTorrent blocking and read about VPNs, and how "anyone can bypass all the router firewall config" (this statement may be wrong, but that's the way I got it). So I took my iPad, added a free VPN app, and ... yep, it bypassed all my beautiful setup. I could access porn sites, the ads were everywhere again and so on.

So I started searching about VPNs and found the ports they usually work on. I added these rules in LuCI under Network->Firewall->Custom Rules:

  # Filtering belongs in the filter table's FORWARD chain; the nat table only sees the first packet of a connection
  # PPTP: TCP 1723 control channel, GRE (IP protocol 47, not a TCP port) data channel
  iptables -I FORWARD -p tcp --dport 1723 -j DROP
  iptables -I FORWARD -p gre -j DROP
  # IPsec/IKE: UDP 500 (IKE), UDP 4500 (NAT-T); ESP and AH are IP protocols 50 and 51, not UDP ports
  iptables -I FORWARD -p udp --dport 500 -j DROP
  iptables -I FORWARD -p udp --dport 4500 -j DROP
  iptables -I FORWARD -p esp -j DROP
  iptables -I FORWARD -p ah -j DROP
  # L2TP: UDP 1701
  iptables -I FORWARD -p udp --dport 1701 -j DROP

But it didn't work at all. I played with this setup a little and used various combinations with REJECT as well, but no good.

I also searched through several websites, but haven't found a conclusive answer. So here I am asking for help:

How can I block/prevent VPNs on my network?

Blocking, rejecting or even allowing them but giving them 0 Kb/s bandwidth would be the point.

Thanks in advance.

VPNs can go through pretty much every port that is open to the outside world, and one port is enough. In order to prevent a VPN tunnel being opened from inside your network you'd have to completely seal off your network and only allow outside access through proxies. No open ports, just proxies on the inside.

If I may add a personal evaluation of the situation: I can see the desire to filter out ads and x-rated stuff in order to prevent your children from being accidentally exposed to that stuff. But if someone on the inside actively tries to get to certain content there are always ways around a filter, be it VPNs or proxies/proxy chains or gateway websites. I don't think there is a technological solution to this problem; you might want to have a talk with your kids about stuff rather than trying to lock them up and possibly even encourage them to try to find ways around that.

(Last edited by metai on 26 Jul 2014, 23:33)

Thanks for the reply.

While I fully agree with your insight that 'education at home must be and is the first shell in kids' formation', I am really looking for a way to prevent this by technology as well.

Can you help me a little on the way to go to accomplish this proxy connectivity? I mean, do I have to set up a proxy machine different from the router, or could this be done on the router itself? Do I need some kind of proxy account with an external provider?

If you could guide me in what to look for, that would help me a lot.

Thank you so much.

I'd just like to point out that I fully agree with metai's post, so I'll just leave it at that without repeating him. Here are some basic suggestions, given that you have already understood the difficulty of blocking VPNs and such completely.

alexm0428 wrote:

I mean, do I have to set up a proxy machine different from the router, or could this be done on the router itself? Do I need some kind of proxy account with an external provider?

You don't need an account with any service provider (I can't think of any service provider you could choose to use anyway). You need a computer to run as an HTTP proxy server. This could in theory be your router, but depending on the number of simultaneous users and the amount of traffic it might not be powerful enough. RAM may be an issue too, as the WR841N has only 32 MB. It can really be any computer; the point is that all computers connect to the internet through the proxy computer. The proxy is the only device allowed to access the internet, so all other devices must connect through it.

Tinyproxy is targeted as a proxy for embedded environments and is available as a package for both AA and BB; there is a LuCI app for it as well. I haven't used it myself, but it seems to fit your use case in part. Tinyproxy will be the proxy computers connect to (or are redirected to as a transparent proxy, through firewall rules), but it doesn't look like it has the extensive content filtering capabilities I suppose you want. DansGuardian is a well-known content filter, and I can't think of any alternatives. I don't know how well DG runs on an embedded device. I don't have personal experience with setting up such a proxy, but those should be the applications you need. Google tells me there are several guides on how to use DansGuardian with Tinyproxy.

(Last edited by makro on 27 Jul 2014, 01:00)
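The "no open ports, just a proxy" layout that metai and makro describe, as an added example (not code from the thread, from OpenWrt or from Tinyproxy): a /etc/firewall.user fragment that forces all LAN DNS to the router, pushes plain HTTP into a Tinyproxy instance on the router, and default-denies every other LAN-to-WAN forward with a log line per attempt. The interface names br-lan/eth0, the router address 192.168.1.1 and the Tinyproxy port 8888 are assumptions; check yours with `uci show network` and the Tinyproxy config.

```shell
#!/bin/sh
# Added example, not from the thread: "no open ports, just a proxy" egress
# policy for OpenWrt's /etc/firewall.user. Assumed names: LAN bridge br-lan,
# WAN interface eth0, router 192.168.1.1, Tinyproxy listening on port 8888.
LAN=br-lan
WAN=eth0
ROUTER=192.168.1.1
LAN_NET=192.168.1.0/24
PROXY_PORT=8888
CHAIN=lan_egress_deny

# $1 is the iptables binary; pass "echo" to print the rules instead of loading them.
apply_rules() {
    ipt=${1:-iptables}

    # 1. Every LAN DNS query lands on the router's dnsmasq (OpenDNS upstream),
    #    whatever resolver the client configured.
    $ipt -t nat -I PREROUTING -i "$LAN" -s "$LAN_NET" -p udp --dport 53 -j DNAT --to-destination "$ROUTER"
    $ipt -t nat -I PREROUTING -i "$LAN" -s "$LAN_NET" -p tcp --dport 53 -j DNAT --to-destination "$ROUTER"

    # 2. Plain HTTP from unconfigured devices is redirected into the proxy;
    #    proxy-aware clients use $ROUTER:$PROXY_PORT directly (CONNECT for HTTPS).
    $ipt -t nat -I PREROUTING -i "$LAN" -s "$LAN_NET" -p tcp --dport 80 -j REDIRECT --to-ports "$PROXY_PORT"
    $ipt -I INPUT -i "$LAN" -p tcp --dport "$PROXY_PORT" -j ACCEPT

    # 3. Default-deny LAN -> WAN forwarding. A tunnel on any port is just another
    #    forwarded flow, so it is dropped and logged (rate-limited) for `logread`.
    #    The proxy process on the router goes out via OUTPUT, which is untouched.
    $ipt -N "$CHAIN" 2>/dev/null || $ipt -F "$CHAIN"
    $ipt -A "$CHAIN" -m limit --limit 10/min -j LOG --log-prefix "LAN-EGRESS-DENY: "
    $ipt -A "$CHAIN" -j DROP
    $ipt -I FORWARD -i "$LAN" -o "$WAN" -j "$CHAIN"
}

# Run as `sh egress.sh` to review the generated rules; `IPT=iptables sh egress.sh`
# (or `apply_rules iptables` from /etc/firewall.user) loads them.
apply_rules "${IPT:-echo}"
```

Because the rules are inserted with -I they land ahead of the zone chains OpenWrt's firewall generates, which is what makes the deny win over the default lan-to-wan accept.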

While I agree mostly with both the above responses, I should add that it is impossible in practice to completely prevent VPNs technologically, especially given the prevalence of SSL VPNs these days (particularly corporate VPNs), which are specifically designed to bypass any firewall or proxy. There are various advanced hacks that can often create rudimentary VPN tunnels even from devices unable to access any web pages, merely through spoofed DNS and ICMP packets, but that's getting a bit extreme when widely available solutions already work on any computer with the ability to load any web page.

You can try all you want, and you can make it harder, but you won't ever get anywhere close to airtight. It works the same as any other security system (passwords, encryption, etc.): you could block 99% of attacks, but you cannot ever make anything 100% secure (although in this case IMO you're unlikely to even get anything 50% effective). Security just tries to make breaching it difficult enough that most people can't be bothered. Quite how far the users of your internet connection are willing to go to defeat a porn filter I have no clue about, though, and that is really your business.

(Last edited by qasdfdsaq on 27 Jul 2014, 03:29)

Well, thanks for the responses; even though I'm not happy, you people did answer me.

It's disappointing, but thank you for clearing things.

PS: Don't know if I'm supposed to "mark as solved" or something.

The discussion might have continued from here.