Difference between revisions of "How to Detect and Block Hotspot Shield program traffic(openvpn application)"

From MikroTik Wiki
Latest revision as of 14:36, 29 April 2011

Some companies and organizations have their own security policies; sometimes they use OpenDNS addresses to prevent users in these companies and organizations from accessing certain web sites. But there are many proxy and VPN client programs that can bypass these policies, and one of the most famous and fastest VPN clients is Hotspot Shield. It is a free program that is easy to install and use. Keep in mind that this kind of program does not use fixed TCP or UDP ports to establish a VPN connection with its various VPN servers around the world: it hops between ports, and it uses the well-known port 443 as its destination port to communicate with the VPN server.

I have tried to block it by TCP or UDP port; when I block 443 it cannot establish a connection with the VPN server. I have also tried to block it using OpenDNS, with no success. After searching many web sites I found that I could block this program if I had a digital signature for it, but I don't have one. I also found that we can match connections to TCP port 80 whose content contains 127.0.0.1:895 in order to see the traffic the program sends; although we can match the traffic this way, matching alone does not block it.

If you want to block this traffic in MikroTik RouterOS v3.30, add the following rules to the mangle and filter tables.

mangle rules

   /ip firewall mangle
   add action=add-dst-to-address-list address-list=WhiteList \
   address-list-timeout=4w2d chain=prerouting comment=WhiteList content=\
   !127.0.0.1:895 disabled=no dst-port=80 protocol=tcp
   add action=add-src-to-address-list address-list=HotSpotShieldUsers \
   address-list-timeout=1h chain=prerouting comment=HotSpotShieldUsers \
   content=127.0.0.1:895 disabled=no dst-port=80 protocol=tcp
   add action=add-dst-to-address-list address-list=WhiteList \
   address-list-timeout=4w2d chain=prerouting comment=WhiteList content=\
   !127.0.0.1:895 disabled=no dst-port=443 protocol=tcp


firewall rules

   /ip firewall filter
   add action=log chain=forward comment="Allow WhiteLists" disabled=no \
   dst-address-list=WhiteList log-prefix=WhiteLists
   add action=accept chain=forward comment="" disabled=no dst-address-list=\
   WhiteList
   add action=log chain=forward comment="\"Block HotSpot Shield\"" disabled=no \
   log-prefix=HotSpotShield src-address-list=HotSpotShieldUsers
   add action=drop chain=forward comment="\"Block HotSpot Shield\"" disabled=no \
   src-address-list=HotSpotShieldUsers

Note: if you use only these firewall filter and mangle rules, you will block all traffic from users that are running Hotspot Shield. If you want to block only the traffic that belongs to Hotspot Shield, and allow those users to access the internet without the program, you have to add the extra rules below in DNS and DHCP. I am using OpenDNS, but you can use any other DNS server addresses.

Use the OpenDNS server addresses:

   /ip dns
   set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
   max-udp-packet-size=512 primary-dns=208.67.222.222 secondary-dns=\
   208.67.220.220

Make your MikroTik router (acting as a DNS relay) the DNS server for your clients in DHCP:

   /ip dhcp-server
   add address-pool=dhcp_pool1 authoritative=after-2sec-delay bootp-support=\
   static disabled=no interface=LAN lease-time=3d name=dhcp1
   /ip dhcp-server config
   set store-leases-disk=5m
   /ip dhcp-server network
   add address=192.168.117.0/24 comment="" dns-server=192.168.117.200 gateway=\
   192.168.117.200

The DNS server for users in my network is 192.168.117.200.
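To see how the mangle rules, the filter rules and the DNS/DHCP step above work together, here is an added example written in Python. It is not RouterOS code and not the article author's; it models the decision logic of the three mangle rules and four filter rules and runs it over constructed traffic from two LAN hosts. All addresses, payloads, timestamps and the way re-added list entries keep their expiry are constructed assumptions of the model, not taken from the article or from RouterOS.

```python
"""Model of the article's RouterOS mangle and filter rules, run over constructed traffic.

Added example, not RouterOS code and not the article author's: it reproduces the
decision logic of the three /ip firewall mangle rules and four /ip firewall filter
rules so their combined effect on sample hosts can be traced. All addresses,
payloads and timestamps below are constructed.
"""
from dataclasses import dataclass, field

SIGNATURE = b"127.0.0.1:895"        # content= match used by the article's rules
ROUTER_IP = "192.168.117.200"       # DNS relay address from the article's DHCP config
WHITELIST_TIMEOUT = 30 * 24 * 3600  # address-list-timeout=4w2d, in seconds
HSS_TIMEOUT = 3600                  # address-list-timeout=1h, in seconds


@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dst_port: int
    payload: bytes = b""


@dataclass
class Firewall:
    # address-list name -> {address: expiry timestamp}
    lists: dict = field(default_factory=lambda: {"WhiteList": {}, "HotSpotShieldUsers": {}})
    log: list = field(default_factory=list)

    def _add(self, name, addr, now, timeout):
        # Dynamic entry; this model keeps the later of the old and new expiry
        # (an assumption; the exact RouterOS refresh behaviour is not modelled).
        self.lists[name][addr] = max(self.lists[name].get(addr, 0), now + timeout)

    def _listed(self, name, addr, now):
        expiry = self.lists[name].get(addr)
        return expiry is not None and expiry > now

    def mangle_prerouting(self, pkt, now):
        """The three /ip firewall mangle rules, in the article's order."""
        if pkt.proto != "tcp":
            return                          # all three rules are protocol=tcp
        has_sig = SIGNATURE in pkt.payload
        if pkt.dst_port == 80 and not has_sig:
            self._add("WhiteList", pkt.dst, now, WHITELIST_TIMEOUT)
        if pkt.dst_port == 80 and has_sig:
            self._add("HotSpotShieldUsers", pkt.src, now, HSS_TIMEOUT)
        if pkt.dst_port == 443 and not has_sig:
            self._add("WhiteList", pkt.dst, now, WHITELIST_TIMEOUT)

    def filter_forward(self, pkt, now):
        """The four /ip firewall filter rules: log is pass-through, the first
        accept or drop wins, and the chain's default is accept."""
        if self._listed("WhiteList", pkt.dst, now):
            self.log.append(f"WhiteLists {pkt.src}->{pkt.dst}")
            return "accept"
        if self._listed("HotSpotShieldUsers", pkt.src, now):
            self.log.append(f"HotSpotShield {pkt.src}->{pkt.dst}")
            return "drop"
        return "accept"

    def handle(self, pkt, now):
        """Prerouting mangle runs first for every packet; then traffic addressed to
        the router itself goes to the input chain, everything else to forward."""
        self.mangle_prerouting(pkt, now)
        if pkt.dst == ROUTER_IP:
            return "input"                  # e.g. DNS to the relay; the forward rules never see it
        return self.filter_forward(pkt, now)


def run_scenario():
    """Constructed traffic from two LAN hosts; returns the per-packet verdicts."""
    fw = Firewall()
    flows = [
        # t, packet
        (0, Packet("192.168.117.10", "203.0.113.5", "tcp", 80, b"GET / HTTP/1.1\r\nHost: www.example\r\n")),
        # a host whose port-80 flow carries the signature is put on HotSpotShieldUsers for 1h
        (1, Packet("192.168.117.20", "198.51.100.7", "tcp", 80, b"constructed payload with 127.0.0.1:895")),
        # the listed host still reaches a destination already on WhiteList
        (2, Packet("192.168.117.20", "203.0.113.5", "tcp", 80, b"GET /index HTTP/1.1\r\n")),
        # DNS sent straight to OpenDNS is transit traffic and is dropped for the listed host
        (3, Packet("192.168.117.20", "208.67.222.222", "udp", 53, b"\x12\x34 constructed query")),
        # DNS sent to the router goes to the input chain instead, so name resolution keeps working
        (4, Packet("192.168.117.20", ROUTER_IP, "udp", 53, b"\x12\x34 constructed query")),
        # one hour after the listing it has expired; non-80/443 traffic is no longer dropped
        (3602, Packet("192.168.117.20", "198.51.100.7", "tcp", 8080, b"")),
    ]
    return [fw.handle(pkt, t) for t, pkt in flows]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The fourth and fifth packets are the point of the article's DNS/DHCP note: a listed host sending DNS directly to OpenDNS passes through the forward chain and is dropped, because only TCP port 80 and 443 traffic can populate WhiteList, whereas DNS sent to the router is handled in the input chain, which these rules do not touch. The last packet shows the 1h address-list-timeout expiring.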