vincent_voo • 13 Messages • 254 Points

Wed, Mar 3, 2021 8:59 AM

Can ZD1200 block VPN access like Psiphon?

Currently we have a situation where the captive portal can be bypassed if the client uses a VPN connection like Psiphon.

I also understand that network access is not given until the user has authenticated through the captive portal. However, some users have still been detected accessing the internet using VPN software like Psiphon.

Is it possible for an application denial policy on ZD1200 to block this kind of VPN access?

477 Messages • 5.9K Points • 9 m ago

If ZD1200 is configured properly, you should not have such a problem. Check your Walled Garden settings.

But anyway, captive portal is not a secure authentication method. As WISPr is basically authorizing the client MAC, it is always possible to circumvent it by cloning an already authorized MAC from the network, which requires some technical knowledge, but isn't complex in fact. Without getting a connection to the network no VPN can work, so the client connection is established before the VPN is run.

You need to find out what exactly is done, reproduce it, and then you can look for a way to disable it.

A simple and safe way would be to use Dynamic-PSK codes instead of captive portal codes. You can set expiration dates on them, and all communication will be encrypted.

Without knowing the code you have no chance to connect to the network, so this will fix all issues, and it will work better than WISPr (which is an old protocol not targeting security, but created as a tool to charge users for access).

13 Messages • 254 Points

I am not sure how Psiphon works, but from the vulnerability report it shows that the captive portal can be bypassed if the client uses a VPN connection through UDP port 53.

145 Messages • 2.9K Points • 9 m ago

Dear Vincent,

Psiphon is great!! It circumvents the firewall and tries to establish connections to its own servers. It's one of the best tools I have ever seen.

Let me tell you about the solution. ZD already has a solution for it from when it was brought to our notice. Our dev team found that when a client connects to WiFi using Psiphon, its DNS requests are redirected to their DNS servers; if you drop those requests, then the client will not be able to use the internet when using Psiphon. There are a couple of commands that you need to run on the ZD's CLI to drop those DNS requests redirected to Psiphon servers and allow only requests destined for your trusted DNS server. I don't have a ZD to test and verify these commands.

Please run the commands below and see.

ruckus(config)# portal-auth-force-dns-server 192.168.40.10
The command was executed successfully.
ruckus(config)#

This could also be done by adding a rule on your firewall: add a rule to redirect all DNS requests to your trusted DNS server and drop the others. If you do this, Psiphon can never be used on your network.

Hope it helps.

Regards.

Abilash PR. 

13 Messages • 254 Points

Hi Abilash,

Thank you for the input.

Do you mean that Psiphon's DNS server is 192.168.40.10?

145 Messages • 2.9K Points • 9 m ago

Hi Vincent,

"192.168.40.10" should be your internal DNS server IP, or it could be a Google/One DNS server IP, so in this case only DNS traffic destined to that IP (192.168.40.10) will be forwarded, and DNS traffic destined to other IPs will be dropped.

portal-auth-force-dns-server <your dhcp server>

Hope it helps.

Regards,

Abilash PR

13 Messages • 254 Points

Hi Abilash,

Noted on that. I will try and verify this.

Thank you for the help.

477 Messages • 5.9K Points • 9 m ago

Basically this means that Psiphon uses port 53 to establish the VPN connection instead of making DNS requests, so if you allow DNS traffic to any server in the unauthorized state, a VPN can be established.

Any firewall can (and should) block that easily enough. The DNS IP must be provided by the DHCP server, and no other servers should be permitted. But that is probably not the case on many badly configured hotspots around the world, so Psiphon works there.

Of course, there is a small question: why is Psiphon interested in providing free services, which require quite a few servers to be installed and run in different locations -- what do they benefit from that?

And don't say they are doing it because they want to help users... There may be different reasons -- selling data mined from these connections is the best scenario.

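The pre-authentication DNS rule that Abilash's portal-auth-force-dns-server command and the post above both describe, worked through as an added example (this is not Ruckus code and not anything posted in the thread): a small Python model of the walled-garden policy that, for clients that have not yet authenticated, permits port 53 only to the resolver handed out by DHCP and drops port-53 traffic to every other destination. It runs over constructed flow-log lines and also keeps a per-client byte count of the dropped port-53 traffic, so a client pushing tunnel-sized volumes over port 53 stands out from one that merely sent a stray lookup. The resolver address 192.168.40.10 is the one used in the thread; the log-line format, the walled-garden host 192.168.40.5, the client and destination addresses, and the byte threshold are assumptions made for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed values for this example. In a real deployment TRUSTED_RESOLVER is the
# address the DHCP scope hands out and WALLED_GARDEN holds the portal host(s).
TRUSTED_RESOLVER = "192.168.40.10"
WALLED_GARDEN = {"192.168.40.5"}
# Dropped port-53 bytes per client per window above which we raise an alert (constructed).
TUNNEL_BYTES_THRESHOLD = 5000


@dataclass(frozen=True)
class Flow:
    client: str
    dst: str
    proto: str
    dport: int
    nbytes: int
    authenticated: bool


# Constructed flow-record format, not a real Ruckus or firewall log format.
_LINE_RE = re.compile(
    r"client=(?P<client>\S+) dst=(?P<dst>\S+) proto=(?P<proto>udp|tcp) "
    r"dport=(?P<dport>\d+) bytes=(?P<nbytes>\d+) auth=(?P<auth>[01])"
)


def parse_line(line):
    """Parse one constructed flow record into a Flow."""
    m = _LINE_RE.search(line)
    if m is None:
        raise ValueError(f"unparseable flow record: {line!r}")
    return Flow(m["client"], m["dst"], m["proto"], int(m["dport"]),
                int(m["nbytes"]), m["auth"] == "1")


def pre_auth_verdict(flow):
    """Walled-garden decision for a single flow.

    Authenticated clients are outside this policy. Unauthenticated clients may
    talk to the trusted resolver on port 53 and to the portal on 80/443;
    everything else, including port 53 to any other server, is dropped.
    """
    if flow.authenticated:
        return "allow"
    if flow.dport == 53:
        return "allow" if flow.dst == TRUSTED_RESOLVER else "drop"
    if flow.dst in WALLED_GARDEN and flow.dport in (80, 443):
        return "allow"
    return "drop"


def evaluate(lines):
    """Apply the policy to flow records; return verdicts and tunnel suspects.

    A single dropped lookup to a foreign resolver is normal noise (a client with
    a hard-coded resolver). Sustained volume over port 53 to a non-trusted
    destination is the pattern described in the thread, so we total the dropped
    port-53 bytes per client and report those above TUNNEL_BYTES_THRESHOLD.
    """
    verdicts = []
    dropped_dns = defaultdict(int)
    for line in lines:
        flow = parse_line(line)
        verdict = pre_auth_verdict(flow)
        verdicts.append((flow.client, flow.dst, flow.dport, verdict))
        if verdict == "drop" and flow.dport == 53:
            dropped_dns[flow.client] += flow.nbytes
    suspects = {c: b for c, b in dropped_dns.items() if b >= TUNNEL_BYTES_THRESHOLD}
    return verdicts, suspects


# Constructed sample records: 203.0.113.9 and 198.51.100.20 are documentation
# addresses standing in for arbitrary non-trusted resolvers.
SAMPLE_LOG = [
    "2021-03-03T08:59:01 client=10.0.0.21 dst=192.168.40.10 proto=udp dport=53 bytes=84 auth=0",
    "2021-03-03T08:59:02 client=10.0.0.21 dst=192.168.40.5 proto=tcp dport=80 bytes=512 auth=0",
    "2021-03-03T08:59:03 client=10.0.0.21 dst=198.51.100.20 proto=udp dport=53 bytes=60 auth=0",
    *[f"2021-03-03T08:59:{10 + i:02d} client=10.0.0.37 dst=203.0.113.9 proto=udp dport=53 bytes=1400 auth=0"
      for i in range(5)],
    "2021-03-03T08:59:20 client=10.0.0.50 dst=8.8.8.8 proto=udp dport=53 bytes=70 auth=1",
]

if __name__ == "__main__":
    verdicts, suspects = evaluate(SAMPLE_LOG)
    for client, dst, dport, verdict in verdicts:
        print(f"{client} -> {dst}:{dport} {verdict}")
    for client, nbytes in suspects.items():
        print(f"ALERT {client}: {nbytes} bytes of port-53 traffic dropped pre-auth")
```

Client 10.0.0.21 has one dropped lookup to a foreign resolver and is not reported; 10.0.0.37 sent 7000 bytes over port 53 to a non-trusted address before authenticating and is. On a real firewall the equivalent is one accept rule for UDP/TCP 53 to the DHCP-advertised resolver placed before a drop rule for port 53 to anything else, with the drop counters feeding the alert.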

Official Rep • 1.3K Messages • 17.7K Points • 9 m ago

Hi All,

This issue is already fixed in ZD 10.1 or higher versions and for v/SZ 5.2 and above.

If you see this issue on 10.1 or higher version, please report it to support.
