Application Control and NordVPN

I would like to block my clients' (PCs) access to NordVPN servers, while leaving them free to use OpenVPN and WireGuard to connect to our customers' private VPNs.
I enabled Application Control, blocked NordVPN and enabled WireGuard. But clients are still able to access NordVPN.

According to the Firebox logs, client traffic to NordVPN servers is incorrectly categorized by Application Control as WireGuard traffic, not NordVPN traffic.

Using Application Control signatures 18.217, updated on Jun 21, 2022, on Fireware 12.8.

What can I do to block NordVPN access while not blocking WireGuard protocol?

Comments

  • james.carson Moderator, WatchGuard Representative
    edited June 2022

    Hi @giox069
    NordVPN (and the majority of their competitors) use WireGuard for their product with a custom front-end -- that's why it's being detected as such. From the perspective of the firewall there's no difference between legitimate WireGuard traffic and Nord from the protocol perspective, which is what Application Control is working on.

    If you need to allow legitimate WireGuard traffic, I'd suggest making a specific policy above your policy that denies it, with the destination FQDNs and/or IPs set to the destination of the allowed WireGuard/OpenVPN servers. Legitimate traffic will hit that policy, and everything else will still hit the existing policy.

    -James Carson
    WatchGuard Customer Support
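The ordering the reply above recommends, worked through as an added example (constructed here; it is not WatchGuard's policy engine or any code from this thread). It models a Firebox-style first-match policy list: an allow policy scoped to the approved customer VPN endpoints by IP network and FQDN sits above an Application Control deny for the WireGuard/NordVPN signatures, followed by a catch-all outgoing allow. Because the engine classifies both NordVPN and the customers' tunnels as "WireGuard", only the destination scope separates them; the addresses, names and policy names are placeholders, and restricting the allow policy to the WireGuard/OpenVPN signatures is an extra narrowing I chose, not something the reply requires.

```python
"""Constructed first-match policy model for the WireGuard-vs-NordVPN case.

Not WatchGuard's engine: a simplified ordered policy list where the first
policy whose destination and application constraints match decides the flow.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Flow:
    dst_ip: str
    app: str                        # Application Control verdict, e.g. "WireGuard"
    dst_fqdn: Optional[str] = None  # destination name, if the firewall resolved one


@dataclass
class Policy:
    name: str
    action: str                                            # "allow" or "deny"
    dst_networks: List[str] = field(default_factory=list)  # CIDRs; empty = any destination
    dst_fqdns: List[str] = field(default_factory=list)     # exact names; empty = any destination
    apps: List[str] = field(default_factory=list)          # signatures; empty = any application

    def _dst_matches(self, flow: Flow) -> bool:
        if not self.dst_networks and not self.dst_fqdns:
            return True
        ip = ipaddress.ip_address(flow.dst_ip)
        if any(ip in ipaddress.ip_network(net) for net in self.dst_networks):
            return True
        return flow.dst_fqdn is not None and flow.dst_fqdn in self.dst_fqdns

    def matches(self, flow: Flow) -> bool:
        return self._dst_matches(flow) and (not self.apps or flow.app in self.apps)


def evaluate(policies: List[Policy], flow: Flow) -> Tuple[str, str]:
    """First matching policy wins; a flow matching nothing falls to an implicit deny."""
    for policy in policies:
        if policy.matches(flow):
            return policy.action, policy.name
    return "deny", "implicit-deny"


# Placeholder endpoints (RFC 5737 documentation ranges), standing in for the
# customers' VPN concentrators that legitimate WireGuard/OpenVPN traffic goes to.
ALLOW_CUSTOMER_VPN = Policy(
    "Allow-Customer-VPN", "allow",
    dst_networks=["203.0.113.0/24"],
    dst_fqdns=["vpn.customer-a.example"],
    apps=["WireGuard", "OpenVPN"],
)
# The existing Application Control deny: matches any destination classified as these apps.
DENY_CONSUMER_VPN = Policy("Deny-Consumer-VPN", "deny", apps=["WireGuard", "NordVPN"])
OUTGOING = Policy("Outgoing", "allow")

RECOMMENDED = [ALLOW_CUSTOMER_VPN, DENY_CONSUMER_VPN, OUTGOING]  # allow above deny
MISORDERED = [DENY_CONSUMER_VPN, ALLOW_CUSTOMER_VPN, OUTGOING]   # deny above allow

# Constructed sample flows; 198.51.100.5 plays the role of a consumer VPN server
# whose traffic the engine classifies as plain WireGuard, as the logs describe.
SAMPLE_FLOWS = {
    "customer_wg": Flow("203.0.113.10", "WireGuard"),
    "customer_ovpn_by_name": Flow("192.0.2.7", "OpenVPN", dst_fqdn="vpn.customer-a.example"),
    "nord_as_wg": Flow("198.51.100.5", "WireGuard"),
    "web": Flow("198.51.100.5", "HTTPS"),
}


def verdicts(policies: List[Policy]) -> dict:
    return {label: evaluate(policies, flow) for label, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for title, policies in (("recommended order", RECOMMENDED), ("misordered", MISORDERED)):
        print(title)
        for label, (action, name) in verdicts(policies).items():
            print(f"  {label:24s} {action:5s} via {name}")
```

Running it shows the customer tunnels allowed by the scoped policy and the consumer VPN flow denied under the recommended order, while the misordered list denies the customer WireGuard tunnel too, which is exactly the symptom of putting the allow below the deny.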

  • I know that recently NordVPN switched from OpenVPN to the WireGuard protocol.

    But... what are the sites or services blocked by "NordVPN" option of Application Control? Is it a useless option?

  • james.carson Moderator, WatchGuard Representative

    @giox069
    It's likely an older signature -- App Control signatures are reviewed regularly and removed if they're not useful anymore, so it'll likely fall off the definition set soon if it's not detected anymore.

    -James Carson
    WatchGuard Customer Support
