In our office, some of the techie co-workers were able to surf anything they want because they were using VPN. I really don't understand why. I've already set the category tunneling and proxy in app control as drop, still, they're able to use vpn such as psiphon, openvpn, and etc., but other than that, all blockings in the app control are working. Is there anything else that needs to be set in order for the blockings to work?
Sign In to comment.
On what policies do you have this App Control set?
Most likely OpenVPN is using TCP port 443 (HTTPS).
"Psiphon network can only be made to a restricted set of server ports including: 53, 80, 443, 465, 587, 993, 995, 8000, 8001, 8080 ."
Presumably Psiphon does some sort of DNS lookup to connect to an appropriate server.
If so, use of a DNS proxy with a Deny for those Domain Names in Query Names would prevent this access.
Logging on Query Names will show you what DNS resolution is being accessed, for potential blocking.
For HTTPS access, WG says that Inspect on a HTTP proxy improves detection of applications for App Control.
Consider opening a support incident to get the help of a WG rep in controlling the user's VPN access.
If you do not block all unneeded outgoing ports (egress filtering), consider doing so. Many consider this to be a "best practice".
Sometimes the best method is something from your Personnel Office making doing this an employment violation with potential punishment of being fired or other substantial negative result (poor performance review and/or salary impact, etc.).
Default VPN policies are wide open. I disable those and add my own, This is true for BOVPN default policies.