Hi,
I'm facing a situation where hosts on the network are using a VPN via port 443. It looks like non-HTTPS packets are going over TCP/443.
The setup is new, and I would like a suggestion about the quickest solution to avoid this kind of misuse.
Is there any kind of protocol standards validation that could be applied in rules? Or would an IPS (Suricata) solve this problem?
Thanks a lot.
Rafael
You could use Squid to force a transparent web proxy on 443; SNI inspection alone, without TLS termination, should be enough to kill most VPNs.
Another way would be Zenarmor with an application filter.
Though stopping the misuse totally is almost impossible.
E.g. when using OpenVPN on TCP 443 with obfuscation, or something like a WebSocket tunnel (https://github.com/erebe/wstunnel), it is almost undetectable.
Best to just let it through... that fight cannot be won.
You could do one of two things:
1. Check where that VPN traffic is going to and block those IPs / ASNs in the cloud. That will work only if there is some fixed counterpart in the cloud where this is headed.
2. Install a proxy and transparently redirect all traffic that goes to port 443 on outbound connections to that proxy (https://docs.opnsense.org/manual/how-tos/proxytransparent.html). If the traffic does not adhere to HTTPS standards, it will be blocked. If it does, you can see where it is going to because of SNI and block that site.
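Both replies above rest on the same check: does the first thing a client sends on TCP/443 look like a TLS ClientHello, and if so, what SNI does it carry? The following Python is an added example (not code from the thread, OPNsense, Squid or Zenarmor) showing that check in isolation, so it is clear what a transparent proxy or IPS is actually validating before it decides to drop a flow or log its destination. The hostname `vpn.example.com`, the HTTP and SSH byte strings and the truncated record are constructed test inputs; `build_client_hello` only exists to produce a valid handshake for the parser to read.

```python
import struct

TLS_HANDSHAKE = 0x16      # TLS record content type for handshake messages
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # SNI extension type


def build_client_hello(hostname: str) -> bytes:
    """Build a minimal TLS 1.2-style ClientHello with one SNI entry (constructed test vector)."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body = (
        b"\x03\x03"                                 # client_version TLS 1.2
        + b"\x00" * 32                              # random (zeros are fine for a test vector)
        + b"\x00"                                   # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"        # one cipher suite (TLS_AES_128_GCM_SHA256)
        + b"\x01\x00"                               # compression methods: null only
        + struct.pack("!H", len(ext)) + ext
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def classify_port443_payload(data: bytes):
    """Classify the first client bytes of a TCP/443 flow.

    Returns ("tls", sni_or_None) for a well-formed ClientHello, otherwise
    ("non-tls", reason). This is the protocol-conformance check a transparent
    proxy performs before it ever sees a certificate or decrypts anything.
    """
    if len(data) < 5:
        return ("non-tls", "too short for a TLS record header")
    ctype, vmaj = data[0], data[1]
    rlen = struct.unpack("!H", data[3:5])[0]
    if ctype != TLS_HANDSHAKE or vmaj != 3:
        return ("non-tls", f"first bytes {data[:3].hex()} are not a TLS handshake record")
    rec = data[5:5 + rlen]
    if len(rec) < 4 or rec[0] != CLIENT_HELLO:
        return ("non-tls", "handshake record does not carry a ClientHello")
    hlen = int.from_bytes(rec[1:4], "big")
    body = rec[4:4 + hlen]
    if len(body) != hlen:
        return ("non-tls", "truncated ClientHello")
    try:
        pos = 2 + 32                                           # skip client_version + random
        sid_len = body[pos]; pos += 1 + sid_len                # session_id
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len   # cipher_suites
        comp_len = body[pos]; pos += 1 + comp_len              # compression_methods
        if pos == len(body):
            return ("tls", None)                               # legal: no extensions at all
        ext_total = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_total
        if end != len(body):
            return ("non-tls", "extension length does not match ClientHello length")
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            edata = body[pos:pos + elen]; pos += elen
            if etype == EXT_SERVER_NAME and len(edata) >= 5:
                name_len = struct.unpack("!H", edata[3:5])[0]
                return ("tls", edata[5:5 + name_len].decode("ascii", "replace"))
        return ("tls", None)                                   # TLS, but no SNI sent
    except (IndexError, struct.error):
        return ("non-tls", "malformed ClientHello")


def review_flows(flows):
    """Apply the proxy-style policy from the thread: drop non-TLS on 443, surface SNI for the rest."""
    verdicts = []
    for label, payload in flows:
        kind, detail = classify_port443_payload(payload)
        verdicts.append((label, "block" if kind == "non-tls" else "allow (log SNI)", detail))
    return verdicts


if __name__ == "__main__":
    # Constructed sample flows: one real-looking TLS handshake, two non-TLS protocols, one cut-off record.
    samples = [
        ("browser", build_client_hello("vpn.example.com")),
        ("plain-http", b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
        ("ssh-on-443", b"SSH-2.0-OpenSSH_9.6\r\n"),
        ("truncated", build_client_hello("vpn.example.com")[:20]),
    ]
    for label, verdict, detail in review_flows(samples):
        print(f"{label:12} {verdict:16} {detail}")
```

Two practical notes follow from running this. First, everything the check can see is in the very first client record, which is why SNI inspection needs no TLS termination and no certificate on the firewall. Second, the check is purely syntactic: a tunnel that sends a valid ClientHello (obfuscated OpenVPN, wstunnel over a real TLS connection) passes it, which is the limit the earlier reply describes, and at that point the only remaining handle is the SNI or destination itself.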