OPNsense
Messages - deuch

16
Zenarmor (Sensei) / Re: Home subscription - policy disabling itself
« on: August 13, 2023, 11:58:39 am »
Each time I update Zenarmor (I did it right now, 13 August 11h53 Paris time), the exempted IPs/VLANs in settings are not used anymore even if they are enabled. I need to restart the engine to fix it.

17
Web Proxy Filtering and Caching / Re: Setup for children protection
« on: August 12, 2023, 11:57:01 am »
Hello,

Setup seems OK with AdGuard Home on an RPi, a dedicated network and Wi-Fi router for the kids. Some firewall rules enforce usage of AdGuard Home as DNS server, and disable 443 on UDP. Zenarmor tries to block DNS over TLS and HTTPS.

But now, my issue is to prevent my kids from using a VPN … and it seems to be challenging without full TLS inspection.
Zenarmor does not provide it yet; what kind of tool can give me this kind of protection? I can add a CA on my kids' devices, it's not an issue.

Thanks for the help

18
Zenarmor (Sensei) / Re: Zenarmor and VPN detection
« on: August 11, 2023, 04:52:58 pm »
I've made a simple test:

Deploy a WireGuard VPN server on a cloud VM.

If I use the default WireGuard server port 51820, Zenarmor blocks the connection from my device.
If I use port 52820 for WireGuard, Zenarmor considers it Generic TCP and not WireGuard VPN.

So what is the point of doing DPI if a simple port change can fool Zenarmor?

19
Zenarmor (Sensei) / Zenarmor and VPN detection
« on: August 11, 2023, 12:38:23 pm »
Hello,

I'm trying to use Zenarmor to detect VPN connections from a kids network, but it seems that Zenarmor has a difficult time achieving it.

I've blocked all the Proxy category (Security and App Controls) but here are my results:

The Hide.me application bypasses Zenarmor (hide.me is in the proxy list)
The 1.1.1.1 application with WARP from Cloudflare bypasses Zenarmor

I've a WireGuard server and tested it:

   192.168.2.14   -   50307   1X.X.2XX.X   60beb40d093e   109.0.230.182   -   55820   Generic TCPIP   Generic TCPIP   Generic TCPIP

It is seen as Generic TCPIP traffic and not WireGuard or VPN traffic, and it bypasses Zenarmor too.

Has someone managed to block VPNs with Zenarmor?
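The two posts above (the 51820 vs 52820 test, and the 55820 flow logged as Generic TCPIP) both show that classifying by UDP port alone misses a relocated WireGuard server. The following is an added illustration, not Zenarmor's or OPNsense's code, of how a port-independent detector can key on the fixed WireGuard message layout instead (type byte plus three reserved zero bytes and fixed message lengths, as defined by the WireGuard protocol); the IP addresses and packet contents are constructed sample data.

```python
import struct
from collections import defaultdict

# Fixed sizes of the three handshake-phase WireGuard messages, keyed by type byte.
# Transport (type 4) packets are a 16-byte header + 16*n padded payload + 16-byte tag,
# so their length is always a multiple of 16 and at least 32.
WG_FIXED = {1: ("handshake_initiation", 148),
            2: ("handshake_response", 92),
            3: ("cookie_reply", 64)}

def classify_wireguard(payload: bytes):
    """Name the WireGuard message type a UDP payload looks like, or None.
    Only the wire layout is checked (type byte, three reserved zero bytes,
    fixed lengths), so the UDP port plays no role in the decision."""
    if len(payload) < 32:
        return None
    # Reading type + reserved bytes as one little-endian u32 checks both at once.
    mtype = struct.unpack_from("<I", payload, 0)[0]
    if mtype in WG_FIXED:
        name, size = WG_FIXED[mtype]
        return name if len(payload) == size else None
    if mtype == 4 and len(payload) % 16 == 0:
        return "transport"
    return None

def find_wireguard_flows(packets):
    """packets: iterable of (src, sport, dst, dport, udp_payload).
    A flow is reported only when an initiation and a response are both seen,
    which avoids flagging random UDP payloads that merely start with 0x01/0x02."""
    seen = defaultdict(set)
    for src, sport, dst, dport, payload in packets:
        kind = classify_wireguard(payload)
        if kind is None:
            continue
        key = tuple(sorted([(src, sport), (dst, dport)]))  # direction-agnostic flow key
        seen[key].add(kind)
    return [k for k, kinds in seen.items()
            if {"handshake_initiation", "handshake_response"} <= kinds]

# Constructed sample traffic: a WireGuard handshake on the non-default port 52820
# from the test above, plus an unrelated UDP packet on 51820 that is not WireGuard.
CLIENT, SERVER = ("192.168.2.14", 50307), ("203.0.113.10", 52820)
SAMPLE = [
    (*CLIENT, *SERVER, b"\x01\x00\x00\x00" + b"\xaa" * 144),  # 148-byte initiation
    (*SERVER, *CLIENT, b"\x02\x00\x00\x00" + b"\xbb" * 88),   # 92-byte response
    (*CLIENT, *SERVER, b"\x04\x00\x00\x00" + b"\xcc" * 44),   # 48-byte transport packet
    ("192.168.2.14", 40000, "203.0.113.10", 51820, b"\x01\x00\x00\x00" + b"\xdd" * 60),  # wrong size
]

if __name__ == "__main__":
    for flow in find_wireguard_flows(SAMPLE):
        print("WireGuard handshake observed between", flow)
```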

20
Zenarmor (Sensei) / Re: [RESOLVED] Zenarmor Engine 1.14.1 Update Won't Allow by "Item" Only "Category"
« on: August 10, 2023, 07:12:25 pm »
Ok thanks.

The main issue is that a lot of modern VPNs start to use port 443 ... So I think it will be difficult to globally block port 443 if you want to still be able to use the internet :)


21
Zenarmor (Sensei) / Re: [RESOLVED] Zenarmor Engine 1.14.1 Update Won't Allow by "Item" Only "Category"
« on: August 10, 2023, 12:44:20 pm »
Quote from: athurdent on August 10, 2023, 05:37:15 am
Quote from: deuch on August 09, 2023, 09:43:00 pm
It logs Secure Web Browsing for many VPNs that I tried.
And with a VPN, Zenarmor will not see the DNS requests, even in DoH or DoT.
Some DoT or DoH servers are not detected by Zenarmor; I need to find the one I tried a few days ago.
Have you tried the actual VPN services, or only visited their websites? If a VPN connection should be blocked and is not, file a ticket. Zenarmor are friendly and fast to respond.
Same goes for missing DoH servers.

Of course I've used the official application of hide.me on iPad and iPhone, and the one of Cloudflare with WARP on iOS/Android too. And those VPNs are not blocked by Zenarmor. I've almost succeeded by creating a blacklist of some domains with Zenarmor and AdGuard, but it is still DNS blocking, and Zenarmor uses DPI, which is normally better.

You can have a try with the 1.1.1.1 application of Cloudflare; it does not require an account or credit card. Hide.me needs you to create an account, but no credit card is required for the free version.

22
Zenarmor (Sensei) / Re: [RESOLVED] Zenarmor Engine 1.14.1 Update Won't Allow by "Item" Only "Category"
« on: August 09, 2023, 09:43:00 pm »
It logs Secure Web Browsing for many VPNs that I tried.
And with a VPN, Zenarmor will not see the DNS requests, even in DoH or DoT.
Some DoT or DoH servers are not detected by Zenarmor; I need to find the one I tried a few days ago.

23
Zenarmor (Sensei) / Re: App control sub-categories
« on: August 09, 2023, 08:42:43 pm »
Yes, I thought the same way … at least maybe a button with a different color like orange to show that some of the items are blocked but not all? And replace Allowed by Custom, for example?

24
Zenarmor (Sensei) / Re: [RESOLVED] Zenarmor Engine 1.14.1 Update Won't Allow by "Item" Only "Category"
« on: August 09, 2023, 08:40:51 pm »
But can Zenarmor block VPNs?

I've blocked all the proxy categories, but my 9-year-old kid destroyed all my security just by installing the hide.me VPN software on his phone … Same thing for the 1.1.1.1 VPN software on iOS or Android; Zenarmor does not block anything regarding VPNs (at least in my setup).

So what is the point of blocking DoH or DoT (and not always; I've tried some DoH and DoT DNS servers and they are not blocked by Zenarmor either) or of having DPI if a simple free VPN software can bypass all the security of OPNsense and Zenarmor? Every VPN on 443 is not seen as a VPN by Zenarmor …

So I'm really confused …

25
Zenarmor (Sensei) / Re: Home subscription - policy disabling itself
« on: August 09, 2023, 08:35:42 pm »
Same thing for me, policies are disabled after a Zenarmor update.

26
Zenarmor (Sensei) / Re: Zenarmor Engine 1.14.1 Update Won't Allow by "Item" Only "Category"
« on: August 08, 2023, 02:24:28 pm »
Same thing here:

I've only blocked, in Network Management:
DNS over TLS
DNS over HTTPS

and now DNS and NTP are not working (they are in allow mode like the rest ...)

27
Zenarmor (Sensei) / Re: Zenarmor 1.14: 'Network error' after upgrading & fresh install stuck on wizard
« on: August 07, 2023, 10:15:50 am »
I did an install using the management IP of the FW and it works this time.

I'm now able to create policies etc.

But I still cannot use Zenarmor with the opnsense.localdomain name, only with the private IP.

28
Zenarmor (Sensei) / Re: Zenarmor: 'Network error' after upgrading & fresh install stuck on wizard
« on: August 07, 2023, 07:45:05 am »
I've an OPNsense installed on my home network.

I've tried to update to Zenarmor 1.14 and I've the same issue, "Network Error".

I reach my OPNsense device with the https://opnsense.localdomain URL (private one).

After updating Zenarmor or trying to reinstall it, the network error comes from the fact that the Zenarmor web UI tries to fetch the js/css/img/html components from my WAN IP address and not the 192.168.1.1/opnsense.localdomain URL ... + an issue with the CORS policy because of the mismatch of the 2 domains/IPs.

I think there is something wrong with the setup, and the WAN address must not be used to serve the web UI of Zenarmor.

Even the uninstall tab does not work, with the same "Network Error", so I cannot send a ticket to support directly :(

So for now, no more Zenarmor on my system to protect my kids' devices :( ... I'm in my trial period and was ready to buy a subscription, but with this faulty upgrade, I'm starting to look at other products.

29
Web Proxy Filtering and Caching / Re: Setup for children protection
« on: June 15, 2023, 11:48:27 am »
Thanks,

I've started to do this kind of setup. I used an AirPort Time Capsule on a dedicated port of the OPNsense firewall (I've 4x2.5Gb ports) and the kids are using this Wi-Fi network only.

But with Unbound, how do you create separate profiles for blocking lists? Like an adult one for this interface (LAN for example) and a kids one for another (Kids in my setup).
It seems that the same "profile" and blocking list is applied to both (or I didn't understand or find it).

Zenarmor seems to have this feature, but only in the paid version.

30
Web Proxy Filtering and Caching / Re: Setup for children protection
« on: June 07, 2023, 10:50:22 am »
I've an Apple AirPort Extreme that I can use as an AP for my kids and use it on a dedicated port.

So WAN, LAN and KIDS.

What is better between using a dedicated port or using a switch with VLANs? For performance and management?

In the case of using 3 ports (WAN, LAN and KIDS), will the clients in the KIDS network be able to use Network Discovery or the Bonjour protocol or multicast between LAN and KIDS easily?

Basically in LAN I will have a NAS, Roon Server, computer, Sonos speakers, and in KIDS I will have a phone and tablet and Sonos speakers which need to discover (and be discovered by) some LAN assets.
So no issue here with the right settings? Can I also use local DNS names for each network?

My aim is to use an AdGuard Home in the KIDS network (RPi4 connected to the AirPort Extreme) and enforce Wi-Fi devices connected to the AirPort to use AdGuard Home as DNS server (no need to filter MAC or anything in this case). [I'm thinking of Zenarmor too, with a policy based only on the KIDS interface, but I will try it for free before jumping to a subscription]

Sorry for some dumb questions, I've some knowledge about networks but not so deep as yours :)

I've some issues with my double-NAT network right now (modem/router without bridge mode and an Asus XT8 Wi-Fi router set as router to have parental control and filtering enabled and WireGuard). And in this setup the discovery between devices does not work :( (maybe I didn't set it up correctly or this simple network device does not bring so much control to do that).

Again, thanks for your help!

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved