How to block Psiphon

BTee
Here to help

How to block Psiphon

How to block Psiphon which can bypass Meraki authentication. How to block it using Layer 7 firewall rules?

 

Even "Block all access until sign-on is complete" does not work with blocking Psiphon.

 

Current hack to bypass Meraki Authenication

- Connect to the SSID

- Launch the app called Psiphon

- Start the Psiphon VPN

10 REPLIES 10
ConnorL
Meraki Employee
Meraki Employee

"Block all access until sign-on is complete" should block *all* traffic until the splash page has been authenticated against. If you run a packet capture on the MR's LAN, do you definitely see this VPN traffic on the wire?
PhilipDAth
Kind of a big deal
Kind of a big deal

As I understand it @ConnorL , Psiphon is able to run its VPN service entirely using standard DNS queries (it sends the payload inside of actual normal and standard DNS queries).

 

As such, it won't be able to be blocked on Meraki kit at this point in time.

 

 

About the only thing that might work was if an IPS signature was released that could match it.

Just a thought, connect the AP to Cisco Umbrella and route all dns traffic to it.

@PhilipDAth How about Cisco Umbrella? Will it work on blocking Psiphon?

PhilipDAth
Kind of a big deal
Kind of a big deal

>@PhilipDAth How about Cisco Umbrella? Will it work on blocking Psiphon?

 

I don't know the answer to that question.

Psiphon is able to run its VPN service without being blocked by Meraki.
ConnorL
Meraki Employee
Meraki Employee

If I get some free time tomorrow I'll try and lab this at home. If it's causing an issue, i.e. guests are able to traverse traffic without authenticating with your splash page then you can raise a support ticket.

The engineer will then be able to look at your actual configuration as it may be something as simple as a config issue like walled garden etc.

Kind regards,

--

Connor Loughlin
Network Support Engineer

.:|:.:|:. Cisco Meraki EMEAR 🇬🇧

For reference, many questions can be easily answered by searching our online documentation: http://documentation.meraki.com

Just tried it on a test SSID, and yeah, to my amazement it tunnels everything over DNS and worked perfectly. Windows still alerts than DNS isn't working, but web browsing etc works fine.

 

Screenshot 2020-04-28 at 17.12.02.png

 

You'll need to block all DNS, except for Google / OpenDNS / ISP DNS server in order to prevent this. My test network was:

Client ( ( ( ( ) ) ) )  MR <===> MX

 

Blocking DNS on the MR won't work as until the splash is passed all DNS is allowed, you'll need to block it upstream device (MX / Router). I blocked all DNS by blocking port 53 on both TCP and UDP but added an explicit allow for 8.8.8.8 and 8.8.4.4 which prevented Psiphon from connecting.

Thank you @ConnorL how about using Cisco Umbrella?

ConnorL
Meraki Employee
Meraki Employee

I haven't had a chance to try it with the current situation. It's a bit of an overkill just to block this VPN tool so blocking all DNS except your upstream/preferred DNS server is probably easiest there.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.