How to block Psiphon

Here to help

How to block Psiphon which can bypass Meraki authentication. How to block it using Layer 7 firewall rules?

Even "Block all access until sign-on is complete" does not work with blocking Psiphon.

Current hack to bypass Meraki Authentication

- Connect to the SSID

- Launch the app called Psiphon

- Start the Psiphon VPN

Meraki Employee

Re: How to block Psiphon

"Block all access until sign-on is complete" should block *all* traffic until the splash page has been authenticated against. If you run a packet capture on the MR's LAN, do you definitely see this VPN traffic on the wire?
Kind of a big deal

Re: How to block Psiphon

As I understand it @MerakiConnor, Psiphon is able to run its VPN service entirely using standard DNS queries (it sends the payload inside of actual normal and standard DNS queries).

As such, it won't be able to be blocked on Meraki kit at this point in time.

About the only thing that might work was if an IPS signature was released that could match it.

Here to help

Re: How to block Psiphon

Just a thought, connect the AP to Cisco Umbrella and route all DNS traffic to it.
Here to help

Re: How to block Psiphon

Psiphon is able to run its VPN service without being blocked by Meraki.
Here to help

Re: How to block Psiphon

@PhilipDAth How about Cisco Umbrella? Will it work on blocking Psiphon?

Kind of a big deal

Re: How to block Psiphon

> @PhilipDAth How about Cisco Umbrella? Will it work on blocking Psiphon?

I don't know the answer to that question.

Meraki Employee

Re: How to block Psiphon

If I get some free time tomorrow I'll try and lab this at home. If it's causing an issue, i.e. guests are able to traverse traffic without authenticating with your splash page, then you can raise a support ticket.

The engineer will then be able to look at your actual configuration as it may be something as simple as a config issue like walled garden etc.

Kind regards,

--

Connor Loughlin
Network Support Engineer

.:|:.:|:. Cisco Meraki EMEAR 🇬🇧

For reference, many questions can be easily answered by searching our online documentation: http://documentation.meraki.com
Meraki Employee

Re: How to block Psiphon

Just tried it on a test SSID, and yeah, to my amazement it tunnels everything over DNS and worked perfectly. Windows still alerts that DNS isn't working, but web browsing etc. works fine.

You'll need to block all DNS, except for Google / OpenDNS / ISP DNS server in order to prevent this. My test network was:

Client ( ( ( ( ) ) ) )  MR <===> MX

Blocking DNS on the MR won't work, as until the splash is passed all DNS is allowed; you'll need to block it on an upstream device (MX / Router). I blocked all DNS by blocking port 53 on both TCP and UDP but added an explicit allow for 8.8.8.8 and 8.8.4.4, which prevented Psiphon from connecting.
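
The rule order described in the post above, modelled as an added example (not part of the original thread, and not Meraki's own code or rule syntax): a first-match evaluator run over constructed flows to check that only the approved resolvers are reachable on port 53. The trailing allow-any default rule, the fail-closed fallback and the 203.0.113.53 documentation address are assumptions.

```python
import ipaddress

# Ordered L3 rules modelled on the post: explicit allows for the approved
# resolvers first, then a deny for every other port-53 destination.
# The final allow-any is an assumed default rule, not taken from the thread.
RULES = [
    ("allow", "any", "8.8.8.8/32", 53),
    ("allow", "any", "8.8.4.4/32", 53),
    ("deny",  "any", "0.0.0.0/0",  53),
    ("allow", "any", "0.0.0.0/0",  None),  # None = any destination port
]

def evaluate(rules, proto, dst_ip, dst_port):
    """Return the action of the first rule matching the flow (first match wins)."""
    dst = ipaddress.ip_address(dst_ip)
    for action, r_proto, r_net, r_port in rules:
        if r_proto not in ("any", proto):
            continue
        if dst not in ipaddress.ip_network(r_net):
            continue
        if r_port is not None and r_port != dst_port:
            continue
        return action
    return "deny"  # assumption: nothing matched, fail closed

def leaked_dns(rules, flows):
    """Port-53 flows the rules allow to a resolver outside the approved set."""
    approved = {"8.8.8.8", "8.8.4.4"}
    return [f for f in flows
            if f[2] == 53 and f[1] not in approved and evaluate(rules, *f) == "allow"]

# Constructed sample flows: (protocol, destination IP, destination port).
# 203.0.113.53 stands in for any resolver that is not on the approved list.
FLOWS = [
    ("udp", "8.8.8.8", 53),
    ("tcp", "8.8.4.4", 53),
    ("udp", "203.0.113.53", 53),
    ("tcp", "203.0.113.53", 53),
    ("tcp", "203.0.113.53", 443),
]

# Variant for comparison: the deny covers UDP only, so TCP port 53 is missed.
UDP_ONLY = [RULES[0], RULES[1], ("deny", "udp", "0.0.0.0/0", 53), RULES[3]]

if __name__ == "__main__":
    for flow in FLOWS:
        print(flow, "->", evaluate(RULES, *flow))
    print("leaks with UDP-only deny:", leaked_dns(UDP_ONLY, FLOWS))
```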

Here to help

Re: How to block Psiphon

Thank you @MerakiConnor, how about using Cisco Umbrella?

Meraki Employee

Re: How to block Psiphon

I haven't had a chance to try it with the current situation. It's a bit of an overkill just to block this VPN tool so blocking all DNS except your upstream/preferred DNS server is probably easiest there.