How to block Psiphon which can bypass Meraki authentication. How to block it using Layer 7 firewall rules?
Even "Block all access until sign-on is complete" does not work with blocking Psiphon.
Current hack to bypass Meraki Authenication
- Connect to the SSID
- Launch the app called Psiphon
- Start the Psiphon VPN
As I understand it @MerakiConnor , Psiphon is able to run its VPN service entirely using standard DNS queries (it sends the payload inside of actual normal and standard DNS queries).
As such, it won't be able to be blocked on Meraki kit at this point in time.
About the only thing that might work was if an IPS signature was released that could match it.
Just tried it on a test SSID, and yeah, to my amazement it tunnels everything over DNS and worked perfectly. Windows still alerts than DNS isn't working, but web browsing etc works fine.
You'll need to block all DNS, except for Google / OpenDNS / ISP DNS server in order to prevent this. My test network was:
Client ( ( ( ( ) ) ) ) MR <===> MX
Blocking DNS on the MR won't work as until the splash is passed all DNS is allowed, you'll need to block it upstream device (MX / Router). I blocked all DNS by blocking port 53 on both TCP and UDP but added an explicit allow for 126.96.36.199 and 188.8.131.52 which prevented Psiphon from connecting.