This article outlines how to implement the firewall, inspection, and filtering controls required to prevent users from bypassing filtering to access content that should be blocked.
There are several ways users can bypass filtering, including:
- Web proxy anonymiser websites: Websites that have innocent-looking addresses but are portals to other websites. Smoothwall Filter with HTTPS Inspection can inspect the content of these websites and identify them in real time, even if they aren’t in the Blocklist.
- Web proxy settings on devices: A web proxy configured on the device hides the real URL from web filters by intercepting web requests, so the filter sees only an IP host or the IP address of an upstream public proxy server rather than the site the user is visiting. Smoothwall Firewall can block this traffic using a restrictive firewall policy as detailed below.
- VPN applications and extensions: VPN applications and extensions create an encrypted connection that hides traffic from analysis and filtering. You must configure Smoothwall Firewall and Filter settings to block this traffic.
Web proxy anonymiser websites operate over HTTP and HTTPS, while VPNs and web proxy settings use a wide range of ports that frequently change and often disguise their traffic as coming from legitimate services. For example, the proxy-avoidance tool Psiphon tunnels web traffic out over TCP Port 53, making it easily mistaken for DNS traffic.
Because of this, don’t allow all traffic while trying to block specific VPN and Web proxy ports. Instead, block all incoming and outgoing network traffic except the traffic you’ve confirmed is safe. For all devices (managed or unmanaged), follow the instructions below.
Before you begin
If you have managed devices, lock them down so end users can’t install Web Proxy or VPN apps or extensions. Refer to the documentation for the devices used in your organisation.
Step 1: Block traffic through your firewall
- Create a list of the services your users’ devices require to function.
Note
If you are unsure of the configuration you need, contact your Customer Success Manager about Professional Services.
- Devices typically only need HTTP/S and DNS for their most common uses. Provide DNS from a local DNS server with public forwarders or from the Smoothwall Appliance, not from external DNS servers.
- Check your Firewall rules:
Note
If you use a firewall system other than Smoothwall, follow your provider’s documentation.
  - Ensure your default catch-all Firewall rule is set to Drop all outgoing traffic.
  - Create Allow rules above this for TCP 80 (HTTP), TCP 443 (HTTPS) and any other ports required for specific applications used on your devices.
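As an added illustration (not Smoothwall's own code or configuration), the following Python models the Step 1 rule order as a first-match policy and compares it with the approach the article warns against: allowing everything and then blocking known VPN ports. The resolver address, LAN range, rule names and sample flows are constructed for the example; the point it shows is that a tunnel hiding on TCP 53 to an external host falls through to the catch-all Drop in the restrictive policy but is waved through by the permissive one.

```python
"""Added example (not Smoothwall's own code): a first-match model of the
Step 1 firewall policy. Two constructed rule sets are compared: the
restrictive one the article recommends (catch-all Drop, with Allow rules
above it) and a permissive one that tries to block known VPN ports only.
Resolver address, rule names and sample destinations are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network
from typing import List, Optional, Tuple, Union

# Constructed value: the only resolver devices are allowed to query.
LOCAL_DNS = ip_network("10.0.0.53/32")
ANY = None  # wildcard for protocol, port or destination network


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                   # "allow" or "drop"
    proto: Optional[str] = ANY
    dst_port: Optional[int] = ANY
    dst_net: Optional[Union[IPv4Network, IPv6Network]] = ANY

    def matches(self, flow: Flow) -> bool:
        if self.proto is not ANY and self.proto != flow.proto:
            return False
        if self.dst_port is not ANY and self.dst_port != flow.dst_port:
            return False
        if self.dst_net is not ANY and ip_address(flow.dst_ip) not in self.dst_net:
            return False
        return True


def evaluate(policy: List[Rule], flow: Flow) -> Tuple[str, str]:
    """Return (action, rule name) of the first rule that matches the flow."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action, rule.name
    raise ValueError("policy has no catch-all rule")


# The order the article asks for: Allow rules above a Drop-everything catch-all.
RESTRICTIVE = [
    Rule("allow HTTP", "allow", "tcp", 80),
    Rule("allow HTTPS", "allow", "tcp", 443),
    Rule("allow DNS to local resolver", "allow", "udp", 53, LOCAL_DNS),
    Rule("allow DNS/TCP to local resolver", "allow", "tcp", 53, LOCAL_DNS),
    Rule("catch-all drop", "drop"),
]

# The approach the article warns against: allow everything, then chase VPN ports.
PERMISSIVE = [
    Rule("drop OpenVPN", "drop", "udp", 1194),
    Rule("drop PPTP", "drop", "tcp", 1723),
    Rule("drop IPsec IKE", "drop", "udp", 500),
    Rule("drop IPsec NAT-T", "drop", "udp", 4500),
    Rule("allow all", "allow"),
]

# Constructed sample flows (203.0.113.0/24 is documentation address space).
SAMPLE_FLOWS = {
    "browser HTTPS": Flow("tcp", "203.0.113.10", 443),
    "DNS to local resolver": Flow("udp", "10.0.0.53", 53),
    "proxy tunnel on TCP 53 to external host": Flow("tcp", "203.0.113.20", 53),
    "QUIC (UDP 443)": Flow("udp", "203.0.113.10", 443),
    "OpenVPN": Flow("udp", "203.0.113.30", 1194),
}


def compare(flow: Flow) -> Tuple[str, str]:
    """(restrictive action, permissive action) for the same flow."""
    return evaluate(RESTRICTIVE, flow)[0], evaluate(PERMISSIVE, flow)[0]


if __name__ == "__main__":
    for label, flow in SAMPLE_FLOWS.items():
        restrictive, permissive = compare(flow)
        print(f"{label:42} restrictive={restrictive:5} permissive={permissive}")
```

Note that in the restrictive policy the catch-all also drops UDP 443 (QUIC), because only TCP 443 was allowed; Step 2 still asks you to block QUIC at the filter so that browsers fall back to TCP rather than silently failing.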
Step 2: Block traffic using inspection and filtering
- Block Quick UDP Internet Connection (QUIC).
- Ensure Encrypted Client Hello (ECH) is filtered.
- Create a Web Filter Policy to block these categories:
  - DNS over HTTPS
  - Proxies and VPNs
  - All HTTP URLs Containing an IP Address
  - All HTTPS URLs Containing an IP Address
- Use the default HTTPS Inspection Policies or create an HTTPS Inspection Policy to Decrypt and Inspect Everything. This ensures the Smoothwall Appliance inspects and filters websites both for known content, using URL and domain filtering, and for unknown web proxies and VPNs, using real-time content filtering.
- Edit any Transparent Authentication policy to change the Behaviour to:
  - Block HTTPS traffic with no SNI header.
  - For traffic you need to allow that doesn’t use an SNI header (for example, WhatsApp), use Allow Transparent HTTPS incompatible sites and filter others by using the name from the certificate.
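The Step 2 decisions, written out as one function so they can be checked against constructed requests. This is an added example, not Smoothwall's filter logic: the category lookup, the incompatible-sites certificate name (`messenger.example`) and the order in which the checks are applied are all assumptions made for the illustration.

```python
"""Added example (not Smoothwall's own code): the Step 2 HTTPS decisions
(block HTTPS with no SNI unless the certificate name is on the
incompatible-sites list, block URLs whose host is an IP address, block
blocklisted categories) expressed as one function. The category map,
certificate names and requests are constructed; the check order is an
assumption."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, Optional, Tuple

# Categories the article says to block in the Web Filter Policy.
BLOCKED_CATEGORIES = {"DNS over HTTPS", "Proxies and VPNs"}

# Constructed lookup standing in for URL/domain category data.
CATEGORY_OF: Dict[str, str] = {
    "doh.example": "DNS over HTTPS",
    "vpn.example": "Proxies and VPNs",
    "www.example.org": "Reference",
}

# Constructed: a site allowed via "Transparent HTTPS incompatible sites".
# It sends no SNI, so it is matched on the server certificate name instead.
INCOMPATIBLE_SITE_CERT_NAMES = {"messenger.example"}  # hypothetical, not from the article


@dataclass(frozen=True)
class Request:
    scheme: str                      # "http" or "https"
    name: Optional[str]              # Host header (HTTP) or SNI (HTTPS); None if absent
    cert_name: Optional[str] = None  # server certificate name seen after the handshake


def is_ip_literal(name: str) -> bool:
    """True for IPv4 or IPv6 hosts, including bracketed IPv6 ([2001:db8::1])."""
    try:
        ip_address(name.strip("[]"))
        return True
    except ValueError:
        return False


def decide(req: Request) -> Tuple[str, str]:
    """Return (action, reason) for a request, following the Step 2 settings."""
    # Transparent HTTPS with no SNI header: block, unless the certificate
    # name identifies a site on the incompatible-sites allow list.
    if req.scheme == "https" and req.name is None:
        if req.cert_name in INCOMPATIBLE_SITE_CERT_NAMES:
            return "allow", "transparent HTTPS incompatible site (certificate name)"
        return "block", "HTTPS traffic with no SNI header"
    if req.name is None:  # assumption: HTTP without a Host header is not allowed
        return "block", "HTTP request without a Host header"
    # "All HTTP/HTTPS URLs Containing an IP Address" categories.
    if is_ip_literal(req.name):
        return "block", f"All {req.scheme.upper()} URLs Containing an IP Address"
    # Known-domain categories from the blocklist.
    category = CATEGORY_OF.get(req.name.lower())
    if category in BLOCKED_CATEGORIES:
        return "block", category
    return "allow", f"category {category or 'unknown'} not blocked"


if __name__ == "__main__":
    samples = [
        Request("https", None, "messenger.example"),
        Request("https", None, "unknown.example"),
        Request("http", "203.0.113.10"),
        Request("https", "[2001:db8::1]"),
        Request("https", "doh.example"),
        Request("https", "www.example.org"),
    ]
    for sample in samples:
        print(sample, "->", decide(sample))
```

Requests that reach the final `allow` here are exactly the ones the article then hands to HTTPS Inspection and real-time content filtering, which is why the "Decrypt and Inspect Everything" policy matters for proxies and VPNs not yet in any category list.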