Question Disabling VPN connections by MAC address

Aug 29, 2024
I’m using an EERO in line with a CenturyLink C4000XG router for home Internet parental controls of a Windows laptop, a Chromebook, and apps/content on Smart TVs. EERO had been working very well for the intended purpose – until kiddo caught wind of how to use free VPNs from posted YouTube content, effectively bypassing the EERO device altogether (thanks for nothing, content creators…).

Wife and I work from home, and we use our company-required VPNs daily. But I need to find a reliable way to block any/all VPNs running on the kiddo's Windows laptop and the Chromebook.

I’ve called EERO and they don’t have that capability, nor do they plan to (This is a bad Product Management decision, IMHO, because this is a real issue for any parent trying to limit Internet content access. Additionally, because a VPN can tunnel right through the EERO device, it negates the need to have one in the first place. If EERO product sales are not declining yet, they soon will be until this issue is resolved).

I’ve called CenturyLink and they said the question is ‘out of scope’ as a technical support question. In other words, they don’t know or aren’t saying.

Is there a way using a given device’s MAC address to block a VPN connection from being established using a C4000XG? And, if not, is anyone aware of additional hardware I could add to the network that would? Any suggestions and advice appreciated.
 

kanewolf

Titan
Moderator
If your kids are smart enough to use a VPN, then they are smart enough to change the MAC address of the devices. MAC filtering is not the solution, IMO.
 
Aug 29, 2024
Thanks, kanewolf. Since our work computers are on the same home network as our kid's devices, what approach would you recommend to uniquely identify the kid's devices -- and disallow a VPN connection? Or, would this be some kind of agent running on the devices themselves?
 

kanewolf

Titan
Moderator
The question above about admin access is the first thing.

But you are trying to believe there is a technical solution to a sociology problem. There isn't. If they can't use your home internet, they will use their phones, or their friends' phones.
The solution is to have them use technology ONLY in common spaces. No phone/tablet/laptop in their rooms. Your network can't be your nanny.
 

COLGeek

Cybernaut
Moderator
And you can't let your kids decide what to install/configure. You need to limit their permissions to the extent you can.
 
Extremely hard when you cannot trust the devices/kids to not violate the rules.

You have 2 kinda big issues.

The first is what is a VPN and how do you identify it. Most VPNs have the ability to run on standard HTTPS/443 ports so it looks like web traffic. The Chinese government has found a way to detect a pattern that is different in normal encrypted web traffic and VPN simulating encrypted web traffic. Not something you are going to do with a home router.

You would somehow have to get a list of all the IP addresses VPN services are using and block them that way. Not very realistic.

So what you then attempt is a white list configuration. You block every site in existence then put in lists of sites that are allowed, i.e. white list them. Very painful to set up unless you can, say, limit it to maybe the child's school or something.

The second problem is the ability to spoof the MAC/IP in your house. This would let them get around a block list where you allow your PC more access than theirs. They could attempt to spoof the MAC address of your machine. There are very technical methods called 802.1x that can prevent this but it is only kinda supported on wifi in consumer equipment. You still must use enterprise mode and have a RADIUS server function running on some PC.

Maybe an easier way to prevent the spoofing addresses is to put in a second network/router for the kids. You would then put the white list rules on that router...assuming you get a small enough list. Only really works for wifi where you can not tell them the password for your real network and only the one for their router. Doesn't work real well with ethernet since it is not real hard to wire around physical boxes.

As a side note it is even simpler to bypass the eero than a VPN. All web traffic is now encrypted since our friend Snowden ratted out the government for spying on USA citizens. This pretty much killed off any form of parental controls. There was 1 small crack that allowed monitoring. The DNS requests were sent unencrypted. You could see the site being accessed but not details on usage. That loophole has now mostly been closed. Although it is not on by default on many machines yet, all you need to do is enable the encrypted DNS. Now all the DNS packets also look like HTTPS traffic.

So any kind of parental controls is more a feature they print on the box than something that is effective in limiting content.
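An added example, not part of any post in this thread: a sketch of the default-deny white list on a separate kids' network that the last post describes, with the policy chosen by network segment rather than by MAC address. The subnets, domain names and flow records are constructed, and the `host` field is assumed to be the name the filter saw (for instance from its own DNS resolver or the TLS SNI).

```python
import ipaddress

# Assumed layout (hypothetical): the kids' router hands out 192.168.50.0/24,
# the parents' network is 192.168.1.0/24. Policy is chosen by the segment a
# flow arrives from, never by its MAC address, so cloning a MAC gains nothing.
KIDS_NET = ipaddress.ip_network("192.168.50.0/24")
KIDS_ALLOWED = {"school.example", "library.example"}  # constructed white list


def host_allowed(hostname, allowed=KIDS_ALLOWED):
    """True only for a white-listed domain or a subdomain of one."""
    host = (hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def decide(flow):
    """Return 'allow' or 'deny' for one flow record (a dict)."""
    if ipaddress.ip_address(flow["src_ip"]) not in KIDS_NET:
        return "allow"  # parents' segment: company VPNs are unaffected
    # Default deny on the kids' segment. A flow with no hostname (a tunnel to
    # a bare IP, on 443 or any other port) can never match the white list.
    return "allow" if host_allowed(flow.get("host")) else "deny"


KID, PARENT = "02:00:00:00:00:aa", "02:00:00:00:00:01"  # made-up MACs
# Constructed sample flows: (source IP, MAC, observed hostname, port).
SAMPLE_FLOWS = [
    ("192.168.50.20", KID, "portal.school.example", 443),   # white-listed site
    ("192.168.50.20", KID, None, 443),                      # VPN on 443 to an IP
    ("192.168.50.20", KID, "doh.resolver.example", 443),    # encrypted DNS
    ("192.168.50.20", PARENT, "vpn.provider.example", 443), # parent's MAC cloned
    ("192.168.50.20", KID, "notschool.example", 443),       # look-alike suffix
    ("192.168.1.10", PARENT, "vpn.corp.example", 443),      # work laptop
]


def evaluate(flows=SAMPLE_FLOWS):
    """Verdict for each sample flow, in order."""
    return [decide({"src_ip": ip, "mac": mac, "host": host, "port": port})
            for ip, mac, host, port in flows]


if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, evaluate()):
        print(verdict, *flow)
```

The MAC field is carried through but never consulted: the verdict depends only on which network the device had the password for and on the white list.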
 