This allows anyone anywhere to bypass their content filter, since the traffic now goes through a VPN (a safe and secure tunnel).
This is part of an internal post by Darren Crithley to the KDI technician support team, which I think is of real value to the general public.
The kids at one of the schools are circumventing the NetSentron using this:
http://www.hotspotshield.com/
It is an installable program that becomes a proxy on their own PC and allows them to get past the NetSentron.
It is actually a VPN endpoint with a proxy that runs on your localhost (127.0.0.1).
It is using OpenVPN as a VPN client, and they have set up some websites that are the endpoints. So far: 68.68.108.3 and 68.68.108.4.
There have been a lot of these VPN bypasses showing up of late and this one is pretty slick.
But I am able to block it, so here are the instructions for you to block it:
———————————————————————–
Go to Firewall -> IP Block
Choose Protocol: udp
Source IP or network: 68.68.108.0/24
Port: *
Drop Packet
Direction: In and Out bound packets
Enabled (yes)
Do the same for TCP
Choose Protocol: tcp
Source IP or network: 68.68.108.0/24
Port: *
Drop Packet
Direction: In and Out bound packets
Enabled (yes)
I have probably blocked off more than I should have with the /24, but I figured that they may have a block of IPs. You can try just the 68.68.108.3 and 68.68.108.4 (udp/tcp).
———————————————————————–
Now here is the tech part on how to figure this out if the kids are using a different product to bypass:
These bypasses are VPNs and therefore they need to connect to "somewhere" so they can surf the net. That "somewhere" is what we will block.
If someone is not already using the bypass product, then install it on your laptop or computer.
Next, run it and connect to what should be a banned site.
Then look at the connections analysis on the NetSentron; I suspect you will see a connection to a weird port (either TCP or UDP).
Stop the bypass product on the PC or laptop.
Add the IP address and ALL ports to IP Block, set in and out packets.
Run the bypass product again and see what shows up.
Keep doing this until you get all the IPs.
This Hotspot Shield was pretty slick: when I blocked all the UDP ports for it, it switched over to TCP and connected again. Once I had the TCP and UDP blocked, that was the end of it (until they get another block of IP addresses).
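The iterative "look at the connection list, block the endpoint on all ports, run it again" loop above, and the UDP-to-TCP fallback it mentions, as an added example that is not part of Darren's post or any KDI/NetSentron tool: it takes a constructed connection table, flags external hosts reached on ports outside normal web/DNS traffic, and reports which protocols to each flagged host are still not covered by the IP Block rules. The connection tuple layout, the 1194 port value and the non-endpoint addresses are assumptions made for the sample.

```python
import ipaddress
from collections import defaultdict

# Ports ordinary browsing uses; a host reached on anything else is a "weird port".
EXPECTED_PORTS = {53, 80, 443}

# Constructed sample of a firewall connection table: (proto, src, dst, dport).
# 68.68.108.3/.4 are the endpoints named in the post; the last two rows are
# normal web and DNS traffic that must not be flagged.
SAMPLE_CONNECTIONS = [
    ("udp", "192.168.1.50", "68.68.108.3", 1194),
    ("udp", "192.168.1.50", "68.68.108.4", 1194),
    ("tcp", "192.168.1.50", "68.68.108.3", 443),   # TCP fallback after UDP was blocked
    ("tcp", "192.168.1.50", "93.184.216.34", 80),
    ("udp", "192.168.1.50", "8.8.8.8", 53),
]


def block_rule(proto, network):
    """One IP Block rule as described in the post: protocol + network, all ports, in and out."""
    return {"proto": proto, "net": ipaddress.ip_network(network)}


# The two rules the post ends up with (udp and tcp on the whole /24).
POST_RULES = [block_rule("udp", "68.68.108.0/24"), block_rule("tcp", "68.68.108.0/24")]


def unblocked_protocols(ip, protos_seen, rules):
    """Protocols over which `ip` was reached that no rule drops."""
    addr = ipaddress.ip_address(ip)
    covered = {r["proto"] for r in rules if addr in r["net"]}
    return set(protos_seen) - covered


def find_candidates(connections, rules):
    """Group connections by destination; keep hosts seen on a non-standard port."""
    by_dst = defaultdict(lambda: {"ports": set(), "protos": set()})
    for proto, _src, dst, dport in connections:
        by_dst[dst]["ports"].add(dport)
        by_dst[dst]["protos"].add(proto)
    result = {}
    for dst, info in by_dst.items():
        if info["ports"] <= EXPECTED_PORTS:
            continue  # only normal web/DNS ports: not an endpoint candidate
        result[dst] = dict(info, unblocked=unblocked_protocols(dst, info["protos"], rules))
    return result


if __name__ == "__main__":
    for dst, info in find_candidates(SAMPLE_CONNECTIONS, POST_RULES).items():
        print(dst, sorted(info["ports"]), sorted(info["protos"]), "still open:", info["unblocked"])
```

With only the UDP rule in place the report shows 68.68.108.3 still reachable over TCP, which is exactly the fallback the post describes; with both rules nothing is left open.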
Apr 13