Unable to block Hotspot Shield and Betternet VPN

Hi Vineeth Penugonda

Please check by creating the DNS service base firewall rule as shown below and create separate application filter policy  to block high risk application as per link and apply on same  DNS service base firewall rule.

Please try the below steps too in case the application still not getting blocked : 

CLI settings

1. Sign in to the Sophos XG Firewall's console and select 4. Device Console.
2. Verify the current configuration by issuing the following commands.
   show advanced-firewall
show ips-settings
3. Issue the following commands for the recommended settings.
   set advanced-firewall midstream-connection-pickup off
set ips maxsesbytes-settings update 0
set ips maxpkts 80
set ips packet-streaming on

GUI settings

Application filter policy settings

Along with P2P and Proxy and Tunnel category, applications listed below must be denied in the application filter policy. In case of CROS Micro App should be enabled in Application filter Policy.

• DNS Multiple QNAME
• OpenVPN
• QUIC
• DNSCrypt

Firewall rule settings

The same application filter policy (as configured above) must be applied to DNS Firewall rule as well, if there is any.

For Psiphon Proxy

1. HTTPs scanning needs to be enabled in firewall rule 
2. Web filter policy with below categories denied must be applied to the firewall rule
   1. IPAddress
   2. None
   3. Parked Domains
   4. Spam URLs (Available only in XG)
   5. Anonymizers
   6. Spyware & Malware
3. Please go to PROTECT-->Web --->General Settings under HTTPS decryption and scanning, tick mark  Block Invalid Certificates and Block unrecognized SSL protocols
4. Allow only HTTPS, HTTP, DNS, ICMP, SMPT etc. services (essential services) on LAN→WAN; if Psiphon is connected even after following above 3 steps.

Thanks and Regards

Hi Bharat,

I tested with all the settings you provided. I am able to block "Hotspot Shield" by blocking "www.hsselite.com" and blocking "Risk 4 and Risk 5 apps" in the applications filter. 

Interestingly, the Applications Filter detects the Hostspot Shield as "Facebook Website". (Attached Screenshot). 

Sometimes, Psiphon Proxy is detected by the Applications Filter and blocks it. Users are still able to use "Psiphon Proxy" and "Betternet VPN".

The issue is that it appears to use the proxy from my investigation and it not blocked in the proxy. I have tried blocking IP addresses, urls but to no avail and none the addresses appear in log viewer.

Still investigating

Ian

I tried looking at the traffic for Betternet VPN too. I will try to spin up an android virtual image and check the traffic flow for the application.

I have been working this issue most of the afternoon without great success. I broke my users access to the internet by blocking https in a specific rule that stopped the VPN. I had to use my CM access to restore connectivity. I have searched to see if I can identify the servers it uses to no avail. I d have a list of IP addresses but that continual grows so maintaining it would be a pain. Using betternet co or betternet.com does not return any results that get blocked except web access.

It uses 443 to access the internet but how because nothing is logged, no error messages are created or displayed. I would have build a network analyser to hang across the output of the Mac mini to see what is happening. While it might be installed as betternet vpn it obviously does not identify itself as that when setting up the tunnel.

Very frustrating.

Ian

I was able to block Betternet VPN on the iPhone once by listing all the IP addresses it connects to. I uninstalled the application and redownloaded it after a few weeks. It was able to connect again. Sophos is able to block Betternet VPN chrome browser extension but not the iPhone app. I will try it out on the mac mini and check too.

Hope we come up with a working solution soon! :) 

So, in summary the classification is not complete, there is more to this vpn than Sophos appears to have tested.

ian

Yeah. Is there any way we can reach out to the team which works on detecting app IDs and updating the signatures? I would like to report that Hotspot Shield is being misclassified as "Facebook Website" and Betternet VPN is able to bypass the firewall even if it is added to the applications filter.

I did a packet capture of Betternet VPN. It is disguising itself as WhatsApp/Twitter/Facebook. This explains why Hotspot Shield was being detected as Facebook Website by the firewall. I have seen references to Hotspot Shield (Anchorfree) inside Betternet VPN's application folder.