Unable to block Hotspot Shield and Betternet VPN

Hi guys,

I have been trying to block the hotspot shield and Betternet VPN. I have included them in the Applications Filter.

I created a support ticket with Sophos and we were able to block the said applications by decrypting HTTPS using web proxy. It is also blocking other applications like Facebook, Instagram, etc. I can't deploy CA certificates on the end devices for HTTPS decryption. 

The client is able to download the applications and use them. The firewall isn't blocking the hotspot shield and Betternet VPN traffic.

I am looking for a way to block those applications using DPI/Applications Filter. These apps use TCP, 443 port. 

I am using an XGS 136.



[edited by: emmosophos at 12:32 AM (GMT -7) on 23 Jun 2022]

  • Hi Vineeth Penugonda

    Please check by creating the DNS service-based firewall rule as shown below, create a separate application filter policy to block high-risk applications as per the link, and apply it on the same DNS service-based firewall rule.

    Please also try the steps below in case the application is still not getting blocked:

    CLI settings

    1. Sign in to the Sophos XG Firewall's console and select 4. Device Console.
    2. Verify the current configuration by issuing the following commands.
      show advanced-firewall
      show ips-settings
    3. Issue the following commands for the recommended settings.
      set advanced-firewall midstream-connection-pickup off
      set ips maxsesbytes-settings update 0
      set ips maxpkts 80
      set ips packet-streaming on

    GUI settings

    Application filter policy settings

    Along with the P2P and Proxy and Tunnel categories, the applications listed below must be denied in the application filter policy. In the case of CROS, Micro App should be enabled in the application filter policy.

    • DNS Multiple QNAME
    • OpenVPN
    • QUIC
    • DNSCrypt

    Firewall rule settings

    The same application filter policy (as configured above) must be applied to DNS Firewall rule as well, if there is any.

    For Psiphon Proxy

    1. HTTPS scanning needs to be enabled in the firewall rule
    2. A web filter policy with the categories below denied must be applied to the firewall rule
      1. IPAddress
      2. None
      3. Parked Domains
      4. Spam URLs (Available only in XG)
      5. Anonymizers
      6. Spyware & Malware
    3. Please go to PROTECT --> Web --> General Settings and, under HTTPS decryption and scanning, tick Block Invalid Certificates and Block unrecognized SSL protocols
    4. Allow only HTTPS, HTTP, DNS, ICMP, SMTP etc. services (essential services) on LAN→WAN if Psiphon still connects even after following the above 3 steps.

    Thanks and Regards

  • Hi Bharat,

    I tested with all the settings you provided. I am able to block "Hotspot Shield" by blocking "www.hsselite.com" and blocking "Risk 4 and Risk 5 apps" in the applications filter. 

    Interestingly, the Applications Filter detects Hotspot Shield as "Facebook Website". (Attached Screenshot)

    Sometimes, Psiphon Proxy is detected by the Applications Filter and blocks it. Users are still able to use "Psiphon Proxy" and "Betternet VPN".



    Enlarged the screenshot
    [edited by: Vineeth Penugonda at 5:42 PM (GMT -7) on 23 Jun 2022]
  • I am able to block "Psiphon proxy" on android by blocking "ecxysudbqm.com", IP Address category, and enabling the Psiphon Proxy in the application filter.
    Other VPNs are getting blocked except the "Betternet VPN". Betternet VPN is able to connect using the 443 port.
  • The issue is that it appears to use the proxy from my investigation and it is not blocked in the proxy. I have tried blocking IP addresses and URLs but to no avail, and none of the addresses appear in the log viewer.

    Still investigating

    Ian

    XG115W - v19 GA - Home

    1225v5 6gb ram, SSID, 4 NICs 20w - v19 EAP - on holiday.

    If a post solves your question please use the 'Verify Answer' button.

  • I tried looking at the traffic for Betternet VPN too. I will try to spin up an android virtual image and check the traffic flow for the application.

  • I have been working this issue most of the afternoon without great success. I broke my users' access to the internet by blocking HTTPS in a specific rule that stopped the VPN. I had to use my CM access to restore connectivity. I have searched to see if I can identify the servers it uses, to no avail. I do have a list of IP addresses, but that continually grows, so maintaining it would be a pain. Using betternet co or betternet.com does not return any results that get blocked except web access.

    It uses 443 to access the internet, but how? Nothing is logged, and no error messages are created or displayed. I would have to build a network analyser to hang across the output of the Mac mini to see what is happening. While it might be installed as Betternet VPN, it obviously does not identify itself as that when setting up the tunnel.

    Very frustrating.

    Ian


  • I was able to block Betternet VPN on the iPhone once by listing all the IP addresses it connects to. I uninstalled the application and redownloaded it after a few weeks. It was able to connect again. Sophos is able to block Betternet VPN chrome browser extension but not the iPhone app. I will try it out on the mac mini and check too.

    Hope we come up with a working solution soon! :) 

  • So, in summary, the classification is not complete; there is more to this VPN than Sophos appears to have tested.

    ian


  • Yeah. Is there any way we can reach out to the team which works on detecting app IDs and updating the signatures? I would like to report that Hotspot Shield is being misclassified as "Facebook Website" and Betternet VPN is able to bypass the firewall even if it is added to the applications filter.

  • I did a packet capture of Betternet VPN. It is disguising itself as WhatsApp/Twitter/Facebook. This explains why Hotspot Shield was being detected as Facebook Website by the firewall. I have seen references to Hotspot Shield (Anchorfree) inside Betternet VPN's application folder.
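    The observation above, a VPN client presenting a WhatsApp/Twitter/Facebook server name so that a signature-based classifier labels it "Facebook Website", is exactly the weakness of classifying on the TLS ClientHello SNI alone, since the client controls that field. The script below is an added illustration written for this thread, not Sophos code and not a description of how the XGS classifier works internally: it parses the SNI out of a ClientHello, matches it against the hostnames this thread found effective to block (www.hsselite.com, ecxysudbqm.com, betternet.com), and then cross-checks the SNI against the addresses the client actually received in DNS answers, which is the kind of correlation a DNS-service firewall rule makes possible. The ClientHello builder, the DNS cache and the 203.0.113.x addresses are constructed sample input so the script runs offline.

```python
"""Flag TLS flows whose SNI is blocked or does not match the client's own DNS answers.
Added example for this thread; not Sophos code. Sample inputs are constructed."""
import struct

# Hostnames this thread reports as effective block targets (from the posts above).
BLOCKED_HOSTS = {"www.hsselite.com", "ecxysudbqm.com", "betternet.com"}


def build_client_hello(sni: str) -> bytes:
    """Constructed sample input: a minimal TLS 1.2 ClientHello carrying one server_name
    extension. Exists only to feed the parser offline."""
    host = sni.encode("ascii")
    sni_list = struct.pack("!BH", 0, len(host)) + host            # name_type=0, name_len, name
    sni_ext = struct.pack("!HHH", 0, len(sni_list) + 2, len(sni_list)) + sni_list
    exts = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03" + b"\x00" * 32   # client_version + 32-byte random (all zero in the sample)
        + b"\x00"                    # session_id length 0
        + b"\x00\x02\x13\x01"        # one cipher suite
        + b"\x01\x00"                # one compression method (null)
        + exts
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type=ClientHello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the server_name from a TLS ClientHello record, or None if absent/malformed."""
    try:
        if len(record) < 5 or record[0] != 0x16:      # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:              # not a ClientHello
            return None
        pos = 4 + 2 + 32                              # handshake header, version, random
        pos += 1 + hs[pos]                            # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hs[pos]                            # compression_methods
        if pos + 2 > len(hs):
            return None                               # no extensions block at all
        ext_total = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_total, len(hs))
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0 and elen >= 5:              # server_name extension
                name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
                return hs[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += elen
        return None
    except (struct.error, IndexError):
        return None


def classify_flow(record: bytes, dst_ip: str, dns_cache: dict) -> str:
    """Verdict for one TLS flow. dns_cache maps hostname -> set of IPs the client
    received in DNS answers for that name (as a DNS-aware firewall could record)."""
    sni = extract_sni(record)
    if sni is None:
        return "no-sni"
    if sni in BLOCKED_HOSTS:
        return f"block: SNI {sni} is on the block list"
    if dst_ip not in dns_cache.get(sni, set()):
        # The client claims a hostname it never resolved to this destination: the
        # SNI cannot be trusted for classification, so do not treat it as that app.
        return f"suspect: SNI {sni} but {dst_ip} was never resolved for it"
    return f"allow: {sni}"


if __name__ == "__main__":
    # Constructed DNS answers: the client resolved www.facebook.com to 203.0.113.5 only.
    dns_cache = {"www.facebook.com": {"203.0.113.5"}}
    flows = [
        (build_client_hello("betternet.com"), "203.0.113.10"),
        (build_client_hello("www.facebook.com"), "203.0.113.5"),
        (build_client_hello("www.facebook.com"), "203.0.113.10"),  # spoofed SNI, other server
    ]
    for rec, ip in flows:
        print(ip, "->", classify_flow(rec, ip, dns_cache))
```

    The third sample flow is the case the thread describes: the SNI says Facebook, so a name-only classifier would label it as such, while the DNS cross-check marks it suspect because the client never resolved that name to the server it is talking to. A real deployment would populate the cache from the DNS rule's logs and would need care around CDN answers with many addresses and short TTLs, which is why the check returns "suspect" for review rather than an outright block.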

  • Hi,

    thank you for the update. Do you have a business licence? If so, you can raise a support case and include your data capture.

    ian
