Blocking browser based VPN extensions

Please tell me how you are going about blocking extensions that allow VPN connectivity inside a browser.

I am not looking for installed software solutions, as those do not cover devices on my network that like to just show up. Looking for something more global.

Example: Browsec for Chrome. One of many VPNs available for free with pretty impressive speed. I’ve packet captured the client machine, found the IP range this extension reaches out to, and blocked huge CIDR ranges with a layer 7 rule on my firewall. Then it simply moves.

Thoughts?

If you use GAFE, whitelist or blacklist the extension in Chrome Admin → Device Management → Chrome Management → Apps & Extensions → Allowed Apps and Extensions

If it’s just the Windows Chrome browser without users signed in, take a look at setting up some GPOs using the Chrome administrative templates:

In particular Computer Configuration → Policies → Administrative Templates → Google → Google Chrome → Extensions → Configure extension installation blacklist.

I would make my best effort at blocking what I can. After that I’d raise an issue with administration. Any student or staff member caught engaging in this sort of activity at the very least would be violating the AUP. At that point, in my opinion, it’s an administrative call.

If you have a GAFE organization: Set your Chrome policies for all student-level sub-orgs for whitelist only on apps & extensions.

If you don’t use GAFE and/or people are using Chrome without logging in (avoids policies): Use Chrome GPO to set apps/extensions to whitelist only.

This has brought VPN usage at our district down to just about absolute zero. Obviously make sure you have appropriate executable policies in place to prevent local VPN clients/proxies.

I believe I may have found a simple solution. Many VPN Apps have a program that runs in the background and then modifies the browser Proxy settings to redirect traffic to the VPN. If you are on a managed Chrome or Chrome device, you should be able to set the proxy settings to “Never use a proxy.”

When the VPN App starts, it will run the background program but fail to redirect the traffic to the VPN thereby rendering it ineffective.

It may not work for all situations, but it may be worth a try before building a whitelist.

The firewall at our main site (FortiGate 500D) does deep packet inspection which breaks this sort of thing. We tested Browsec specifically and it didn’t work.

Anyone have any insight as to how to achieve this on Macs client side? My Google Fu has led me to enforcing policies via profiles to blacklist * extensions.
I have the policy to blacklist all extensions on the Google Admin side but on the Macs, we have plain vanilla installs of Chrome. A kid could sign in with any google account and have free range at extensions.

Could anyone kindly share a sample profile or plist?
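As an added example (not the poster’s own profile, and not anything from Google or the thread), here is the shape of a Chrome managed-preferences plist for the `com.google.Chrome` domain that blocks every extension except an allowlisted set and forces “never use a proxy”, combining the two approaches discussed above. It assumes Chrome 86 or newer (older builds use the `ExtensionInstallBlacklist`/`ExtensionInstallWhitelist` key names), and the 32-character extension ID is a placeholder to replace with the IDs you actually approve; the file is what an MDM Custom Settings payload delivers to `/Library/Managed Preferences/`.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <!-- "*" blocks installation of every extension, including ones a
       user adds after signing in with a personal Google account. -->
  <key>ExtensionInstallBlocklist</key>
  <array>
    <string>*</string>
  </array>

  <!-- Exceptions to the block above. PLACEHOLDER ID: replace with the
       real 32-character IDs of the extensions your district approves. -->
  <key>ExtensionInstallAllowlist</key>
  <array>
    <string>aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa</string>
  </array>

  <!-- Equivalent of "Never use a proxy": a helper program or extension
       that rewrites proxy settings to reach a VPN cannot take effect. -->
  <key>ProxyMode</key>
  <string>direct</string>
</dict>
</plist>
```

After the profile lands, chrome://policy on the Mac should list all three keys with source “Platform” and status “OK”; if they show as not applied, the payload domain or key names are wrong for that Chrome version.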

Thanks for this. I am due for a new security appliance at the end of this school year, and having something that does deep packet inspection is on my list. As I suspected, this is likely the only way to globally break this service as I would prefer.

This is exactly where I am, actually. Rather than having client based blocking, though, I need something more global. Some browsers are able to be downloaded on the mac and run without an admin password, and have VPN software built into them now. It needs to be something the content filter handles, IMO… not a client policy.

Secondary to that, I want something more globally handled like this, so a student can’t bring a parent laptop to school, install a VPN, plug in an ethernet cable, and get to porn. Not that this happens now, but it definitely is a scenario that could play out.

I’m going to look into something that does deep packet inspection for next summer when it’s time to switch out our content filter. The Meraki hasn’t been bad, but it’s certainly not the best.

I found a template for a mobileconfig file in case anyone is interested. PM me and I can send over my profile that blacklists all extensions on a Mac.