Just out of curiosity, what are your stances/approaches to controlling student use of VPN apps that bypass content filters?
Historically this wasn’t a big problem for us since very few students understood how to set up and use a VPN service, and even when they found one that was user-friendly enough to gain popularity, we’d find its used IP addresses and block them with our ASA.
Now, it’s as easy as downloading a VPN app like BetterNet and simply tapping Connect to bypass our inline web filter. Due to ease of use, it’s no longer a few technically apt students we have to worry about; a larger percentage of our student base appears to be using this.
Running a Wireshark analysis, it appears to use a rotating pool of public IPs, so it’s not as simple as blocking a couple or a continuous range.
My stance is they should be blocked for students, due to their ability to bypass the web filtering. I would like to know: how are the students being allowed to install Betternet? My stance is that students should not be able to freely install Windows applications or browser extensions/add-ons. In Windows domains, you can manage the user's ability to install applications using Active Directory and Group Policy. If you use Google Chrome on Windows, you can install the ADM or ADMX Group Policy templates (provided by Google) and make a GPO to manage how extensions get installed. In Google domains, like DrunkJoshMankiewicz said, you can use GAFE (Google Apps for Education) and go into the Google Admin Console and manage how extensions are installed to Chromebooks. Firewalls become irrelevant if standard users can VPN or remote desktop out and easily bypass them.
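An added example, not part of the reply above: a PowerShell check of the Chrome extension policy that such a GPO writes to the registry, flagging a machine where extensions are not denied by default. `ExtensionInstallBlocklist` and `ExtensionInstallAllowlist` are Chrome's policy names; the function names and the sample extension ID are made up for illustration.

```powershell
# Added example: audit Chrome's extension policy as Group Policy writes it to the registry.
# Function names and sample values are hypothetical, constructed for illustration.

function Get-ChromePolicyList {
    param([string]$Name, [string]$Root = 'HKLM:\SOFTWARE\Policies\Google\Chrome')
    $key = Join-Path $Root $Name
    if (-not (Test-Path $key)) { return @() }
    # List policies are stored as numbered string values ("1", "2", ...) under the key.
    $item = Get-Item -Path $key
    return @($item.GetValueNames() | ForEach-Object { $item.GetValue($_) })
}

function Test-ExtensionLockdown {
    param([string[]]$Blocklist = @(), [string[]]$Allowlist = @())
    $findings = @()
    # "*" in the blocklist denies every extension that is not explicitly allowed.
    if ($Blocklist -notcontains '*') {
        $findings += 'Blocklist has no "*" entry: users can install any extension not listed.'
    }
    foreach ($id in $Allowlist) {
        # Extension IDs are 32 characters drawn from a-p (case-sensitive match).
        if ($id -cnotmatch '^[a-p]{32}$') {
            $findings += "Allowlist entry '$id' is not a valid extension ID."
        }
    }
    return $findings
}

# Constructed samples: one policy without a default deny, one locked down.
$sampleId = 'aaaabbbbccccddddeeeeffffgggghhhh'   # constructed, not a real extension
$weak   = @(Test-ExtensionLockdown -Blocklist @($sampleId))
$strict = @(Test-ExtensionLockdown -Blocklist @('*') -Allowlist @($sampleId))
"weak:   $($weak.Count) finding(s)"; $weak
"strict: $($strict.Count) finding(s)"

# On a managed PC, audit the live policy instead:
# Test-ExtensionLockdown -Blocklist (Get-ChromePolicyList ExtensionInstallBlocklist) `
#     -Allowlist (Get-ChromePolicyList ExtensionInstallAllowlist)
```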
We just encountered this within our system and LightSpeed. We ended up blocking P2P networks. Unfortunately, this affects much more than just VPNs such as Betternet. We’ve had to add P2P exclusions for our Meals Plus system, LINQ Software, etc. Apparently, this also affects Skype (Customer Portal).