flatlander3
Problem Solver
1.5K Messages
2 years ago
Local attacker is the hardest one to defeat. You will have to pass ALL traffic through a dedicated firewall box -- not use the WiFi on your gateway, use a WiFi mesh network or WiFi router instead. Then you can create a firewall rule to block all port 1194 traffic, or block the entire IP range the VPN provider uses directly. Netgate and OPNsense are free open-source firewalls, and will run on just about any retasked 64-bit PC. You'll need at least two Ethernet ports on it. Learning curve for you, but you can see the traffic then and deal with it. Various free add-ons like pfBlockerNG and Snort can help you out too with known hostile sites/poor reputation.
The problem is you can run a VPN server on any port, so if one of their friends runs one, or they use some random service that runs one on another port, your rule doesn't work. There are other ways to bypass parental controls too if that's the problem. SSH tunneling and SOCKS5 proxy services work just fine for that purpose too, and they crowdsource information specifically for this purpose, and you can do that on any port as well. Then you are playing 'whack-a-mole' with firewall rules, but if your kid isn't very computer literate, it could work.
Also be aware that some anti-virus programs enable a VPN connection or proxy redirect so you are always connected through their network. That also bypasses parental controls. You could go full draconian and only allow access to specific sites/IP ranges. At that point, removing the equipment is a better option.
Also be aware if you use Xfinity gear, it broadcasts a public WiFi hotspot, so if they have an Xfinity login for email, they can connect to that, or your neighbor's equipment running Xfinity gear, and bypass your firewall entirely if they are in range. Look for a sudden interest in Yagi directional antennas or wire coat hangers. You can try to turn the public hotspot feature off, but it will turn itself back on on their gear. "Opt Out" is now another crippled function on their gateways.
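To make the post's two points concrete (a port-1194 / provider-range block is easy to slip past, while a default-deny allowlist is not), here is an added example written for this thread; it is not code from flatlander3's post, nor from pfSense, OPNsense or Xfinity. It models a LAN egress ruleset with first-match-wins semantics, the way pf "quick" rules behave, and runs a few constructed flows through two rulesets. Every address is from the RFC 5737 documentation ranges and every flow is made up for the example; the "VPN provider" range, the resolver and the allowed site range are assumptions, not real addresses.

```python
"""Added example (not from the forum post): a first-match-wins model of a LAN
egress ruleset, in the spirit of pf on pfSense/OPNsense, used to check which
constructed flows a port-based VPN block actually stops versus a default-deny
allowlist. All addresses are RFC 5737 documentation ranges chosen for the
example; none belongs to a real VPN provider."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    name: str
    proto: str          # "tcp" or "udp"
    dst: str            # destination IPv4 address
    dport: int
    tunnel: bool        # constructed ground truth: is this flow a VPN/tunnel?


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    proto: Optional[str] = None      # None matches any protocol
    dst_net: Optional[str] = None    # None matches any destination
    dport: Optional[int] = None      # None matches any port

    def matches(self, flow: Flow) -> bool:
        if self.proto is not None and self.proto != flow.proto:
            return False
        if self.dst_net is not None and ip_address(flow.dst) not in ip_network(self.dst_net):
            return False
        if self.dport is not None and self.dport != flow.dport:
            return False
        return True


def evaluate(rules: list[Rule], flow: Flow) -> str:
    """First matching rule decides (pf 'quick' semantics); no match means block."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return "block"


# Assumed "VPN provider" range for the example (RFC 5737 documentation space).
VPN_PROVIDER_NET = "203.0.113.0/24"

# Ruleset 1: what the post describes first: block OpenVPN's default port and
# the provider's range, allow everything else.
PORT_BLOCK_RULES = [
    Rule("block", proto="udp", dport=1194),
    Rule("block", dst_net=VPN_PROVIDER_NET),
    Rule("pass"),
]

# Ruleset 2: the "full draconian" option: allow only specific destinations
# and block everything else by default.
ALLOWLIST_RULES = [
    Rule("pass", proto="udp", dst_net="192.0.2.53/32", dport=53),      # assumed resolver
    Rule("pass", proto="tcp", dst_net="198.51.100.0/24", dport=443),   # assumed allowed sites
    Rule("block"),
]

# Constructed sample flows: four tunnels of the kinds the post mentions plus
# two legitimate flows.
FLOWS = [
    Flow("openvpn-default", "udp", "203.0.113.10", 1194, tunnel=True),
    Flow("provider-on-443", "udp", "203.0.113.10", 443, tunnel=True),
    Flow("friend-server-on-443", "udp", "192.0.2.77", 443, tunnel=True),
    Flow("ssh-tunnel", "tcp", "192.0.2.78", 22, tunnel=True),
    Flow("https-allowed-site", "tcp", "198.51.100.20", 443, tunnel=False),
    Flow("dns", "udp", "192.0.2.53", 53, tunnel=False),
]


def bypasses(rules: list[Rule], flows: list[Flow]) -> list[str]:
    """Names of tunnel flows the ruleset lets through."""
    return [f.name for f in flows if f.tunnel and evaluate(rules, f) == "pass"]


def collateral(rules: list[Rule], flows: list[Flow]) -> list[str]:
    """Names of legitimate flows the ruleset blocks (the cost of being strict)."""
    return [f.name for f in flows if not f.tunnel and evaluate(rules, f) == "block"]


if __name__ == "__main__":
    for label, rules in (("port block", PORT_BLOCK_RULES), ("allowlist", ALLOWLIST_RULES)):
        print(f"{label}: tunnels passed={bypasses(rules, FLOWS)}, "
              f"legit blocked={collateral(rules, FLOWS)}")
```

Running it shows the port-block ruleset stopping the default-port and provider-range flows but passing the friend's server on 443 and the SSH tunnel, while the allowlist passes none of the tunnels. The allowlist blocks no legitimate flow only because the sample set is tiny; in practice every new site a child needs becomes a rule change, which is the whack-a-mole cost the post describes from the other direction. Real pfSense/OPNsense rules are built in the GUI rather than as Python objects; the model only reproduces the top-down, first-match evaluation order so the two policies can be compared.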
XfinityJanelle
Official Employee
1.3K Messages
2 years ago
@user_e4c2d3 Thank you for reaching out on the Xfinity Community Forums. Has the information posted by a community member assisted you?