DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Blocking VPN Clients or not?

07 Jun 2018 09:55 #1 by akwe-xavante
Blocking VPN Clients or not? was created by akwe-xavante
Draytek 2860 in Office (Dial in VPN Tunnel Setup) Fixed IP address
Draytek 2820 at Holiday let (Dial out VPN Tunnel Setup) Dynamic IP address
Location: UK

This VPN tunnel is required and important in both directions.

However, it is becoming more and more evident that guests accessing the internet at the holiday let are doing so using VPN client software. I may be paranoid but (IMO) people using such software are doing so to hide dodgy activities such as streaming copyrighted film etc. I'm sure that this software can be used for any form of illegal activities too.

So what happens if a police authority contacts me and says "You've been doing this online and I'm arresting and charging you for this, that or the other"?

I currently have a single 50yr+ old gent using a VPN server in Nepal who is seriously hammering the use of the internet, 134 GB in just 4 days!!!!!! I can only guess and speculate what he is up to; the MAC address of the device being used is unidentifiable (No Vendor).

Me No Appy!

Question: Can I block or at best restrict the use of VPN client-side software whilst maintaining my use of the VPN tunnel set up between the two routers?

Can I "Turn Off VPN Passthrough" (Vigor 2820) somewhere, somehow, but maintain my own use of the VPN setup between the Office and the Cottage?

If I block UDP activity on ports 80, 443, 500 and 1701, what impact will this have on my use of the routers... my access to both routers directly through the VPN to devices such as CCTV, mapped drives and heating systems etc.?

How do I block / restrict the use of VPN client-side software at the cottage without blocking or restricting my use of my own VPN and the services I use it for, such as access to mapped drives in the office from the cottage and access to the CCTV and the heating system at the cottage from the Office?

07 Jun 2018 10:50 #2 by anaglypta
Replied by anaglypta on topic Re: Blocking VPN Clients or not?
A couple of things to do first which you really should have in place regardless.

1) Keep a comprehensive list of client names and dates.
2) Have in place an Acceptable Use policy.
3) Make sure your clients sign the Acceptable Use policy as part of the let agreement.
4) If you detect activity that contravenes your AUP you can block access.

All of this will help you if the plod come knocking.

John.

07 Jun 2018 11:08 #3 by akwe-xavante
Replied by akwe-xavante on topic Re: Blocking VPN Clients or not?
Thank you Anaglypta,

These are things I do anyway; the only one I cannot do is get them to sign an Acceptable Use policy as part of the let agreement, as bookings are taken through a third-party letting agent on my behalf. In the property's "Welcome Folder" I do have additional T&C's for them to read and abide by. Not always read and often ignored.

But as always, regardless of the info contained within these T&C's, they do as they please anyway in many ways.

Digressing and off topic, some guests think that it is acceptable to turn the heating up to 40 degrees on the hottest day of the year, open all the windows wide and go out all day!!!!!!!!! If something's not bolted down it will go walkies too.

A few weeks ago one guest "accidentally" took ALL the towels and linen home with them!? How on earth does someone do that? I had to travel 120 miles to get them back myself; you should have seen their faces when I knocked at the door with baseball bat in hand :D Not joking.

Anyway, if it's possible to severely restrict or at best block VPN software whilst maintaining my use of my own inbuilt VPN tunnel, that would be great. Just need to work out how to achieve it.

12 Jun 2018 14:24 #4 by hopkins35
Replied by hopkins35 on topic Re: Blocking VPN Clients or not?
Hi akwe-xavante, you've not specified which type of VPN you have set up at your office site, but you could add the required ports to a VPN service group on your 2820 at your holiday let and create one LAN -> WAN firewall rule allowing outbound connections to your office fixed IP address and the service object, and a second LAN -> WAN firewall rule (lower down the list) that blocks all outbound connections using the VPN service group. The connection to your office will be allowed by the first rule and connections to other VPN providers will be blocked by the second.

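The two-rule approach described above depends entirely on first-match ordering. As an added illustration (not from the post or from DrayTek), this small Python simulation models a VPN service group and the allow/block pair, and shows that swapping the rules silently breaks the office tunnel. The office IP and the service group contents (UDP 500/4500/1701 plus ESP, i.e. an IPsec/L2TP tunnel) are assumptions, since the thread never states the tunnel type.

```python
"""Added example: first-match simulation of the LAN -> WAN rule pair
described by hopkins35. Not DrayTek code; values below are assumed."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import FrozenSet, List, Optional, Tuple

# Assumed VPN service group for an IPsec/L2TP tunnel. The OP only names
# UDP 500 and 1701; 4500 (NAT-T) and ESP (no port) are added here as an assumption.
VPN_SERVICE_GROUP: FrozenSet[Tuple[str, Optional[int]]] = frozenset({
    ("udp", 500), ("udp", 4500), ("udp", 1701), ("esp", None),
})
OFFICE_WAN_IP = "198.51.100.10"  # placeholder for the office fixed IP (RFC 5737 doc range)


@dataclass(frozen=True)
class Packet:
    dst_ip: str
    proto: str
    dst_port: Optional[int]  # None for port-less protocols such as ESP


@dataclass(frozen=True)
class Rule:
    name: str
    action: str  # "pass" or "block"
    services: FrozenSet[Tuple[str, Optional[int]]]
    dst_ip: Optional[str] = None  # None means "any destination"

    def matches(self, pkt: Packet) -> bool:
        if self.dst_ip is not None and ip_address(pkt.dst_ip) != ip_address(self.dst_ip):
            return False
        return (pkt.proto, pkt.dst_port) in self.services


# Rule 1 (higher in the list): allow the VPN service group only to the office.
# Rule 2 (lower): block the VPN service group to everywhere else.
RULES: List[Rule] = [
    Rule("allow-office-tunnel", "pass", VPN_SERVICE_GROUP, OFFICE_WAN_IP),
    Rule("block-other-vpn", "block", VPN_SERVICE_GROUP),
]


def evaluate(pkt: Packet, rules: List[Rule] = RULES, default: str = "pass") -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule; unmatched traffic
    falls through to the router's default policy (assumed 'pass')."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return default, "default"
```

Traffic outside the service group (for example a VPN client tunnelling over TCP 443) is never matched by either rule, which is why the port-based approach catches only the protocols you list.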
12 Jun 2018 14:39 #5 by 36bits
Replied by 36bits on topic Re: Blocking VPN Clients or not?
You can block some VPNs by setting up an APP Enforcement Profile in the CSM configuration options. The VPNs appear under the 'Others' tab in the profile configuration. I've found this to be easier than setting up specific firewall rules.

You then need to reference the profile in an outbound firewall rule for the router.

12 Jun 2018 14:59 #6 by hopkins35
Replied by hopkins35 on topic Re: Blocking VPN Clients or not?
akwe-xavante wrote:
> I can only guess and speculate what he is up to
There are perfectly legitimate uses for a VPN, one of which may be to watch live TV streamed from his home country, BBC iPlayer, etc. that are geo-restricted. If you're more concerned about bandwidth usage/data quantities you should look at creating bandwidth quotas on a guest WiFi SSID or VLAN rather than brute-force blocking VPNs. As an advocate of online freedom and optimal security I always appreciate being given the ability to dial out to a VPN for online banking, accessing my home network and accessing geo-restricted web content.
