
Has anyone been able to block ProtonVPN on Asus router?


sese123

New Around Here
I'm trying to block ProtonVPN from connecting using the Network Services Filter but I have no idea what is the Destination IP or Port Range - where can I find this information?
 
I assume you mean block access to their VPN servers, NOT just their website.

That's NOT going to be easy given there are most likely 1000's of possible servers, and probably different ports depending on the VPN type (PPTP, OpenVPN, WireGuard, IPsec, etc.). They could even be using port 443 for all I know, so you can't just block that across the board.

In short, this sounds like something way beyond the capability of the Network Services Filter if you need a broad means to block access to a VPN provider's numerous servers.

P.S. A more likely possibility would be to block the few ports they're known to use across all their servers from a specific source IP, under the assumption the issue is *one* user in your household. But again, you can't reasonably block port 443. And they could also just manually change their source IP address. That's why having a bit more background on exactly the problem you're trying to solve might be helpful.
 
Yep - you've pretty much summed it up nicely - my kids are circumnavigating parental controls using the free ProtonVPN service - I know that this limits it to 3 servers, I just need to find those 3 servers' IP addresses and block 'em, like I did for Google DNS (which is much easier as it's publicly available information and widely distributed) - I can't seem to find ProtonVPN's IP addresses.
 
Looks like you have to open an account to find out the IP addresses of the free servers. I assume they support configuration on the router, which would expose the server IP addresses and/or domain names.
 
You could also look at the "System Log - Active Connections" and just block them as they show up. Should be pretty easy to spot.
 
That's why it might just be easier to get your hands on the config files. Too many servers. If they share a common base (e.g., 199.199.199.x), you could convert them to a class C network (e.g., 199.199.199.0/24) and limit the number of rules necessary. Or perhaps they're using a small number of less common ports that you could block w/o being specific as to the server IPs.
 
Do you only want to block ProtonVPN or is it OK to block all VPNs?

I have no idea how well this works, but NextDNS apparently has a feature to block bypass methods:

Prevent or hinder the use of methods that can help bypass NextDNS filtering on the network. This includes VPNs, proxies, Tor-related software and encrypted DNS providers.

(I use NextDNS, but not this feature)
 
Free/TCP (protonvpn.com, protonvpn.net):

jp-free-01.protonvpn.net (01-11)
nl-free-01.protonvpn.net (01-128)
us-free-01.protonvpn.net (01-49)

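An added example, not code from any poster in this thread: it expands the hostname ranges listed above and collapses resolved addresses into /24 rules only where several servers share a common base, as suggested earlier in the thread. The sample addresses are constructed from documentation ranges, and the two-digit zero padding and all function names are assumptions.

```python
import ipaddress
import socket
from collections import defaultdict

# Ranges as posted in the thread: country prefix -> highest server number.
FREE_RANGES = {"jp": 11, "nl": 128, "us": 49}

def expand_hostnames(ranges=FREE_RANGES, domain="protonvpn.net"):
    """Turn 'jp-free-01 (01-11)' style ranges into full hostnames."""
    # Assumption: numbers are zero-padded to two digits, as in the posted names.
    return [f"{cc}-free-{n:02d}.{domain}"
            for cc, top in ranges.items() for n in range(1, top + 1)]

def resolve(hostnames):
    """Live IPv4 lookup; names that do not resolve are skipped."""
    found = {}
    for name in hostnames:
        try:
            found[name] = socket.gethostbyname_ex(name)[2]
        except OSError:
            continue
    return found

def aggregate(addresses, min_hosts=2):
    """Use a /24 only where min_hosts servers share it; otherwise keep /32s."""
    buckets = defaultdict(set)
    for text in addresses:
        ip = ipaddress.ip_address(text)
        # A filtering resolver may answer 0.0.0.0 or loopback: not a server.
        if ip.version != 4 or ip.is_unspecified or ip.is_loopback:
            continue
        buckets[ipaddress.ip_network(f"{ip}/24", strict=False)].add(ip)
    nets = []
    for net, ips in buckets.items():
        if len(ips) >= min_hosts:
            nets.append(net)  # shared base: one rule covers the whole /24
        else:
            nets.extend(ipaddress.ip_network(f"{ip}/32") for ip in ips)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

# Constructed sample answers (documentation address ranges, not real servers).
SAMPLE = {
    "jp-free-01.protonvpn.net": ["198.51.100.10"],
    "jp-free-02.protonvpn.net": ["198.51.100.11", "198.51.100.12"],
    "us-free-01.protonvpn.net": ["203.0.113.7"],
    "us-free-02.protonvpn.net": ["0.0.0.0"],
}

if __name__ == "__main__":
    print(len(expand_hostnames()), "hostnames to look up")
    for cidr in aggregate(ip for ips in SAMPLE.values() for ip in ips):
        print(cidr)
```

A /24 rule also blocks any unrelated hosts in that range, which is why `min_hosts` keeps single addresses as /32 entries.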
 
How do I block 1010 IP addresses on the Asus admin page?
Asuswrt-Merlin and skynet (firewall script)
A good combo would be Diversion (for domains and ad-block) and skynet for ip blocking and known malware and so on.
Easy to add lists to those 2 awesome scripts.

Or pick out what you need from those lists.
Also could try cleanbrowsing-family DNS server on those devices that try to use VPN and so on; it prevents some VPNs and proxies.
 
I'm trying to block ProtonVPN from connecting using the Network Services Filter but I have no idea what is the Destination IP or Port Range

That's kind of their business, and if Russia/Putin/China can't stop them, probably Merlin isn't going to be able to either.

my kids are circumnavigating parental controls using the free ProtonVPN service - I know that this limits it to 3 servers, I just need to find those 3 servers' IP addresses

It's more than 3. Again: Russia.

And you have smart kids (seriously), there are lots of other options they can use.

And the problem here is social, not technical.

  • How old are your kids?

  • Who is paying for the internet connection and electricity and water and food?

  • What are the consequences for them for not following rules? Because if they work for a corporation with security policies some day, or the military, and violate them, they are gone. Online security is a big deal, and depending on their ages, can really be a problem depending on what they are doing.
Regardless, one free option:




However


Other options: you can lock Windows PCs down, a limited user account (like corporate PCs), you can hire an MSP to make their machines school/learning only. Probably can do with chrome PCs as well (but I am not sure).

Regardless: issue is not the router, it's the children not following rules. Not following them can lead to good things (think Apple PCs, bittorrent, Linux, etc) but today it's important children are careful.

And: source of the problem is not the router or 8.8.8.8
 
If you know the kids are bypassing it, and are not happy about it, then get their MAC addresses and throttle their speeds down via locked IP address..
Then when they start complaining, real quick I assure you, you can have a heart to heart talk..
 
