There is сorporate network with Mikrotik CCR2004 as main router. Network clients are PC and mobile devices.
Standalone Pi-Hole DNS server is used for security purpose.
Pi-Hole blocks unwanted domains.
For successful Pi-Hole work there are some Mikrotik's setting:
1. Pi-Hole server is assigned as DNS server to all clients except Pi-Hole itself
2. All external (to WAN) forward traffic to port 53, 853 is blocking for all device except Pi-Hole server itself
3. Forward to udp 80,443 is blocked
4. Some popular "classical" VPNs are blocked too according to their specific parameters - port number, IP addresses, domain name.

This security scheme worked good enough until one of the employees installed the Adguard app on his phone to bypass the restrictions.
This Adguard app encapsulates so called"local VPN"

I installed same Adguard app at one of my testing Android device for learning how it works.
我把Mikr雷竞技网站otik - >防火墙>与行动”Snif损坏f TZSP" and I can capture my testing device in Wireshark.
I see all connection in Wireshark but I can't catch Adguard specific ones.
Is there the way to fight with such a local vpn?

Incorporate some MDM solution for company devices for managing installed software and configuration on them and deny personal other to connect on that network. Not sure there is a ultimate solution on MT that can block all kind of VPNs and proxies, unless you implement reverse logic - not to block something, but to allow only specific hosts/domains/IPs....

Also my understanding you need an application level gateway or some service (untangle comes to mind but they were bought out, so its Arista Now!

Also my understanding you need an application level gateway or some service (untangle comes to mind but they were bought out, so its Arista Now!

or Cisco Umbrella...

Adguard essentially reinvented and improved SSTP. But now it is adguard proprietary protocol instead of Microsoft proprietary protocol. I use SSTP for the exact same reason - for most firewalls it looks like a big HTTPS download. Adguard went even further and makes multiple smaller connections. IMHO not distinguishable from an ordinary Web browsing.

Anyway, as others pointed out, you would need a different device,whhich would have to decrypt the traffic. That isn't really an option on mikrotik.

Adguard essentially reinvented and improved SSTP. But now it is adguard proprietary protocol instead of Microsoft proprietary protocol. I use SSTP for the exact same reason - for most firewalls it looks like a big HTTPS download. Adguard went even further and makes multiple smaller connections. IMHO not distinguishable from an ordinary Web browsing.

Thank you for the hint about SSTP.
所以进一步寻找“检测sstp”导致another hint:

SSTP can be detected using a regular Mikrotik. It is enough to check for the presence of thesniheader in theclienthellopacket. If it is not there, we most likely have SSTP

None of clients of our network use SSTP, so I would like to block any SSTP traffic.
How to block SSTP practically using the"sni header"hint above?

Bad employer, bad.

None of clients of our network use SSTP, so I would like to block any SSTP traffic.
How to block SSTP practically using the"sni header"hint above?

Even if you somehow block this, how do you plan to block for example Shadowsocks + v2ray on 443 port with TLS1.3?

Let's say it can block all connections without SNI...
Now pretty much all Google & Co. are on TLS 1.3, so that would block everything...


P.S.: With a little bit of knowledge, and unblocked Google services, it is possible to bypass any firewall/filter without the slightest problem... (I'm not referring to DNS...)

Who owns adguard, the FSB?

Even if you somehow block this, how do you plan to block for example Shadowsocks + v2ray on 443 port with TLS1.3?

You can ask this from the IR government, they successfully blocked it.

They didn't block it for cheap.

No, What they did was putting a significantly higher price for services. So they can use our own F money for doing the F filtering.
They are cheap as F.

You can ask this from the IR government, they successfully blocked it.

By these comments herehttps://github.com/net4people/bbs/issues/171they are just throttling upload. I guess they are identifying large TLS traffic to single outside country endpoint (with maybe exclusion of some common safe domains) as suspect and then throttle upload to that endpoint which limits then vpn/proxy connection speed to point of uselessness.

I guess they are identifying large TLS traffic to single outside country endpoint (with maybe exclusion of some common safe domains) as suspect and then throttle upload to that endpoint which limits then vpn/proxy connection speed to point of uselessness.

IR has different types of censorship on different ISPs.

IR has different types of censorship on different ISPs.

Yes, depends what is used. I was initially mentioned proxy with protocol obfuscation, which is encrypted socks5 proxy protocol encapsulated into HTTP request (POST) over TLS1.3, which can't be detected as proxy connection exactly, but it can be suspicious due to amount of upload traffic to single service.

SSTP can be detected using a regular Mikrotik. It is enough to check for the presence of thesniheader in theclienthellopacket. If it is not there, we most likely have SSTP

How to block SSTP practically using the"sni header"hint above?

That is unfortunately not true. See packet from my SSTP VPN handshake which clearly shows SNI extension:The same will apply for any other TLS encrypted traffic, no matter what it is. TLS is standartized protocol for encryption, fully independent from the data inside. Be it video stream, website, large file download, vpn ... it will all look same.

How to block SSTP practically using the"sni header"hint above?

That is unfortunately not true. See packet from my SSTP VPN handshake which clearly shows SNI extension:
The same will apply for any other TLS encrypted traffic, no matter what it is. TLS is standartized protocol for encryption, fully independent from the data inside. Be it video stream, website, large file download, vpn ... it will all look same.

@anav was right concerning who owns Adguard...
I did some research and came to a clear conclusion: Adguard belongs to the russian intelligence services. FSB do not invest money in this system in vain, they need such a system.
If anyone doubt it, just look at what a powerful server infrastructure they have built. To do this, it is enough to look at the information on theotx.alienvault.comby domains:Most of servers are at cloudflare, but the key servers are interrorist state russia.
So I decided not to waste my time on Adguard and just blocked "cunning" user until he removedrussian crapfrom his phone.

Now you have identified one VPN that you do not like, and you may be able to block it in some way, but you will have to live with the fact that there are many different VPN providers, from "good" and "bad" guys, and that you will never be able to block them all.
So your original design assumption that you can block sites (for security or whatever) using a Pi-Hole DNS server unfortunately is no longer valid.