Pi-Hole is working well in blocking websites and advertisements. However, some of our students are very smart, they downloaded VPN services to their computers to bypass the pi-holes. I have regex VPN in the blacklist but because of the VPN, they managed to access websites we blocked. What is the solution for this?
Thanks
Block the VPN ports on the router. But then they will likely switch to WiFi Hotspot from their phones.
Is there a way to force clients (despite they are using VPN) to pi-holes?
No, there is not. Once the traffic from that client is in the VPN tunnel, it uses the VPN DNS.
You can't stop it all they need is 1 port out. So if you have 443, 80, or 53 open outwards which is likely. I regularly bypass VPN blocks using 443.
I would like to test dropping the 443, 80, and 53, how do I do that in the router? I own a USG
I don't think you understand me it's pointless. You have to have ports open otherwise how to you talk to the outside world. The usage of vpn can be somewhat hindered. Even If only 1 of ports 123,53,80, and 443 are open to the outside they still have a way to a vpn. I am not a network administrator or system administrator. I think If you had some sort of proxy intercepting all traffic you could accomplish what you want. I would look down that path
EDIT
TLDR: You need those ports open for your network to operate.
Dropping 443, 80 and 53 at the router would disable browsing an sites over http/https and stop all DNS.
This is not a pi-hole issue so I'm going to close this out.