Good day.
I followed below post.
https://forum.openwrt.org/t/vpn-datacenter-ips-github-how-to-incorporate/206513
When I am blocking TCP 443 to prevent VPN access, HTTP traffic also get blocked. Is there any way to avoid this?
Will appreciate your answer.
are you sure it's not HTTPS ?
deep packet inspection.
or block the VPN targets instead.
For DPI, I was tried to go through the snort/ Zeek. Both need resources (networking skills and installing space) that I don't have.
When I blocked TCP 443, nothing can reach to internet.
Is there anything else/simpler ?
you were told the simpler method ...
you could try blocking UDP on port 443, but it'll at least partially break internet for your clients.
Not the clients, my kids 
I just wanted to prevent them to access VPNz
clients as in devices, not people ...
Many vpn protocols can be configured on any port. This means that a block on port 443 may or may not actually block a vpn connection. (This notwithstanding the practical issue of also blocking https traffic).
Now you can Imagine depth of skills..
so, no hope?
as @psherman pointed out, they'll just switch port, especially of they bounce of a friends VPN server, where they could rotate the port on a daily basis.
set up rules for what they are allowed to access, instead of not access.
what exactly are you trying to stop them from doing ?
the VPN is just a counter reaction to the obstacle you've created.
Not without a fairly sophisticated dpi filter that can identify and filter the type of traffic rather than blocking ports. Thst said, even thst may not be foolproof as there are obfuscation methods that could also be used. It very much depends on how tech savvy and/or determined your kids are.
Alternatively, you could use dns filtering to attempt to block connections to known commercial vpn service. Still not foolproof, but maybe easier to accomplish, assuming commercial vpns are the likely method your kids would try to use.
With VPN they are bypassing ad-gaurd and may reach to everything, which is unmonitored and not healthy for young brains.
I was just preventing them to do so.
Target was to give them filtered (ad guard) access to internet.
Specially during the vacation, tried to limit them to few educational websites, so created a new connection, but my eldest one, instead of studying, used VPN to bypass everything.
Any tutorial for DPI filters (which can be installed on home-based routers)/ DNS filter, that you can recommend. I tried to go through otherwise I will give-up and will be more focused on counselling.
Try this:
great, kid got a bright future in IT 
I got another suggestion for you, but I've never tried it myself, it's very high level, so basically everything Accenture ever deliver, I could charge you $300/hr for it.
set up a SNI proxy, like sslh, resolve all DNS requests to the IP of the proxy.
configure everything not containing SNI to be dropped.
it can probably be circumvented by encapsulating the VPN traffic in HTTPS packets though.
Perhaps you could try to block an HTTP/HTTPS proxy and block port 443 to force your kids to use that proxy.
On the proxy, you can block by domain name. And, if my memory serves me right, you can block CONNECT feature to prevent VPN connections.
Yeah, the proxy would basically by a MITM. IIRC, this requires installing the SSL certificate of the proxy on all client devices, otherwise you can't make any more HTTPS connections (HTTPS requires CONNECT).
Use Banip with a blocklist of VPN providers e.g.: https://github.com/X4BNet/lists_vpn
It does not prevent everything but makes it more difficult
thought OP was already doing it ...
On the other hand tell kids to share with you if they get into mind-bending videos about eggplants and melons. Kind of you rised them and together you can keep evils of world away.
