Many websites and services like Netflix started to block VPN connections to limit the reach of location-specific content. Restrictions in workplaces and schools made popular websites inaccessible, and some governments made internet censorship a reality. Because VPNs became a means to internet freedom, VPN connections themselves started to get blocked, but even where sophisticated censorship techniques are in use it is still possible to bypass VPN blocks.
Bypassing VPN blocks is not as difficult as it sounds. The tricks vary from traffic obfuscation to changing protocols, using different ports, or even using additional software such as Tor Browser or a Shadowsocks proxy to get past firewalls that block VPN connections.
Why do websites block VPN
Websites, governments, and services such as Netflix block VPNs to make content inaccessible. The reasons include legal requirements, copyright enforcement, security, and control exercised for ideological, moral, and economic reasons.
Studios that produce video content do their best to enforce the copyrights of a TV show or movie to earn their share. These copyrights are enforced per country, depending on market conditions and the interest of the viewers. Popular services like Netflix were therefore pushed to take action against streamers who violate these copyrights by accessing the service from abroad.
The same principle applies to any kind of content, whether written, filmed, or otherwise produced. Because such access violates the law, many streaming services and other websites started to investigate VPN and proxy connections and block them if they discover you are not in the country you seem to be in.
School, university and workplace rules
Enterprise businesses and educational institutions usually limit access to inappropriate content to make sure you are not distracted and do not offend your colleagues. However, the more practical reason is to secure private networks in order to protect the company’s financial or private information. By blocking VPNs, schools and workplaces take an extra precaution to make sure no one from outside can infect their private network. This way institutions reduce the risk of malware infection and make sure employees or students are not distracted.
Political, ideological, and economic ideas are the main reasons to censor and block websites country-wide. China is the most notorious country for blocking access to popular websites such as Facebook or Google. It uses advanced detection methods to block VPNs.
China, the United Arab Emirates, Iran, Iraq, and a few other countries have even outlawed the use of consumer VPNs, thereby limiting access to information and preventing exposure to other ideas and controversial content.
How VPN is blocked
There are 3 main methods to block a VPN connection. The simplest and most popular is to blacklist the VPN server’s IP address. Another is to block the port number the VPN uses. The most advanced, used by governments and ISPs, is called Deep Packet Inspection (DPI).
Blacklisting VPN IP address
Blacklisting IP addresses is one of the simplest ways to block a VPN connection. It is not that hard to detect which IP addresses belong to a VPN provider. There are even third-party lists of all IPs that belong to the popular VPNs. Streaming services like Netflix started to detect that a connection comes from a VPN server by measuring the amount of data transferred to and from a specific IP address.
For example, if multiple people stream while connected to the same VPN server, they generate an immense amount of data through one address. Such heavy data usage is an immediate red flag for Netflix-like services, and they block such connections immediately.
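The per-IP measurement described above can be sketched as detection logic. This is an added example, not code from any streaming service: the record layout, the thresholds, the function name `flag_shared_ips`, and the use of distinct account IDs to stand in for "multiple people" are all assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed session records: (hour bucket, source IP, account id, bytes).
# Addresses come from the documentation ranges; none are real observations.
SESSIONS = [
    (0, "203.0.113.10", "acct-01", 3_000_000_000),
    (0, "203.0.113.10", "acct-02", 3_000_000_000),
    (0, "203.0.113.10", "acct-03", 3_000_000_000),
    (0, "203.0.113.10", "acct-04", 3_000_000_000),
    (1, "203.0.113.10", "acct-01", 2_000_000_000),
    (1, "203.0.113.10", "acct-02", 2_000_000_000),
    (0, "198.51.100.7", "acct-10", 6_000_000_000),   # one heavy user
    (0, "198.51.100.20", "acct-20", 2_000_000_000),  # two-person household
    (0, "198.51.100.20", "acct-21", 2_000_000_000),
]


def flag_shared_ips(sessions, min_accounts=3, min_bytes=5_000_000_000):
    """Return {ip: (hour, accounts, bytes)} for IPs that exceed BOTH
    thresholds within a single hour. Thresholds are assumed values."""
    accounts = defaultdict(set)
    volume = defaultdict(int)
    for hour, ip, account, nbytes in sessions:
        accounts[(hour, ip)].add(account)
        volume[(hour, ip)] += nbytes

    flagged = {}
    for (hour, ip), accts in accounts.items():
        total = volume[(hour, ip)]
        if len(accts) >= min_accounts and total >= min_bytes:
            # Report the busiest hour seen for each flagged address.
            if ip not in flagged or total > flagged[ip][2]:
                flagged[ip] = (hour, len(accts), total)
    return flagged


if __name__ == "__main__":
    for ip, (hour, n, total) in flag_shared_ips(SESSIONS).items():
        print(f"{ip}: hour {hour}, {n} accounts, {total / 1e9:.1f} GB")
```

Requiring both conditions keeps a single heavy user or a small household from being flagged on volume alone.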
Port number blocking
Most VPN connections are established using VPN protocols that use specific port numbers. For example, the PPTP protocol uses port 1723, and OpenVPN over UDP uses port 1194. These ports can easily be blocked by firewalls so that a VPN connection cannot be established. IP blocking and port blocking are considered shallow packet inspection techniques, unlike DPI.
Deep packet inspection
An advanced method to detect and block VPN traffic is DPI (Deep Packet Inspection). This technique is mostly used by governments or ISPs. It not only inspects the packet headers (IP address, port number, and protocol) but also analyses the contents of the packet data.
The detection methods vary in success, but more and more sophisticated systems are being developed. When a stream of packets is found to contain specific traits related to VPN usage, the connection is blocked.
To bypass VPN blocks, providers try to hide and mask the encrypted traffic to make it look more general. They use various obfuscation methods and different port numbers that can circumvent the censorship.
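The difference between the port check and deep packet inspection, as an added example that is not from the original article or any vendor's product. The port numbers are the ones named above; the OpenVPN opcode layout and the TLS record bytes come from the public protocol formats, the function names are hypothetical, and the payloads are constructed.

```python
# Ports named in the article; a port firewall sees nothing beyond these headers.
VPN_PORTS = {("tcp", 1723): "PPTP", ("udp", 1194): "OpenVPN"}
# OpenVPN wire format: first byte = opcode << 3 | key_id. Opcodes 1, 7 and 10
# are the client "hard reset" messages that open a session.
CLIENT_RESET_OPCODES = {1, 7, 10}
MIN_RESET_LEN = 14  # opcode + 8-byte session id + ack count + 4-byte packet id


def shallow_verdict(proto, dst_port):
    """Header-only check (shallow inspection)."""
    return VPN_PORTS.get((proto, dst_port))


def deep_verdict(proto, payload):
    """Payload check on the first packet of a flow (deep inspection).
    Assumes the first TCP segment carries exactly one OpenVPN packet."""
    body = payload
    if proto == "tcp":
        # OpenVPN over TCP prefixes each packet with a 2-byte length.
        framed = (len(payload) >= 2
                  and int.from_bytes(payload[:2], "big") == len(payload) - 2)
        body = payload[2:] if framed else b""
    if len(body) >= MIN_RESET_LEN and body[0] >> 3 in CLIENT_RESET_OPCODES:
        return "OpenVPN"
    # TLS handshake record (0x16, version 0x03xx) carrying a ClientHello (0x01).
    if len(payload) >= 6 and payload[:2] == b"\x16\x03" and payload[5] == 0x01:
        return "TLS"
    return None


# Constructed first-packet payloads, not captured traffic.
RESET = bytes([7 << 3]) + b"\x11" * 8 + b"\x00" + bytes(4)
TLS_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"
FLOWS = [
    ("udp", 1194, RESET),                                # default OpenVPN port
    ("tcp", 443, len(RESET).to_bytes(2, "big") + RESET), # OpenVPN moved to 443
    ("tcp", 443, TLS_HELLO),                             # ordinary TLS
    ("udp", 1194, b"\x00" * 32),                         # other traffic on 1194
]


def classify(flows):
    """Return (shallow, deep) verdicts for each (proto, port, payload) flow."""
    return [(shallow_verdict(p, port), deep_verdict(p, data))
            for p, port, data in flows]


if __name__ == "__main__":
    for flow, verdict in zip(FLOWS, classify(FLOWS)):
        print(flow[0], flow[1], verdict)
```

The second and fourth flows are where the two methods disagree: the port rule misses OpenVPN on port 443 and mislabels unrelated traffic on port 1194, while the payload rule gets both right.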
How to bypass VPN blocks
Most of the techniques to circumvent a VPN block work by obfuscating the VPN traffic and making it look like general traffic. There are simple tricks and advanced techniques to achieve that, and here’s a list of how to bypass VPN blocks:
1. Make a mobile data hotspot
This one is trivial, but effective when trying to access websites blocked by the workplace or college. Using mobile data or making your mobile device a hotspot is an easy way to bypass VPN blocks. Connections made using mobile data are outside of the restricted network, so they are not subject to the workplace or school’s firewall rules. This trick, however, will not work country-wide since ISPs are regulated by the country’s law, so the websites blocked by the government will still be unreachable.
2. Change VPN server or even VPN provider
If you cannot get around the VPN ban on services like Netflix, you might want to change the server or the VPN provider. The best providers always monitor and renew their servers’ IP addresses so they constantly work with streaming services. Switching to the right server might be tricky since there are tons of servers to choose from. Or, if a VPN provider is not that good at unblocking such websites, it’s best to change it completely.
3. Change VPN protocol or port
Changing a VPN protocol or port number is actually easier than it sounds. It is almost always possible to select these options in the application’s settings screen. Some VPN protocols such as PPTP or IKEv2 use ports that can easily be blocked with a simple firewall. A good choice is therefore to use the OpenVPN TCP or SSTP protocols, since they use the very common and widely used port 443 (SSL/TLS), which is hardly ever blocked. More advanced users can try to configure the VPN app to use ports 2018, 41185, 443, and 80.
4. Use a VPN that has stealth or obfuscation technology
To make this as user-friendly and easy to use as possible, the best providers have implemented a feature that obfuscates and masks the VPN traffic. Using the stealth option allows connections to bypass VPN blocks and avoid being detected by DPI techniques. These features work most of the time, even getting around the sophisticated firewalls used by countries like China or the United Arab Emirates. With this setting the internet speed usually decreases, but it is well worth trying when visiting a restricted region.
5. Use a dedicated IP or custom VPN server
Many websites and services easily detect immense data usage or multiple connections coming from the same IP address. Luckily, there are VPNs that offer dedicated IP addresses, assigning a specific IP address to you alone. Using such a static IP circumvents the data usage detection systems because the traffic looks like regular single-user traffic.
The use of a custom-built VPN server would also have the same properties as having a dedicated IP address, but this is a way more advanced method requiring a lot of technical knowledge on how to build one. So if you’re a geek – build one, if not – go with a Dedicated IP address.
6. Use Tor Browser
Tor Browser is a specific kind of browser you can install on your device (requires admin rights). It is focused on security and routes internet traffic via the Tor network. It is configured in such a way that your internet packets’ IP address changes at least 3 times before reaching the destination, masking your true identity and allowing you to browse anonymously. The trick here is that the last IP exiting from the Tor network changes every 15 minutes, making it easy to bypass internet censorship.
7. Try Obfsproxy
Obfsproxy is another tool developed by the Tor Project that is specifically used to disguise OpenVPN traffic. This tool was created to avoid being detected by DPI techniques; however, it is not a hundred percent effective at bypassing VPN blocks all the time. It is not that hard to use Obfsproxy, but you will definitely need to use a few command lines to install it.
8. Use Shadowsocks
Shadowsocks was actually developed in China, and this software is considered illegal to use there. China’s Great Firewall uses DPI methods to distinguish protocols used by VPNs. Even with obfuscation technologies VPNs were sometimes blocked. Shadowsocks is somewhat similar to a VPN but it does not hide any online activity. It uses the SOCKS5 protocol and routes traffic to a proxy server. All traffic using Shadowsocks looks like general HTTPS traffic.
Shadowsocks only encrypts and disguises VPN traffic; it does not hide your identity. This is by far the most reliable way to bypass VPN blocks implemented by governments, but it is not so easy to set up. For it to work you actually need to have a Shadowsocks proxy server outside of the restricted region. One VPN that actually provides the Shadowsocks protocol out-of-the-box is Surfshark.
9. Create an SSL/TLS Tunnel
Secure Sockets Layer/Transport Layer Security are protocols that use the widely used port 443. Routing traffic via an SSL tunnel adds additional encryption to already encrypted VPN traffic so it is not possible to detect that a VPN is used. You can make such a tunnel with software called stunnel. There is no easy way to set it up and you’ll need to do some research on that.
10. Create an SSH tunnel
An SSH (Secure Shell) connection is mainly used to transfer files to and from a server. It is mostly used on Unix systems, as well as on Windows with a popular program called PuTTY. Like SSL, it is not that straightforward to configure and requires some command-line knowledge.
11. Use Psiphon software
It is another open-source application that utilizes VPN, SSH and HTTP proxy technologies. It is used to bypass VPN blocks and internet censorship. Psiphon is mostly used on Windows and mobile devices. It is much easier to use Psiphon than to create your own SSL or SSH tunnels. The app has a user-friendly interface and quite a detailed guide on how to use it with ease.
There are quite a few ways to bypass VPN blocks, from the simplest to ones that require technical knowledge. Unblocking websites at the workplace or school is as easy as using mobile data, trying Tor Browser, or changing the port used by the VPN app. Using different protocols or a dedicated IP, or simply changing the VPN server or provider, may unlock access to services such as Netflix or Hulu. More advanced methods, such as using tools like Shadowsocks or Psiphon or creating your own SSL tunnels, are used to bypass firewalls and sophisticated VPN detection techniques implemented by governments.
CyberWaters is a mixed crew of cyber security enthusiasts with a keen interest in data privacy, security and the technology behind it. We provide cyber security related content and give advice on best practices and tools for staying safe and secure online.