How does my network manager block VPN usage?

I have a vague idea of how TCP and UDP connections work, and a decent idea of how the HTTPS protocol works.

But I have no idea how VPNs actually work. 1) Can someone explain to me, in simple enough terms that I can understand with only this amount of prerequisite knowledge, but detailed enough that I can understand the mechanism by which VPNs actually function?

2) Can someone explain to me the tools that my network manager may have at hand to be able to block me from accessing VPNs?

Yes, I want to get around the block. Don't come at me for it; I live in a remote area with no other kind of access to the internet (mobile data etc.), and my school ISP is the only way for me to get access. I'm only justifying it because for some reason people on the internet seem to get mad about bypassing blocks set by network administrators.

Follow-up question to the previous one: 3) If I set up my own custom VPN on a VPS, would it be impossible for my ISP or network manager to do anything about it?

I block the VPNs for a 1000-person company. Here’s how we do it:

First off, none of the answers here are close to the mark yet. Moving VPN traffic to port 443 is a cute trick in theory because you can’t mass-block HTTPS traffic, except this idea falls apart practically: I don’t need to block requests over 443 if I’m blocking DNS requests at Layer 3 and Layer 7. Layer 3 blocks on routers will stop packets from being delivered except to addresses that we’ve allowed. Layer 7 DNS blocks will cover most of the script kiddie shenanigans since it is an application-specific blocklist.

So we bind DNS on any device that authenticates to our network. Then we proxy all DNS requests through a filtering program. Finally, to stop shenanigans like “fire up a VPN client from a browser tab,” we lock down installation of browser extensions and application installs.

People don’t try to blast through computer security; they try to go around it. We just take away as many ways around it as we can.

Some of the other comments are a little too pessimistic. It’s easy for a network admin to block a naive VPN protocol like OpenVPN, sure, but assuming they want the internet to keep working normally for the majority of users they will have a tough time blocking protocols specifically designed to evade network censorship. (I’m developing a VPN to get around China’s firewall, and believe me they have much more sophisticated techniques than your school’s IT department.)

Essentially a VPN creates an opaque tunnel to somewhere outside of your local network, then sends all of your internet communications through that tunnel. An example of a simple tunnel is an encrypted UDP connection on port 1194, which is what OpenVPN uses by default. In this case blocking the traffic is simple - the network just blocks all UDP traffic from port 1194. Since this port is almost exclusively used by OpenVPN, they don’t have to worry about accidentally blocking anything else (no collateral damage).

Stealth protocols are designed to mimic or actually use commonly used connection methods for their tunnel. For example, traffic can be tunneled through a TCP connection on port 443, which is how communication is done for almost all websites, so the network can’t just block everything by default or no websites would work for anyone. More advanced blocking might then look at the details of the TCP connection to try and determine what higher level protocol is being used - if the traffic looks like a regular HTTPS connection to a website, it will be let through, otherwise it might be blocked.

So that’s how network admins try to block VPNs based on protocol analysis, which is probably the simplest and most common method. A few other techniques your network admin might use are:

  1. IP blocklists: Basically the admin can block all traffic to IPs that are known VPN servers. This isn’t very effective nowadays with dynamic IPs.
  2. Traffic analysis: Someone else mentioned that if all of your traffic goes through the VPN tunnel, that is a major red flag. Because usually your traffic is going to a bunch of different servers from different programs. The solution to this is something called split tunneling, where you only use the VPN for things that are specifically blocked (a specific website, for instance), and use the regular network for everything else.
  3. Active probing: Basically the network checks if suspicious IPs are actually VPNs by pretending to be a VPN client and attempting to connect to them. If the server responds like a VPN, the IP gets blocked.
  4. Allowlists: In this case the network is set up to block everything by default, and only lets through a few allowed protocols or connections to allowed IPs. So for example the network may only allow HTTPS connections to Wikipedia. This will be the hardest to defeat but is also impractical to implement because almost everything will be blocked for all users.

There are lots of tools. Most of these VPNs have known addresses or ports. Easy to block. Every network manager monitors their traffic. If they want to block your VPN, they are going to block your VPN. You may get around it for a few days, maybe weeks. They will see it, they will block it. This is not to be mean, just blunt: it’s their network, it’s their rules. Running your own may get you more time. If you really want to try and hide it, use your VPN sparingly (no torrents) for things you want to hide and turn it off for things you don’t care if they see.

Blocking ports is the easiest. Running your own on port 443 TCP will never be blocked.

  1. By blocking all UDP ports, which disables WireGuard entirely (it only communicates over UDP) and prevents OpenVPN from being used with UDP.
  2. Blocking all ports that are not TCP 443/80 (used for HTTPS/HTTP respectively).
  3. Using Deep Packet Inspection, which blocks WireGuard and OpenVPN.

You can use Shadowsocks to get around all three.
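To show the administrator's side of the rules described in the two comments above (the numbered list of admin techniques, and the three port-based blocks just listed), here is an added example that is not from any commenter in this thread: a small flow classifier applying an IP blocklist, the OpenVPN default-port rule, an optional "block all UDP" rule, a TCP 443/80-only allowlist, and the single-destination traffic-analysis red flag, run over constructed flow records. The blocklisted address, the allowed ports and the sample flows are assumptions made for the example; DNS filtering and DPI are not modeled.

```python
from collections import Counter

# Constructed policy values (hypothetical, not from the thread): one blocklisted
# endpoint in the TEST-NET-2 documentation range, OpenVPN's default UDP port,
# and the two TCP ports a "443/80 only" policy leaves open.
VPN_IP_BLOCKLIST = {"198.51.100.8"}
OPENVPN_UDP_PORT = 1194
ALLOWED_TCP_PORTS = {80, 443}

def decide(flow, block_all_udp=False):
    """Apply the port/IP rules in order and return (action, reason) for one flow."""
    proto, dport, dst = flow["proto"], flow["dport"], flow["dst"]
    if dst in VPN_IP_BLOCKLIST:                 # IP blocklist wins even on TCP 443
        return "block", "ip-blocklist"
    if proto == "udp":
        if block_all_udp:                       # also removes WireGuard, which is UDP-only
            return "block", "all-udp-blocked"
        if dport == OPENVPN_UDP_PORT:           # naive OpenVPN default: no collateral damage
            return "block", "openvpn-default-port"
    if proto == "tcp" and dport not in ALLOWED_TCP_PORTS:
        return "block", "tcp-port-not-allowed"
    return "allow", "default"                   # TCP 443 to an unknown host passes

def top_destination_share(flows, src):
    """Traffic-analysis red flag: fraction of a host's bytes sent to its single top destination."""
    per_dst = Counter()
    for f in flows:
        if f["src"] == src:
            per_dst[f["dst"]] += f["bytes"]
    total = sum(per_dst.values())
    return per_dst.most_common(1)[0][1] / total if total else 0.0

# Constructed sample flows: .10 behaves like a normal browser; .11 pushes almost
# everything to one TCP 443 endpoint, which no port rule catches but the share check flags.
FLOWS = [
    {"src": "10.0.0.10", "dst": "203.0.113.5",  "proto": "tcp", "dport": 443,  "bytes": 5000},
    {"src": "10.0.0.10", "dst": "203.0.113.6",  "proto": "tcp", "dport": 443,  "bytes": 4000},
    {"src": "10.0.0.10", "dst": "203.0.113.9",  "proto": "udp", "dport": 53,   "bytes": 200},
    {"src": "10.0.0.10", "dst": "198.51.100.7", "proto": "udp", "dport": 1194, "bytes": 3000},
    {"src": "10.0.0.11", "dst": "203.0.113.20", "proto": "tcp", "dport": 443,  "bytes": 90000},
    {"src": "10.0.0.11", "dst": "203.0.113.9",  "proto": "udp", "dport": 53,   "bytes": 300},
    {"src": "10.0.0.11", "dst": "198.51.100.8", "proto": "tcp", "dport": 443,  "bytes": 1000},
]

if __name__ == "__main__":
    for f in FLOWS:
        print(f["src"], "->", f["dst"], f["proto"], f["dport"], decide(f))
    for host in ("10.0.0.10", "10.0.0.11"):
        print(host, "top-destination share: %.2f" % top_destination_share(FLOWS, host))
```

Note that the share check only produces a lead for review, not a block decision, since a host streaming video from one CDN looks the same to it; that is the collateral-damage trade-off the comments describe.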

If the client used IP addresses, no DNS requests would be made.

To answer your last question, it depends on what technique(s) your network admin is using. If they are using IP blocklists, sure, that will work. If they are using protocol analysis, it probably won’t work with a naive protocol like OpenVPN but probably will work with something in the Shadowsocks family.

They can, through DPI.

Use a dynamic IP and DNS. You give these schools too much credit. Most don’t have budget to fix their buildings let alone hire competent IT folks.