A VPN provides many benefits, including unblocking geo-restricted content, stopping bandwidth throttling, and securing your data.

In addition, a VPN prevents your internet provider from snooping on your communications. That raises a question: can ISPs block VPN connections if they choose to? In theory, if your ISP is against VPNs, it will probably have a problem with you using one.

I don’t want to be a bearer of bad news, but yes, that is something they can do. We’ll discuss how they can go about doing that, and we’ll offer solutions and answer some pertinent questions.

How Do Internet Service Providers Block VPN Connections?

There are four situations in which your ISP might block your VPN connection, based on what we have seen:

  1. They could be blocking the VPN server’s IP address

First, let’s talk about the most likely scenario. Sadly, there’s a lot of wrong information floating around online about this, and some people have actually claimed that ISPs cannot do this.
Don’t get us wrong, we’d prefer if they couldn’t. However, they are not prohibited from doing so. Remember that your ISP will always be able to see the IP address of the VPN server you are connecting to.

In order to stop you from accessing that IP address, your ISP would simply impose firewall rules that block traffic to that specific IP address.

When you connect to a VPN server, how does your ISP know?

When they check the destination of your connection, they usually see both an IP address and a DNS resolution (the name of the website). A destination that shows only an IP address is likely to be taken for a VPN server, especially if the traffic is encrypted.

Additionally, they can use an IP lookup tool (such as IPinfo) to determine who owns the IP address. In this scenario, they’d probably guess they’re dealing with a VPN server if they see a data centre rather than a residential ISP.

How to Stop Your ISP from Blocking the VPN Server’s IP Address

To solve this problem, simply connect to a different VPN server. Once you switch IP addresses, their firewall will not block your new address.
However, if your Internet service provider (ISP) blocks all IP addresses that the VPN company owns, you cannot use the VPN. In reality, they are unlikely to keep up with every server you can connect to.

  2. They block the port that is used for VPN connections

Your ISP can also determine the VPN server’s port, just as they can see the IP address. Just as in the case of blocking access to an IP Address, your ISP can also block access to communications that run on specific ports. 

Some of the common VPN protocols use well-known ports: 

  • OpenVPN – 1194 UDP
  • WireGuard – 51820 UDP
  • L2TP – 500 + 4500 UDP
  • IPsec – 1701 UDP

Solution

Port 443 is the best choice. Your ISP cannot block the HTTPS port as it is one of the most vital ports. Basically, all your web access would be cut off if they did that.

However, not all VPN protocols support port 443. Fortunately, those that do are very secure. Most VPN providers will be able to supply you with a config file for OpenVPN, which comes in .ovpn format.

  3. Using DPI, they can detect OpenVPN traffic and drop your connection

An ISP can take an in-depth look at your traffic using DPI, which stands for Deep Packet Inspection. Using OpenVPN (like so many others) makes your connection very vulnerable to DPI. Why?

DPI can detect OpenVPN encryption because its signature is distinctive. Using a packet sniffer like Wireshark, your ISP may detect OpenVPN, rather than TCP or UDP, as the protocol for your connection. They can simply drop the connection, or block it, as soon as they see it.

Solution

A solution to this problem is obfuscation. It is a VPN feature that allows OpenVPN traffic to appear as regular Internet traffic. OpenVPN packets are stripped of OpenVPN-related data and assigned port 443. 

Alternatively, you could use another protocol, though your ISP can still identify your VPN usage based on the ports that are being used. If you have the option to choose high-numbered random ports, this can aid in the obfuscation.
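The signature check described in this section, as an added sketch that is not from the original article or from any vendor's DPI product: it labels the first payload of a flow by OpenVPN's opcode byte, and shows that an unobfuscated handshake is just as recognisable on TCP 443 as on UDP 1194. Function names and sample payloads are constructed for illustration.

```python
import struct

# OpenVPN's first byte is (opcode << 3) | key_id. A client opens every session
# with a "hard reset" control packet, which is what a signature rule keys on.
HARD_RESET_CLIENT = {1: "V1", 7: "V2", 10: "V3"}  # opcode -> variant
MIN_RESET_LEN = 14  # opcode(1) + session id(8) + ack count(1) + packet id(4)


def openvpn_reset(packet: bytes):
    """Return the hard-reset variant if `packet` looks like one, else None."""
    if len(packet) < MIN_RESET_LEN:
        return None
    opcode, key_id = packet[0] >> 3, packet[0] & 0x07
    if key_id != 0:  # the first packet of a session uses key 0
        return None
    return HARD_RESET_CLIENT.get(opcode)


def classify(transport: str, dst_port: int, payload: bytes) -> str:
    """Label a flow's first payload. dst_port is deliberately ignored:
    the verdict comes from the bytes, not the port. Heuristic only."""
    if transport == "udp":
        variant = openvpn_reset(payload)
    else:
        # Over TCP, OpenVPN prefixes each packet with a 2-byte big-endian length.
        if len(payload) < 2:
            return "unknown"
        (declared,) = struct.unpack("!H", payload[:2])
        body = payload[2:2 + declared]
        variant = openvpn_reset(body) if len(body) == declared else None
    if variant:
        return f"openvpn-hard-reset-{variant}"
    if transport == "tcp" and payload[:2] == b"\x16\x03":
        return "tls-handshake"
    return "unknown"


# Constructed sample payloads (not captured traffic).
RESET_V2 = bytes([7 << 3]) + bytes(range(8)) + b"\x00" + b"\x00\x00\x00\x00"
SAMPLES = [
    ("udp", 1194, RESET_V2),                                    # default port
    ("tcp", 443, struct.pack("!H", len(RESET_V2)) + RESET_V2),  # moved to 443
    ("tcp", 443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),  # TLS record start
]


def run_samples():
    return [classify(t, p, data) for t, p, data in SAMPLES]
```

A single leading byte is a weak signature, so a rule like this is normally combined with packet length and the server's reply before a flow is dropped.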

  4. GRE packets show up when you use PPTP

Some users still prefer PPTP due to its fast speeds. Nonetheless, it is an easy target for any ISP due to its lack of security (don’t forget that its encryption can be cracked). In addition, its non-standard GRE packets can be easily identified. As a consequence, your ISP can easily block or drop your connection.

Solution

The obvious solution is to not use PPTP. Other protocols offer better security than PPTP, and any of them can be used in its place. We recommend trying OpenVPN, WireGuard®, SSTP, or IKEv2 instead.

FAQs

That is definitely possible. You just need additional VPN servers to set up a double or multihop VPN. The first server will still be visible to your ISP. By blocking this connection, the entire double/multihop chain falls apart.

It is difficult to say. The problem might just be a misunderstanding on their part, in which case you should give them a call to see if the issue can be resolved.

ISPs often block VPN connections for the following reasons:

  • There is a common misconception that VPN users do illegal things online.
  • Many people think that VPNs are used to download illegal torrents.
  • ISPs don’t like it when their customers bypass bandwidth throttling and use data past the capped allowance.
  • Government mandate forces ISPs to block VPNs.
  • Certain sites are censored by the government. Consequently, they also block VPNs to ensure customers aren’t able to circumvent their restrictions.
  • A VPN hides your browsing. They don’t like it. After all, that’s data advertisers could use.
  • Your ISP simply doesn’t handle VPNs well.

It’s true that you can use Tor to circumvent your ISP’s VPN blocking, but that’s only a temporary solution (and a very slow one at that).

What is the duration of this fix? As long as your ISP does not block Tor. Your Tor IP address is visible to them, so they can simply block it. If you are using another VPN or proxy to access the blocked initial VPN server, it will be the same.

Are ISPs able to block VPN traffic? Conclusion

The answer is yes. Most often, they block either the IP address of the VPN server or the port through which it connects. Sometimes, they may even detect OpenVPN traffic using DPI.
In most cases, it’s easy to bypass VPN blocks. The way to bypass them is already explained, but we’d like to hear your ideas as well. ISPs that block VPN connections – what do you do? Feel free to share your experience in the comments.
