How to Bypass VPN Blocks - A Guide

In this article, we discuss ways to bypass VPN blocks. Using a VPN is a great way to beat internet censorship. Under normal circumstances, all you need do is connect to a VPN server located somewhere that is not censored, and you have uncensored access to the internet.

The problem, of course, is that this feature of VPNs is well-known. And as a result, those who would censor your internet also try to block the use of VPNs to bypass their censorship...

Internet censorship

Internet censorship comes in many shapes and sizes. Common examples include:

Government censorship for political and/or social reasons

Classic examples include the Great Firewall of China and state censorship in Iran. The UAE has also recently hit the headlines for criminalizing the use of VPNs and the like to bypass its censorship restrictions. For more information about using a VPN to bypass censorship in these countries see our VPN for UAE and VPN for China guides.

Government censorship for copyright reasons

It is becoming increasingly common for governments to block access to websites that are deemed to promote or facilitate copyright piracy. This form of censorship is particularly common in European countries, with the UK leading the charge. Russia has also recently ramped up its efforts to block access to pirated content.

Work

Many workplaces try to prevent employees from accessing content that might upset or offend other colleagues (see Not safe for work), or that is likely to distract them from work (such as chatting on social media). Such restrictions are usually quite understandable in the context of a working environment.

Schools and colleges

It is common for educational institutions to block access to web content. When the pupils are minors, this is arguably justified. It is less so, though, at universities and higher education establishments where the attendees are adults. Indeed, the notion of censorship at higher educational institutions is more than a little ironic!

Porn, social media, and websites linked to copyright infringement are usually the main targets. It is not uncommon, however, for political content to be censored.


Even more worrying is denying young people access to important information relating to social issues such as drug advice, sexual health, racial and/or sexual discrimination, bullying, and more.

Websites that block VPNs

It is becoming increasingly common for media streaming websites to block viewers who use VPNs to bypass geo-restrictions placed on their services. Prime examples include Hulu, US Netflix, and BBC iPlayer.


The reason for such blocks is almost always because copyright holders want to maximize their profits by artificially segregating the world market.

VPN blocks are put into place for a reason, and the people placing them usually take a dim view of efforts to evade their blocks.

That said, even in countries where VPNs are blocked (such as China and Iran), their use is almost never actually illegal. This means that evading VPN blocks will almost never get you into trouble with the law.

A notable exception to this general rule is the UAE, which has recently announced that anyone caught using a VPN risks a fine of up to 2 million UAE Dirham (over US$500,000) and/or prison time. How rigorously this is enforced in practice remains to be seen, but caution is strongly advised when trying to evade VPN blocks in the UAE.

Of course, even though using a VPN and bypassing VPN restrictions are not usually illegal, per se, the content you access when using the VPN may be.

Safety considerations

When using a private WiFi or LAN network, the owner of that network has every legal right to restrict what you can do when connected to their network. This includes school, university, office, and home networks, etc.

The chances of getting caught evading VPN restrictions on such networks are usually quite slim, but getting caught can potentially result in suspension, sacking, and other disciplinary measures.

It is, therefore, worth carefully considering whether the benefit of evading VPN blocks justifies the potential problems, should you get caught.

How VPN blocks work

VPN use can be prevented in a number of ways, and organizations that are serious about blocking VPNs often combine techniques.

Note that with the exception of China (where all internet traffic to and from China is restricted to just 3 government-controlled access points), government VPN blocks (and censorship) are almost always actually performed by ISPs at the government’s instruction.

Common tactics for VPN blocks include:

Blocking access to VPN websites

If you can’t access a VPN provider’s website then you can’t sign up for its service or download its software. This form of censorship usually extends to VPN review websites (such as ProPrivacy.com) and other websites dedicated to methods of evading censorship.

Although rarely the only tactic employed, blocking access to VPN websites is a very common addition to other methods used.

Blocking IPs of known VPN servers

It is not too difficult to discover the IP addresses of the VPN servers used by VPN providers, and then block access to them.

This is by far the most common method of preventing VPN use, and when used together with blocking access to VPN websites, is usually the extent of most VPN blocks.

Given the large number of VPN providers out there, and the difficulty of keeping track of changing server IP addresses, most organizations settle for banning just the more popular VPN services. This means that users of smaller and less well-known VPN services can often "slip under the radar".

Port blocking

By default, OpenVPN uses port 1194 (UDP, although this can be easily changed to TCP). Other VPN protocols use different ports. A simple but effective way to block VPNs, therefore, is to use a firewall to block these ports.

Deep packet inspection (DPI)

Deep packet inspection is "a form of computer network packet filtering that examines the data part (and possibly also the header) of a packet as it passes an inspection point." Various technologies are used for DPI, with varying levels of effectiveness.

Data encapsulated by VPN protocols, however, is pretty easy to spot using even fairly basic DPI techniques. The content of the packets remains securely encrypted, but DPI can determine that it has been encrypted using a VPN protocol.

Using DPI to detect VPN traffic is definitely a step up in seriousness on the part of the organization performing the DPI.
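The difference between port blocking and DPI described above, as an added example (not part of the original article): a toy Python classifier that labels a flow by the first bytes of its payload rather than by its port, run next to a port-only rule. The sample payloads are constructed, and the byte layouts assumed are the publicly documented OpenVPN and TLS wire formats; only the plain OpenVPN client hard-reset packet is recognized, so obfuscated or tunnelled traffic is out of scope.

```python
import struct

# Ports a simple firewall rule would drop (OpenVPN's default, per the article).
BLOCKED_PORTS = {("udp", 1194), ("tcp", 1194)}
OPENVPN_HARD_RESET_CLIENT_V2 = 7  # opcode carried in the top 5 bits of byte 0
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ")


def is_openvpn_reset(body: bytes) -> bool:
    """True if body looks like a client's first OpenVPN control packet."""
    if len(body) < 9:  # opcode/key-id byte plus 8-byte session id at minimum
        return False
    opcode, key_id = body[0] >> 3, body[0] & 0x07
    return opcode == OPENVPN_HARD_RESET_CLIENT_V2 and key_id == 0


def classify_first_payload(payload: bytes, transport: str) -> str:
    """Label a flow's first client payload: http, tls, openvpn or unknown."""
    if transport == "udp":
        return "openvpn" if is_openvpn_reset(payload) else "unknown"
    if payload.startswith(HTTP_METHODS):
        return "http"
    # TLS record: type 0x16 (handshake), version 3.x, then handshake type 1.
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x04 and payload[5] == 0x01):
        return "tls"
    # OpenVPN over TCP prefixes each packet with a 2-byte big-endian length.
    if len(payload) >= 2:
        (framed_len,) = struct.unpack("!H", payload[:2])
        body = payload[2:2 + framed_len]
        if len(body) == framed_len and is_openvpn_reset(body):
            return "openvpn"
    return "unknown"


# Constructed samples (not captured traffic).
# OpenVPN reset: opcode byte, 8-byte session id, empty ack array, packet id 0.
OVPN_RESET = bytes([7 << 3]) + bytes(range(8)) + b"\x00" + b"\x00" * 4
# TLS ClientHello skeleton: record header, handshake header, zeroed body.
TLS_HELLO = b"\x16\x03\x01\x00\x2e" + b"\x01\x00\x00\x2a\x03\x03" + bytes(40)
HTTP_GET = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"

SAMPLE_FLOWS = [
    ("openvpn-default", "udp", 1194, OVPN_RESET),
    ("openvpn-on-443", "tcp", 443, struct.pack("!H", len(OVPN_RESET)) + OVPN_RESET),
    ("https", "tcp", 443, TLS_HELLO),
    ("http", "tcp", 80, HTTP_GET),
]


def compare_blocking(flows=SAMPLE_FLOWS):
    """Return {flow name: (blocked by port rule, blocked by payload check)}."""
    verdicts = {}
    for name, transport, dport, payload in flows:
        by_port = (transport, dport) in BLOCKED_PORTS
        by_dpi = classify_first_payload(payload, transport) == "openvpn"
        verdicts[name] = (by_port, by_dpi)
    return verdicts


if __name__ == "__main__":
    for name, (by_port, by_dpi) in compare_blocking().items():
        print(f"{name:16} port rule: {by_port!s:5}  payload check: {by_dpi}")
```

A single leading byte is a weak signal on its own, so a production filter would confirm the match against later packets before acting on it.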

Simple Solutions

Use a mobile connection

OK, so this won’t work for evading government blocks, but it will work at schools, colleges, at work, etc. And it is often by far the easiest solution. Rather than using a VPN to access content blocked on the local network, just access it on your mobile device using your mobile (cellular) connection.

This does mean that you will have to pay your usual mobile data charges, but it allows you to check your Facebook account with little effort and little chance of getting into trouble for it.

Try a different VPN provider and/or servers

As already noted, keeping track of all IP addresses belonging to all VPN providers is a momentous task. Switching to a lower-profile VPN service is therefore often enough to evade blanket IP blocks. Even if some IPs belonging to a particular VPN are blocked, simply changing to different ones run by the same provider might work.

Some VPN providers regularly recycle their IP addresses. This makes keeping track of the changes and blocking the new IPs a major headache. This tactic is often referred to as a game of "whack-a-mole". It is worth asking your provider if this is something that it does.

Not many VPN providers currently fully support IPv6 (Mullvad is the only one I know of). This is almost certain to change, however, as new IPv4 addresses become unavailable. IPv6 hugely expands the number of IP addresses available. This means that as IPv6 becomes more widely adopted, simple IP blocks will become less and less effective.

Roll your own VPN

A more extreme but highly effective option is to run your own VPN server and then connect to it from the censored location.

As the VPN server belongs to you, this does not provide the usual privacy benefits of using a commercial VPN service. It does, however, provide you with your very own unique VPN IP address, which will not be blocked.

You can set up a home PC to act as your personal VPN server, or rent and configure a VPS (which is also great for geospoofing). If rolling your own VPN on a VPS seems too hard, PrivatePackets.io can do the heavy lifting for you.

Dedicated IP addresses

Some VPNs offer dedicated IP addresses. This means that instead of sharing an IP with many other users, you are assigned a unique IP (much like if you roll your own VPN). Because this IP is unique to you, it is very unlikely to be blocked by websites such as Netflix and BBC iPlayer. As with rolling your own VPN, though, it does not have the privacy benefits of using a shared IP address. Check out our VPN for iPlayer page for more information about unblocking British content.

Come prepared

When visiting places such as China, one of the most effective tactics is simply to come prepared! Sign up for a VPN service and download its software before your visit. Even when access to VPN providers’ websites is blocked, VPN connections themselves are often not.

If you have failed to come prepared (or never had the opportunity), alternative censorship-busting technologies can be used to access VPN websites. You can then sign up and download their software.

Tor network

Tor is better at providing anonymity than it is at censorship-busting. This is because of the ease with which access to Tor nodes can be blocked. Tor bridges can be used to bypass IP blocks on Tor nodes, and obfsproxy (see below) can be used to hide Tor traffic from Deep packet inspection.


Shadowsocks (Chinese: 影梭)

This "is an open-source proxy application, widely used in mainland China to circumvent Internet censorship." It is an open source anti-GFW tool/protocol/server created by a Chinese developer. Basically it’s a SOCKS5 proxy that is available for most major platforms.

Surge

This is similar to Shadowsocks, but is only available for iOS.

Lahana

Derived from Tor, Lahana is designed to solve Tor’s problem with easily blocked exit nodes by making it "stupidly easy" to set up new nodes. Lahana was designed to defeat censorship in Turkey, but should also work well in many other censorship situations.

Psiphon

This uses a combination of VPN, SSH and obfuscation technologies to bypass censorship. If you encounter a block when using VPN, for example, you can switch to SSH or obfuscated SSH (SSH+) instead. One of the best things about Psiphon is that if you find the Psiphon website blocked, you can request the software be sent to you via email.

In fact, most VPN providers will also be happy to let you sign up and download their software via email. Just ask.

Change port numbers

Many custom VPN clients allow you to change the port they use. This is a good way to defeat port blocking. The two most popular choices of port to use are:

TCP port 80 - this is the port used by all "normal" unencrypted internet traffic. In other words, it is the port used by HTTP. Blocking this port effectively blocks the internet, and is therefore almost never done. The downside is that even the most primitive DPI techniques will spot VPN traffic using this port.

TCP port 443 – this is the port used by HTTPS, the encrypted protocol that secures all secure websites. Without HTTPS no form of online commerce, such as shopping or banking, would be possible. It is therefore very rare for this port to be blocked.

And as an added bonus, VPN traffic on TCP port 443 is routed inside the TLS encryption used by HTTPS. This makes it much harder to spot using DPI. TCP port 443 is therefore the favored port for evading VPN blocks.

Many VPN providers offer the ability to change port numbers using their custom software (especially when using the OpenVPN protocol).

Even if yours does not, many VPN providers do actually support OpenVPN using TCP port 443 at the server level. You can switch to it with a simple edit to your OpenVPN configuration (.ovpn) file. It is therefore worth asking your VPN provider about this.

Another option is to use the SSTP protocol (if available), which uses TCP port 443 by default.

Advanced solutions

Some VPN providers offer more advanced solutions to VPN blocking, designed to defeat more sensitive DPI techniques. Such techniques analyze packet size and/or timing to detect OpenVPN’s rather distinctive handshake, even when hidden behind HTTPS.

Very sensitive (and therefore also very expensive, and rarely used) DPI may even detect VPN use when using the tactics outlined below. There are 2 basic approaches to advanced VPN concealment:

stunnel / SSL tunneling

stunnel is an open source multi-platform program that creates TLS/SSL tunnels. TLS/SSL is the encryption used by HTTPS, so VPN connections (usually OpenVPN) routed through these TLS/SSL tunnels are therefore very difficult to tell apart from regular HTTPS traffic.

This is because the OpenVPN data is wrapped inside an additional layer of TLS/SSL encryption. As DPI techniques are unable to penetrate this "outer" layer of encryption, they are unable to detect the OpenVPN encryption "inside".

SSL tunnels are usually made using the stunnel software. This must be configured on both the VPN server and your computer. It is, therefore, necessary to discuss the situation with your VPN provider if you want to use SSL tunneling (a setup guide is available here for reference).

AirVPN is the only VPN provider I know of to offer stunnel functionality "out of the box" using its custom open source software. I am not otherwise familiar with Anonyproz, but it can be configured for stunnel, and other providers might also offer this feature.

SSH tunnelling

This is similar to SSL tunneling, except that the VPN data is wrapped inside a layer of Secure Shell (SSH) encryption instead. SSH is used primarily for accessing shell accounts on UNIX systems. Its use is mainly restricted to the business world, and is nowhere near as popular as SSL.

As with SSL tunneling, you will need to talk to your VPN provider to get it working.

 

Obfsproxy (and similar technologies)

Obfsproxy is a tool designed to wrap data into an obfuscation layer. This makes it difficult to detect that OpenVPN (or any other VPN protocol) is being used.

It has been adopted by the Tor network, largely as a response to China blocking access to public Tor nodes. It is independent of Tor, however, and can be configured for OpenVPN.

To work, obfsproxy needs to be installed on both the client’s computer (using, for example, port 1194), and the VPN server. However, all that is then required is that the following command line be entered on the server:

obfsproxy obfs2 --dest=127.0.0.1:1194 server x.x.x.x:5573

This tells obfsproxy to listen on port 1194 (for example), to connect locally to port 1194 and forward the de-encapsulated data to it (x.x.x.x should be replaced with your IP address or 0.0.0.0 to listen on all network interfaces). It is probably best to set up a static IP with your VPN provider so the server knows which port to listen in on.

Compared to stunnel and SSH tunneling, obfsproxy is not as secure. This is because it does not wrap the traffic in encryption. It is, however, somewhat easier to set up and configure, and has a much lower bandwidth overhead since it is not carrying an additional layer of encryption. This can be particularly relevant for users in places such as Syria or Ethiopia, where bandwidth is often a critical resource.

Some providers may use alternative technologies that are similar to obfsproxy. BolehVPN, for example, uses XOR obfuscation for its "xCloak" servers.

Addendum

A note on the UAE

The above advanced solutions to VPN blocking will probably prevent VPN use being detected by DPI techniques (although the United Arab Emirates has been investing heavily in advanced internet surveillance systems).

It is believed, however, that UAE ISPs may also maintain an extensive database of VPN server IPs. They may be easily able to determine that you are using a VPN simply by the IP you connect to (much as websites such as Netflix do).

In reality, it seems unlikely that you will be prosecuted just for using a VPN to watch Netflix in the UAE. If you piss the authorities off in some way, however, the fact that you use a VPN may give them a dangerous weapon to use against you.

We always recommend extreme caution when considering using VPN in UAE.

A note on websites that block VPN users

This form of blocking can be challenging to overcome. Choosing a lower-profile VPN provider, or one that regularly recycles its IPs, can be effective. Trial and error is the key here.

We strongly advise that you take full advantage of any free trials and money-back guarantees that are on offer. This will allow you to find out for yourself which VPN services work for the content you want to stream.

Remember that a service which works today could be blocked tomorrow. So it is a good idea to pay for a month’s subscription at a time. This is almost always more expensive than paying annually. But if the service becomes blocked (through no fault of its own), you will not be left with a year’s subscription that is useless to you!

It might also be worth looking at Smart DNS solutions, instead of using a VPN. Smart DNS services can also be blocked, but this is more difficult to do and is less likely to happen. Fewer Smart DNS services are banned than VPN services.

Some VPN services, such as AirVPN, use fancy DNS routing. This allows you to connect to services such as US Netflix and iPlayer, even when you are not connected to servers in the US or UK (respectively)!  This is not always 100% effective, but is nevertheless impressive.

Conclusion

The vast majority of VPN blocks are fairly easy to overcome using a little lateral thinking. Even where sophisticated and highly sensitive deep packet inspection techniques are employed, technologies such as stunnel and obfsproxy are highly effective.

Written by: Douglas Crawford

Has worked for almost six years as senior staff writer and resident tech and VPN industry expert at ProPrivacy.com. Widely quoted on issues relating to cybersecurity and digital privacy in the UK national press (The Independent & Daily Mail Online) and international technology publications such as Ars Technica.

41 Comments

Laura
on January 14, 2022
Hello there, thanks for the article! I am not tech savvy (or VPN and DNS savvy, for that matter) and I have a problem I have spent hours trying to figure out, before I call my (paid) VPN provider to complain. I have used Surfshark for three years. It has always been ABSOLUTELY USELESS to stream my Prime membership videos from the USA to Europe, or my Netflix membership, which is really frustrating, as they told me they could bypass the blocks (a blatant lie). I spend a lot of time in Germany now, so I canceled my service with Amazon and Netflix in the USA and got Amazon Prime in Germany, but I am fed up with the fact they dub most films instead of using subtitles, and they do not have access to the wide array of programs we have in the USA, despite paying a higher price for Prime. However, that is not my main concern. I need to have easy access to my bank accounts, and this is difficult when I am constantly changing location. Both transactions with my USA credit cards and my logins in the banks' websites get constantly blocked because they detect a foreign VPN. This has caused me major headaches, including a terrifying situation once I had to be checked into a hospital in Asia, and it was impossible to log into my bank account after they blocked my credit card. Surfshark was good enough to log into my banks, and my newspaper subscriptions without having to waste time with captcha and confirm my identity etc, up to a month ago. I always used the kill-switch function in case my Internet connection went down. My Internet service provider was then German o2, and we used a hotspot. However, two things happened last month: 1) I updated Surfshark 2) we changed email providers to O2, hoping for a faster internet connection and better phone service (we now realize we made a mistake, but got into a 2-year contract). Ever since, Surfshark using the kill-switch triggers the internet to stop working completely.
If I switch the "kill-switch" off, but remain connected to New York via my VPN, and then do a speed test with https://www.speedcheck.org/, at the foot of the page, where it reads "security" it says, in red "connection unproteted". Now, how is that possible if supposedly Surfshark is on? Is my PAID Surfshark service leaking my IP address when, even as I appear, connected via their servers? Is Surfshark not working or is it 1&1 (my new internet provider) blocking my Surfshark service, and that's why I get no internet if I use the Kill-switch option? Needless to say, both 1&1 and https://www.speedcheck.org/ SELL THEIR OWN VPN SERVICES. I consider it a serious conflict of interest if I am paying for the VPN service of my choice and my internet provider in free-market Germany is blocking it. So, there is that. But I also wonder whether any of the new add-ons that I have installed from Mozilla, could be causing the issue. I know this is a long message, but I would sincerely appreciate your opinion. As I said, I am not an expert on these subjects at all, and I could only understand 50% of your article. Thank you so very much for any insights you can provide and for the information you share in your website. Laura.
Andreas Theodorou replied to Laura
on January 17, 2022
Hi Laura, it sounds like you're in a bit of a pickle here. To make life a bit easier, here are a few things to do/keep in mind:

1. A lot of services that sell VPNs will often have "you are unprotected" unless they detect that you are accessing from one of their own IP addresses (it's a marketing tactic). A common way to check whether this is legitimate is to look at the IP and see if it matches your unprotected IP address. We have tools to help you check for this stuff, and I'd recommend having a look at our leak-testing tool. This will help you confirm whether Surfshark is leaking.

2. It's worth checking your connection settings: make sure you're using OpenVPN for the most tried and tested secure connection (use OpenVPN (TCP) if you're downloading, and (UDP) if you're streaming). I'd still recommend using the kill-switch to help keep your privacy secure, but I'd say try a different server (closer to you physically) as this will help improve your stability and speeds. I'd also recommend looking into a static/dedicated IP in America as this will help with things like online banking as it helps you appear as though you're coming from the same place every time.

3. I'd recommend getting in touch with SurfShark's technical support (if you haven't already). They'll be able to give you the best direction on their service and should hopefully help you resolve your issues. If not, please don't hesitate to get back in touch and we'll try and direct you to the best alternative services.

Best of luck, Andreas
Mike N
on May 3, 2020
VPN is not only used for privacy. For us here it is used to circumvent / fix Sprintlink's way too aggressive messing with our normal traffic: early tcp connection, e.g., which they prevent way too aggressive, makes that we cannot retrieve email from one of the email servers we use. Obviously after a couple of pop3s/imaps connections they decide to just send early resets and not forward the traffic to the remote server at all. Running the exact same through openvpn (the Internet firewall system uses a tunnel to a VPN server at a hosting provider VPS slice) corrects the situation: sprintlink does not see what is going on, all is UDP. Laying our own pipe through a bad provider using UDP VPN fixes everything that can impede TCP or other connection oriented protocols. That is probably the most important use of a VPN for us. Sure, now Sprint does not see our traffic at all. Also our 4G modems do not see anything but a point to point UDP stream, and all tries of Sprint to bypass by generating tons of ipv6 addresses on these does no longer work. End systems, workstations, phones do not know about the VPN so it cannot be bypassed by pesky Android or Apple phone software, on top of it 'salted' with spying provider software and network configurations. Streaming: who cares, we do not use services that detect our VPN and deny service. Their loss, and probably way better for us: the reason for that can only be bad things they intend to do instead of just providing the service we pay them for. Mike
Douglas Crawford replied to Mike N
on May 4, 2020
Hi Mike. Thanks for that insight. I assume from the ISPs you mention that you are based in the US?
Malik Mehrose
on February 19, 2020
Need solutions for ISP (Government) Blocked Internet. A best VPN for Android.
Douglas Crawford replied to Malik Mehrose
on February 24, 2020
Azharmir
on February 16, 2020
Sir no one trick are work in Kashmir (India) please give us a simple and easy way trick for unblock firewall please help we are facing very difficult in internet connectivity please help & sir which vpn is faster for us
Douglas Crawford replied to Azharmir
on February 24, 2020
Hi Azharmir. All I can suggest is to try the different methods discussed in the article. I would be surprised if none of them work, but overcoming internet censorship in places like Kashmir probably requires more than a "simple and easy way trick."