Is your VPN blocked at school, work or your favorite streaming platform?
Virtual Private Networks are the perfect tool for unblocking content and staying secure online, but that makes them targets for firewalls and blacklisting too.
There are several reasons your VPN service might be blocked. You’ll learn why you’re VPN is blocked and the most effective methods to bypass VPN blocks.
Best VPNs to bypass VPN Blocks
These are the best VPNs for bypassing firewalls and vpn blocks. They offer advanced features that helps them evade firewalls, packet filtering and other VPN-detection technologies.
- NordVPN – Obfuscated servers and VPN-over-Tor
- Private Internet Access – Stealth protocol & smartDNS
- IPVanish – Obuscation, Huge IP address pool
- Cyberghost – Obfuscated servers
- VPN.ac – stealth protocol
Why are VPNs blocked?
There are several reasons VPN traffic might be blocked on a network, service, or website.
These are the most common reasons.
1. School & Work
Schools, universities and employers often block VPN traffic. There are a variety of reasons they might elect to do so. In general in boils down to a few things:
- Distraction – If your network admin blocks social media apps and streaming sites to keep you focused at work or school, it makes sense to block circumvention technologies as well.
- Security – Because VPNs are encrypted, packet filtering technologies like DPI don’t work. This can prevent a cybersecurity risk, especially at the office.
- Liability – Some VPN uses can have legal risk, such as torrenting copyrighted files.
2. Licensing & Copyright
Many streaming services try to detect and block VPN usage. Netflix, Hulu, and Disney+ are a few examples of streaming apps with anti-VPN technology.
Content licensing is incredibly complicated and usually has different contracts for each geographic region. Because VPNs let you access content from multiple regions, they’re often targeted by streaming platforms.
VPNs may also be used to evade restrictions on account sharing by people that don’t live in the same location. This is something Netflix is cracking down on recently, asking account holders to pay for their shared accounts.
Fortunately, many VPNs have built workarounds that evade Netflix’s detection technology. Even better, such usage isn’t likely to be illegal, merely a terms of service violation.
Government censorship is widespread outside of western democracies. You’ve no doubt heard of the ‘Great Firewall of China’. Numerous authoritarian regimes around the world attempt to limit access to information as a form of control. This extends to VPN blocking, which can be used to circumvent firewalls.
China isn’t the only country doing this. Russia, Belarus, Iran, Iraq and Turkmenistan are a few examples of countries that have declared VPN usage illegal. Others like Turkey, China, UAE and Venezuela are using firewalls and blocking technologies instead.
4. Fraud & Abuse
Bad actors use proxies & VPNs for DDOS attacks, fraudulent credit card purchases, online theft and other forms of fraud. They use the anonymity and database of IP addresses to commit crimes.
Even though this is a tiny minority of VPN users, many financial and e-commerce sites have taken steps to block VPN connections, especially for users that aren’t logged in.
Examples of sites that have (or currently do) limit VPN traffic:
- Banks (blacklisted IP addresses)
- Forum sites
- Payment processors – Stripe, Paypal, Braintree
But here’s the good news…
Blocking VPN traffic requires identifying VPN traffic. Fortunately, there are several techniques you can use to disguise VPN traffic, making it almost unblockable.
How VPNs are Blocked
Network admins use multiple techniques to block VPNs and other encrypted traffic. These are the tools you’ll see most often:
VPN protocols like OpenVPN often run on the same default ports: 443 for TCP and 1194 for UDP traffic. If a firewall blocks these ports entirely, any VPN running on exclusively on those ports will be blocked as well.
Fortunately, full port blocking isn’t used very often, especially for port 443 which is also used by all SSL traffic (the encryption that protects all secure websites).
Bypass port blocking: Switch to a different tunneling protocol or non-standard port.
Deep packet inspection (DPI)
Even though VPN data packets are fully encrypted, they still contain metadata the tells intermediaries (like your ISP) where to forward them to.
Some VPN protocols even use default data packet headers that allow firewalls fingerprint VPN packets.
Firewalls use advanced software to perform this analysis. IT professionals call this Deep Packet Inspection (DPI) which can analyze the type and destination of every data packet traversing the network.
Deep packet inspection is what allows your ISP to tell the difference between youtube, web browser, VPN, skype or any of 1000+ other types of traffic. DPI is how a network can throttle, restrict, or even block certain types of traffic.
But here’s the key: If you can disguise your VPN traffic as regular web browser traffic, you can make it impossible for a network to block your VPN (unless they’re willing to block all https browser traffic. Not likely).
Bypass DPI: Use stealth protocols to obfuscate packet headers and circumvent fingerprinting.
Blacklisted IP addresses
VPN services rent huge pools of IP addresses which are shared among users with active VPN connections. Often these IPs are from the same ‘c-block’ of IP addresses, e.g. 100.65.192.1, 100.65.192.2 etc.
Services like Netflix attempt to identify which IP blocks belong to VPN traffic and then block those IP’s from streaming. Smaller companies can use 3rd-party IP blacklist databases provided by data brokers and cybersecurity consultants.
Blacklisting is the primary technique used by web-facing services and websites to block VPN traffic since they don’t have access to the raw packet data (like your ISP does).
Bypass IP Blacklisting – Switch to VPN servers, use dedicated IP addresses, use a VPN with integrated SmartDNS
How to Unblock a VPN
To combat VPN blockades, VPN providers have developed sophisticated workarounds to circumvent nearly every technology used by firewalls and websites to detect VPN traffic.
It’s important to choose the correct circumvention technique to match the blocking technology being used and the type of service or firewall that is blocking VPN traffic.
Recommended circumvention techniques:
- Switch server / IP address
- Change the VPN protocol or port
- Use obfuscation (stealth protocols)
- Use SmartDNS
- Get a dedicated IP address
- Change DNS servers
Change VPN Servers (new IP address)
Works for: sites and apps that block VPN usage. If it’s a streaming service (e.g. Netflix) you’re better off using SmartDNS.
If you’re getting a VPN error from a specific website, service or app, there’s a good chance your IP addresses is in their blacklist database.
Sometimes, simply switching VPN servers will do the trick, which should put you in an entirely new block of IP addresses. Companies like NordVPN and ExpressVPN offer well over 100 unique server locations.
It’s a good idea to use a server location that matches the app’s visitor demographic. So if you’re visiting a US website, use a server based in the USA. Your Lithuanian IP address looks suspicious.
You may have to try a few different locations until you find an unblocked IP address. If you’re still blocked, try clearing your browser cache & cookies or using a different browser altogether.
Works for: Firewalls that block specific ports or VPN protocols (work, school, public wi-fi, in-flight)
By default, most VPN apps use the OpenVPN UDP protocol on port 1194. OpenVPN is pretty obvious with its footprint and is easily blocked by even basic firewalls.
If your VPN app offers it, try switch to OpenVPN TCP which usually runs on port 443 (the same as HTTPs web traffic). This makes it harder to block with port-based blocking.
If that fails, switch to a different protocol altogether. L2TP/IPSec is a good backup option, though you may have to setup a manual connection to use it. Recently, many VPN providers are offering the Wireguard protocol which isn’t targeted by as many firewalls as OpenVPN and is harder to fingerprint.
VPN providers are aware that some ISPs/networks are blocking VPN traffic. That’s why they invented ‘Stealth’ VPN technology.
A stealth VPN can disguise/scramble your VPN traffic so it’s either not identifiable as VPN traffic, or even better — disguised as regular TLS encrypted web traffic.
Here are the two tried and true techniques to unblock your VPN service on almost any network:
Obfuscation (stealth VPN)
Works for: Firewalls that detect VPN traffic (ISP, School, Work, public wifi)
Protocols like OpenVPN don’t have to use default ports. Nor do they need to use the default packet headers that make them vulnerable to Deep Packet Inspection.
Lots of VPN apps now include stealth protocols or other obfuscation techniques that help disguise VPN traffic and make it harder to block.
Enabling this is usually as simple as turning obfuscation on in the VPN software (as with IPVanish) or switching to an obfuscated server (NordVPN).
VPNs can use multiple Obfuscation techniques, such as:
- changing default packet headers
- Add additional SSL encryption (disguise OpenVPN traffic as https traffic).
- Route through an encrypted proxy (e.g. ShadowSOCKS)
Some companies have even built stealth protocols from the ground up. Vypr VPN offers their excellent Chameleon protocol (based on OpenVPN) which even works to bypass the Chinese great firewall.
Obfuscated Servers: Other companies have dedicated servers with anti-blocking technology. All you have to do is a choose a compatible server in your VPN apps server selection view. NordVPN and Express VPN are two companies with obfuscated vpn servers.
Also read: The Best stealth VPNs
Works for: streaming services like Netflix, Hulu, NFL Sunday Ticket, HBOMax
If you want to access websites and streaming services like Netflix, you’ll need more than a simple VPN connection. These services use IP-blocking blacklists, network heuristics and other sophisticated strategies to detect VPN usage. Simply switching IP addresses isn’t going to cut it.
Instead, choose a VPN that uses an integrated smartDNS proxy to bypass VPN-detection algorithms. In fact, you don’t even need to use a VPN at all. Services like ExpressVPN’s mediastreamer DNS can be configured directly on your router, PC or mobile device.
SmartDNS works seamlessly behind the scenes and uses a secret pool of non-banned IP addresses for the initial authentication checks when you access a compatible streaming platform. It’s an elegant way to bypass VPN blocking.
Static / Dedicated IP Address
Most VPNs use pools or shared IP addresses, where you’re sharing a single IP address with dozens of other users. This type traffic often appears suspicious to websites and makes it easy to identify which IP blocks belong to VPN providers rather than residential traffic.
Some VPN services offer dedicated IP addresses, where you get your own unique IP that belongs to use you. These IPs are unlikely to be blacklisted and won’t have suspicious usage heuristics that you get with shared IPs.
Static IP addresses are usually a paid upgrade ($3-5 per month). VyprVPN even lets you deploy your own dedicated VPN server to a cloud VPS server which you can access using their app.
Switch to Mobile Data
Instead of using a firewalled wi-fi connection, just user your mobile data from your smartphone. You can even use the hotspot functionality or USB tethering to share your internet connection to other devices. This is perfect for streaming to your laptop at school if the school network is blocking VPNs .
Also read: How much data does a VPN use?
If your VPN doesn’t provide its own secure DNS servers, you’re likely using the default DNS provided by the network you’re connected to. These could leave you vulnerable to VPN blocking, even on simple consumer router models.
Instead, you can force your device to use 3rd-party (free) DNS services such as GoogleDNS (220.127.116.11, 18.104.22.168) or Cloudflare (22.214.171.124, 126.96.36.199).
This technique will only bypass the simplest of firewalls, but it’s a completely free tweak (and good privacy practice) so it’s worth a shot.
Also see: this list of Free DNS servers.
Advanced Obfuscation Techniques
If you’re trying to circumvent a sophisticated firewall, the above methods to circumvent vpn blocks may not work. In that case, you can try one of these advanced obfuscation techniques.
VPN over Tor
NordVPN is one VPN provider that offers a VPN server that tunnels your VPN through the Tor onion network. This is a network of encrypted, anonymous proxies that help obfuscate the VPN data packets themselves, not just the headers.
Tor was built from the ground up as an anti-censorship and privacy tool, and it makes it nearly impossible for an endpoint or middle-man to identify the original source of the traffic.
In our testing, Tor routing is quite effective at bypassing VPN blocks.
VPNs with VPN-Over-Tor Support
ShadowSOCKS is like a lightweight version of Tor, but doesn’t rely on a 3rd-party network of volunteer proxy nodes. Instead it’s a client that allows user (or VPN services) to tunnel to an encrypted proxy server over SSH. ShadowSOCKS can effectively transport and obfuscate UDP traffic such as OpenVPN.
Compared to Tor ShadowSOCKS offers faster speeds but may be less effective at bypassing the most advanced firewalls because it isn’t resistant to active probing.
Nevertheless, it’s proven highly effective at bypassing the Great Firewall and other national blockades.
Supported VPNs: Private Internet Access now includes a Shadowsocks option directly in their VPN app.
How to know if your VPN has been detected?
Websites that blacklist VPN usage are pretty transparent about whether they think you’re using one. For example, Netflix displays the famous ‘Netflix Proxy Error’ message if they detect your VPN connection.
Other streaming apps aren’t quite so blatant but usually display an error message to the effect of:
“This content cannot be streamed in your region”– Love, Hulu
And finally, some sites display no message whatsoever, they simply deny access. For example, I found that my online bank account would reject all my login attempts when connected to a certain VPN service.
Summary and additional resources
We’ve learned 3 different ways to unblock your VPN on any network, and get through any firewall.
The easiest solution is often the best, and you’ll find 90%+ success by using either OpenVPN on port 443, or a VPN with built-in obfuscation technology.
And if after exhausting all options you still find yourself blocked, then go with obfsproxy and Tor as the ultimate unblocker.
More useful articles and guides:
- Learn how VPN encryption works
- Why your passwords AREN’T strong enough
- The best VPN-capable wireless routers