VPN Blocking: How to Circumvent?

[Zarathustra[H]]

So, I am a huge privacy advocate. I refuse to use any network if I can't connect to my VPN.

I don't have anything to hide, and I'm not doing anything illegal, but I also don't want to subject myself to identity theft, compromise my financial safety, and being spied on, even if it is anonymized for advertising / economic gain, it just does not sit right with me.

Thus, it is with great alarm that I have seen many WiFi networks lately have started using VPN blocking technologies.

Sometimes I just can't connect, other times disconnections are frequent. With some of these blocks, switching to my own home VPN server (not a known VPN server) and setting it up to use port 443 so traffic blends in with https requests helps, but not always.

To me this is unconscionable, and ought to be illegal, as you are subjecting your users to being targets online.

I have read of the techniques used by the "great firewall" in China, and how the Chinese have figured out clever ways to fake out the VPN blockers the Chinese government uses. I am presuming corporate users in the U.S. use some sort of similar technology. I'd imagine there is some sort of commercially available filter you can buy to block VPN users.

Question is, how do you trick them out and get around them like the Chinese do? It is sad that we have to go to extreme lengths to get our rights to privacy in the "free" United States, but more and more we are left with no other option.

Is anyone aware of any good guides?

 

[Nicklebon]

So you're asking for help to circumvent the TOS/security settings/will of the network owner? Staff member or not, get bent!

 

[k1pp3r]

To me this is unconscionable, and ought to be illegal, as you are subjecting your users to being targets online.

Why? You are using a service that someone else provides, if they want to block, limit, or charge you for said service, they can.

Sorry, but that is life.

 

[SvenBent]

rights to privacy in the "free" United States, but more and more we are left with no other option.

If you want freedom you need to move to a 1st world country.
However i do agree its seems weird for the wifi setup to block for VPN especially considering the risk about WiFi. But you are living in acountry that cares more about dollars and not humans so rights are often not worth anything unless they go hand in hand with earning money.

Contact the provider of the service and inform about the issue.

 

[Zarathustra[H]]

So you're asking for help to circumvent the TOS/security settings/will of the network owner? Staff member or not, get bent!

Why? You are using a service that someone else provides, if they want to block, limit, or charge you for said service, they can.

Sorry, but that is life.

I have zero respect for any system operator that does not have the privacy and security of their users in mind when setting up their Network, and will take it as my crusade to counter anything they can put in place and make it available to anyone who can use it, and I will feel completely justified in doing so.

What they are doing is not just wrong, it ought to be illegal.

Using open WiFi is generally considered a risk, and the only way to avoid that risk is to use a VPN. By blocking VPN's they are pugging people using their networks at risk, and that is just wrong.

 

[fairlane]

I'm not aware of any ability that circumvents an ISP's blocking of VPN services. Unfortunately you are at the mercy of your ISP. Unless you can change to one that doesn't block vpn services, I don't think there's anything you can do. You would be risking being terminated from your ISP if you could and were found out. Considering that there usually aren't many choices in ISP's (I don't know where you live obviously) to go around, you may leave yourself out in the cold if they terminate your service.

 

[Ocellaris]

What they are doing is not just wrong, it ought to be illegal.

Using open WiFi is generally considered a risk, and the only way to avoid that risk is to use a VPN. By blocking VPN's they are pugging people using their networks at risk, and that is just wrong.

You are an adult, just don't use the network if you don't agree to the terms and security offered.

 

[Nicklebon]

Using open WiFi is generally considered a risk, and the only way to avoid that risk is to use a VPN. By blocking VPN's they are pugging people using their networks at risk, and that is just wrong.

You do realize that using "open wifi" is no different than plugging in to an open ethernet port from an end user perspective right? Unless your certificate store has been compromised TLS is just as safe as it is on a wire. The question is rhetorical because it is clear you lack any understanding and are just parroting noise that you've heard. Wifi is more a risk to the operator than to the user. Grow up and stop whining like a child. Also, you need to not be be a staff member on this board.

 

[k1pp3r]

I have zero respect for any system operator that does not have the privacy and security of their users in mind when setting up their Network, and will take it as my crusade to counter anything they can put in place and make it available to anyone who can use it, and I will feel completely justified in doing so.

What they are doing is not just wrong, it ought to be illegal.

Using open WiFi is generally considered a risk, and the only way to avoid that risk is to use a VPN. By blocking VPN's they are pugging people using their networks at risk, and that is just wrong.

This goes both ways, as a "free" service provider, the said provider has the right to protect themselves against "users" utilizing their network and or VPN's to download copyright or other protected media.

It's not all about you, and you don't know if any AMP is utilized at the network edge or any other security measures taken by said provider.

If you don't like it, get a verizon hotspot which allows you to use a VPN over it and avoid "Free" services.

 

[Zarathustra[H]]

You do realize that using "open wifi" is no different than plugging in to an open ethernet port from an end user perspective right? Unless your certificate store has been compromised TLS is just as safe as it is on a wire. The question is rhetorical because it is clear you lack any understanding and are just parroting noise that you've heard. Wifi is more a risk to the operator than to the user. Grow up and whining like a child. Also, you need to not be be a staff member on this board.

Correct. SSL Content is still protected, and non-SSL content is less common these days since Google started downranking sites that did not use SSL, but privacy is still a concern, as a third party could theoretically monitor URL's and monitor visited locations.

 

[SJConsultant]

Correct. SSL Content is still protected, and non-SSL content is less common these days since Google started downranking sites that did not use SSL, but privacy is still a concern, as a third party could theoretically monitor URL's and monitor visited locations.

VPNs are blocked to protect the operator of the free wifi service from leeches who mask themselves behind VPNs while doing illegal activities. If you don't agree with what the operator of the free service is doing, then don't use their service.

Unless SSL decryption is utilized, then only the TLD is viewable and not the full URL.

SSL decryption is a semi-intrusive process that would require you to install the Wi-Fi provider's root SSL certificate. It is not an invisible process and would raise red flags for someone with your concerns.

 

[Nicklebon]

Correct. SSL Content is still protected, and non-SSL content is less common these days since Google started downranking sites that did not use SSL, but privacy is still a concern, as a third party could theoretically monitor URL's and monitor visited locations.

You should have just stopped at the first word, hung your head in shame and resigned. No; you had to continue your infantile diatribe. You left out block content they deem inappropriate which is more often than not the intent of monitoring . It is their network and their right to do so. If you don't like it go home back to your parent's house where their ISP can do the same as can their third party party vpn provider ... etc. No matter what you do and how many wrappers you put on it someone will see it. Even on TOR if someone wants to do so badly enough they can trace it all back to the source.

Also, since when is it acceptable to even discuss admin circumvention on this forum? That is seriously unethical bull shit!

 

[Elf_Boy]

What I found working with people when doing internet support for ATT was the VPNs block using WIFI not the other way around.

 

[goodcooper]

I have zero respect for any system operator that does not have the privacy and security of their users in mind when setting up their Network, and will take it as my crusade to counter anything they can put in place and make it available to anyone who can use it, and I will feel completely justified in doing so.

What they are doing is not just wrong, it ought to be illegal.

Using open WiFi is generally considered a risk, and the only way to avoid that risk is to use a VPN. By blocking VPN's they are pugging people using their networks at risk, and that is just wrong.

what you don't seem to realize is that what YOU'RE DOING could be construed as illegal behavior...

an operator of any network has the right to enforce whatever rules it wants on ITS network... if you're unhappy with it, DO NOT CONNECT TO IT

this is what mobile data is for...

you've got this weird notion that you're owed something here, a right to your privacy on a network that doesn't belong to you, fed by service that you don't pay for, when nobody owes you anything

the self-entitlement here is what's unconscionable

 

[Cmustang87]

Correct. SSL Content is still protected, and non-SSL content is less common these days since Google started downranking sites that did not use SSL, but privacy is still a concern, as a third party could theoretically monitor URL's and monitor visited locations.

Incorrect. You cannot see the URL unless you are decrypting the SSL traffic, which requires implementing some kind of MITM inspection. Web filters and firewalls, for example, are able to do this but requires certificates to be deployed so they are trusted MITM; but it can get messy. You can almost consider this impossible on public wifi somewhere, unless you enroll the device with a profile, etc.

Before SNI was implemented, you could not even see the hostname being requested in the packet.

I think you should read a bit more on SSL: http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html

Unless SSL decryption is utilized, then only the TLD is viewable and not the full URL.

I by no means intend to split hairs, but I'm going to go ahead and do it anyway . You can see the hostname being requested at the start of the handshaking process (thanks to SNI). Obviously you already know the difference between a TLD and a hostname since we've had some great threads in this forum together - so I'll just use this example as a clarification point for any other readers.

What's hilarious is that the OP Zarathustra[H] seems to think they have the right to connect to an open hotspot, and can consume it in anyway they'd like as if it was their own. That is a ridiculous level of entitlement.

You are connecting to a public wifi. This requires you to acknowledge their terms of usage, up to and including the security risks you are adopting by doing this. While you might be doing something completely innocuous, Joe Schmoe is chowing down on his panini, downloading torrents while soliciting sex to children online at the table next to you... on the business owner's internet.

For you to claim that an organization blocking VPN should be illegal is utter bullshit.

If they want to, they could block Google for all I care... but this would cause me to just not use their wifi as it wouldn't be particularly useful. This would be egregious, but they'd be well within their right to do it.

But I'm not going to go and complain about how they are allowing their users to use the internet.

 

[Eickst]

The owner of the network has the right and almost an obligation to protect itself and others from inappropriate use of its network. If you are hiding all of your traffic behind a VPN, they can't do that.

Tether to your phone.

 

[SJConsultant]

I by no means intend to split hairs, but I'm going to go ahead and do it anyway . You can see the hostname being requested at the start of the handshaking process (thanks to SNI). Obviously you already know the difference between a TLD and a hostname since we've had some great threads in this forum together - so I'll just use this example as a clarification point for any other readers..

No worries

Over the past few years working in education, explaining technical topics to non-technical people requires a hefty lack of nuanced details.

 

[Cmustang87]

No worries

Over the past few years working in education, explaining technical topics to non-technical people requires a hefty lack of nuanced details.

I hear ya - I worked as a sales engineer working primarily in education for about 3 years.

 

[farscapesg1]

Buy a hot spot and use that instead of trying to circumvent the security being used by the network owner?

 

[DrLobotomy]

1. Fire up Kali Linux

2.___________________

3.___________________

4. Profit.

 

[TordanGow]

Is anyone aware of any good guides?

No guides and I didn't read the whole thread but two ways I can think of off the top of my head:

1. Push OpenVPN through an SSH tunnel such as one using Putty (providing SSH works)
2. Use Obfsproxy to encapsulate your traffic in a HTTPS wrapper, this is different than just changing your OpenVPN port to 443. If the service provider is using DPI then it can pick out OpenVPN traffic despite the use of SSL on a typically SSL encrypted port. This tool wraps your VPN traffic so it looks like legitimate HTTPS traffic.

There are other ways, but these are probably the easiest.


EDIT: to those claim he is breaking the law I don't think this is the case. It's up to the provider of a service to block an activity, if they don't it's reasonable to assume it's allowed. How do I know that they don't want me to send VPN traffic over an SSH link? On the other hand I don't agree that blocking services like VPNs should be illegal either. Their free service, their rules, but if their service doesn't block it then it's free game IMO.

EDIT2: here's an article on what I'm talking about. https://community.openvpn.net/openvpn/wiki/TrafficObfuscation

 

[Dead Parrot]

Step 1: Ask the operator of the WiFi network if they are intentionally blocking VPN connections. Their 'tech expert' may have mis-configured something.
Step 2: If answer to #1 is yes, ask why.
Step 3: If you don't like the answer to #2, politely tell the manager that you won't be visiting their establishment any more and why. Also, if it is a chain, email corporate and complain.

 

[Daedalus0101101]

Step 3: If you don't like the answer to #2, politely tell the manager that you won't be visiting their establishment any more and why. Also, if it is a chain, email corporate and complain.

What a load of waffle. If you want to do whatever you want on the internet, pay for it yourself. Get a hotspot or tether your phone, or simply do it from home behind your own Firewall. There is no true 100% secure network except for no network. Just ask AP Moller-Maersk, Merck, or Mondelez International. I work in the IT Departmnet for a retail company and we do not offer WIFI at any of our locations for internal use or to the public. I have been told recently that we are going to roll WIFI out to our retail locations for internal use only. I already know that I am going to receive trouble tickets asking for login information, or that "Customers" are complaining the WIFI doesnt work ( even though it will be internal only), or that the WIFI on Device X doesnt work ( due to them trying to go somewhere they shouldnt be going). I've already told the people that want this that its not going to be open season with this. Plus this adds another aspect of PCI-DSS compliance that I am going to have to work on each and every year now.

 

[Liver]

No guides and I didn't read the whole thread but two ways I can think of off the top of my head:

1. Push OpenVPN through an SSH tunnel such as one using Putty (providing SSH works)
2. Use Obfsproxy to encapsulate your traffic in a HTTPS wrapper, this is different than just changing your OpenVPN port to 443. If the service provider is using DPI then it can pick out OpenVPN traffic despite the use of SSL on a typically SSL encrypted port. This tool wraps your VPN traffic so it looks like legitimate HTTPS traffic.

There are other ways, but these are probably the easiest.


EDIT: to those claim he is breaking the law I don't think this is the case. It's up to the provider of a service to block an activity, if they don't it's reasonable to assume it's allowed. How do I know that they don't want me to send VPN traffic over an SSH link? On the other hand I don't agree that blocking services like VPNs should be illegal either. Their free service, their rules, but if their service doesn't block it then it's free game IMO.

EDIT2: here's an article on what I'm talking about. https://community.openvpn.net/openvpn/wiki/TrafficObfuscation

This man gets it. It's subtle but very important difference.

 

[TCM2]

Connecting via OpenVPN, in decreasing levels of visibility:

1. on udp/1194
2. on tcp/443
3. in a TLS tunnel on tcp/443

If the last one doesn't work, then

4. in an ICMP tunnel
5. in a DNS tunnel

If those don't work, you aren't actually connecting to a network that wants you to use any of the Internet. If you can use the Internet, you can use a VPN. End of story.

I also don't buy the bullshit of "the operator has to protect itself against abuse". The whole idea of a VPN is, among others, to shift responsibility from the network operator to the VPN operator. If you use a VPN, your base network becomes a simple carrier that is invisible to Internet peers. All they see is your VPN endpoint.

 

[Agromahdi123]

Connecting via OpenVPN, in decreasing levels of visibility:

1. on udp/1194
2. on tcp/443
3. in a TLS tunnel on tcp/443

If the last one doesn't work, then

4. in an ICMP tunnel
5. in a DNS tunnel

If those don't work, you aren't actually connecting to a network that wants you to use any of the Internet. If you can use the Internet, you can use a VPN. End of story.

I also don't buy the bullshit of "the operator has to protect itself against abuse". The whole idea of a VPN is, among others, to shift responsibility from the network operator to the VPN operator. If you use a VPN, your base network becomes a simple carrier that is invisible to Internet peers. All they see is your VPN endpoint.

thats some sneaky shit i never thought of VPN on port 53

 

[TCM2]

It's not simply VPN on port 53, it's VPN inside DNS requests/answers. It's really just a last resort, though. Performance sucks.

 

[Agromahdi123]

It's not simply VPN on port 53, it's VPN inside DNS requests/answers. It's really just a last resort, though. Performance sucks.

yea i know what you men when you say "in a DNS tunnel" , i was just like !!!!!! cause i manage a small (i call it small) retail network across three stores, and i was just like huh, i guess if someone really tried, i couldnt really stop vpn through a DNS tunnel.

 

[goodcooper]

yea i know what you men when you say "in a DNS tunnel" , i was just like !!!!!! cause i manage a small (i call it small) retail network across three stores, and i was just like huh, i guess if someone really tried, i couldnt really stop vpn through a DNS tunnel.

sure you could, just redirect all outbound traffic on 53 to a DNS server of your choice

 

[TCM2]

As long as that server truthfully resolves any name on the Internet, you have a tunnel.