I wanted to find out if my Internet Service Provider (ISP) could block my VPN connections. I was worried my real IP address could be divulged across the internet if I wasn’t able to use VPN.
Can an ISP block a VPN? ISPs can block VPN connections by blocking the IP address of the VPN server being connected to, and they can also block the IP ports the VPN software uses for communication. ISPs can use deep packet inspection to determine whether internet traffic is VPN traffic rather than normal traffic, then use filtering tools to pick out the VPN traffic and block it.
The rest of this article will look in detail at the measures ISPs can use against customers who use VPNs, to block or limit them.
1. Block VPN IP addresses
Your ISP can block the internet addresses the VPN service uses, so when you start the VPN software on your computer, the IP address it tries to connect to, that is the IP address of the VPN server, is unreachable.
The ISP drops any requests made to these addresses automatically, so your VPN software tries several times without success to connect, then times out and most likely displays an error saying a connection to the VPN service could not be established.
The ISPs are smart enough to use a list of VPN IP addresses that has been compiled from different sources and contains the IP addresses of the many VPN services available.
This list can then be used to blacklist these VPN IP addresses, stopping any connections made to them, such as the VPN communication between the VPN customer's computer and the VPN service.
Many VPN providers are continually adding and changing the IP addresses they use, as well as operating out of more and more locations, and together this makes it somewhat difficult for ISPs to keep up with the new VPN IP addresses coming out.
Even when they share blacklists of these IP addresses amongst themselves, the pace at which the VPNs try to stay one step ahead of the ISPs makes it difficult to gain ground.
2. Block VPN Ports
Many ISPs can also block the ports used by the VPN software to reach the VPN service. I always try to use the railway and subway station analogy to describe IP addresses and ports. So, the IP address would be the location of a railway station, the ports would be the different platforms the railway station has, and the subway system would be the way to get to the specific subway station where the VPN offices are located.
Specific platforms have been blocked off, as these lead down to the subway where it's possible to get a subway train to the subway station where the VPN offices are. Other platforms also have access to the subway, but these have no direct subway train to the VPN offices, and as such these platforms are still accessible.
Without knowing the address of the railway station or of other railway stations, blocking all platforms with a subway link to the subway station where the VPN offices are would make it difficult to travel to the VPN offices by subway.
It wouldn't be impossible, as there could be an interchange on another subway line that allows changing onto the line with direct access to the subway station where the VPN offices are, but getting there directly from the railway stations would be difficult.
Now, comparing this to IP addresses and ports, the IP address is the location, like the railway station, and the ports are the platforms. So, if the ISP knows which ports are used for VPN connections then it doesn't necessarily need to block the IP address, it just needs to block the ports associated with VPN traffic.
The ISP ends up keeping a smaller list of the ports used for VPN connections instead of a massive list of all the IP addresses used by the VPN service providers.
This sounds like a win-win situation for the ISPs in enabling them to block VPN access, but the VPN service providers are one step ahead and simply use different ports for their VPN communication (check out my list of VPNs with port changing here).
Some ports, like port 443 and port 80, cannot be blocked by the ISPs as these are the crux of most web browsing, with port 80 being used for normal web traffic from web browsers to websites and port 443 being used for secure web traffic from web browsers to websites.
So, with this in mind, some of the VPN service providers simply set their VPN software to use these ports, with port 443 being a popular way to send their VPN communications. They know the ISP can't block these ports, making it easier for the VPN to carry on rerouting its communications through them.
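To make sections 1 and 2 concrete, here is a small added example (my own toy model, not code from the article or from any ISP or VPN product) of the two crude controls just described: a blocklist of known VPN server address ranges and a blocklist of well-known VPN ports. The address ranges and ports are constructed sample values (the IP ranges are the RFC 5737 documentation ranges, not real VPN infrastructure). Running the three scenarios through it shows why an IP blocklist catches a listed server on any port, why a port blocklist catches a brand-new server on the OpenVPN default port, and why neither rule can stop the same server once it sits on port 443.

```python
"""Toy model of two crude ISP controls: a blocklist of VPN server prefixes and a
blocklist of ports commonly used by VPN software. Constructed sample data only."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict

# Constructed blocklist of VPN server prefixes the ISP is assumed to have compiled
# (RFC 5737 documentation ranges, not real VPN addresses).
VPN_IP_BLOCKLIST = [ip_network("203.0.113.0/24"), ip_network("198.51.100.17/32")]
# Ports the ISP associates with VPN software: OpenVPN default, PPTP, IKE/IPsec NAT-T.
VPN_PORT_BLOCKLIST = {1194, 1723, 500, 4500}


@dataclass(frozen=True)
class Connection:
    dst_ip: str
    dst_port: int
    proto: str = "udp"


def blocked_by_ip(conn: Connection) -> bool:
    """Rule 1: drop anything whose destination falls inside a listed VPN prefix."""
    dst = ip_address(conn.dst_ip)
    return any(dst in net for net in VPN_IP_BLOCKLIST)


def blocked_by_port(conn: Connection) -> bool:
    """Rule 2: drop anything aimed at a port the ISP associates with VPN software.
    Ports 80 and 443 carry ordinary web traffic, so an ISP cannot put them on this
    list without breaking browsing for every customer."""
    return conn.dst_port in VPN_PORT_BLOCKLIST


def isp_verdict(conn: Connection) -> str:
    """Return which rule (if any) stops the connection: 'ip', 'port' or 'allow'."""
    if blocked_by_ip(conn):
        return "ip"
    if blocked_by_port(conn):
        return "port"
    return "allow"


def demo() -> Dict[str, str]:
    """Run the three scenarios from the article through the toy filter."""
    scenarios = {
        # Server on a listed prefix: the IP rule catches it whatever the port.
        "listed server, port 443": Connection("203.0.113.45", 443, "tcp"),
        # New, unlisted server on the OpenVPN default port: the port rule catches it.
        "new server, port 1194": Connection("192.0.2.10", 1194, "udp"),
        # Same new server moved to 443: neither crude rule can tell it from HTTPS.
        "new server, port 443": Connection("192.0.2.10", 443, "tcp"),
    }
    return {name: isp_verdict(c) for name, c in scenarios.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:26s} -> {verdict}")
```

The third scenario is exactly the gap the next section is about: once port and address rules both miss, the only thing left for the ISP to look at is the traffic itself.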
3. Deep packet inspection
ISPs could try to identify the web traffic going through some of the common ports to see if the traffic is actually VPN traffic, and to be able to do this they would need tools capable of inspecting the traffic, such as Deep Packet Inspection (DPI) tools.
Whilst many ISPs in countries where there are no internet restrictions wouldn't go to this level of inspection, other countries, where regimes try to control what their citizens can use the internet for, may incorporate deep packet inspection tools to restrict what their users can see on the internet. The Great Firewall of China is an example of using some forms of deep packet inspection to identify VPN-like traffic.
Some VPN providers try to mask their VPN traffic using obfuscation techniques, making it look like normal internet traffic rather than VPN traffic, so the ISP thinks the VPN traffic traversing its systems is just normal, innocuous internet traffic.
Again, depending on the sophistication of the Deep Packet Inspection tools, this obfuscated traffic could be analysed to determine whether it's VPN traffic in disguise.
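The following added example (my own illustration, not the article's code and not a real DPI product's signature set) shows the simplest form of what a DPI tool does: look at the first bytes of a packet payload and match them against a known wire format. It uses the public OpenVPN-over-UDP header layout (first byte = 5-bit opcode and 3-bit key id, then an 8-byte session id) and the public TLS record header (content type, version, length). The three payloads are constructed. The point it makes is the caveat from the paragraphs above: a plain OpenVPN handshake is trivially recognisable, but traffic that has been wrapped in a genuine TLS record on port 443 looks like any other HTTPS connection to a header-level check, so an ISP would need far deeper analysis to tell them apart.

```python
"""Toy header-level DPI classifier: plain OpenVPN handshake, TLS record, or unknown.
Byte layouts follow the public OpenVPN and TLS wire formats; samples are constructed."""
from typing import Optional

# OpenVPN's first byte packs a 5-bit opcode and a 3-bit key id: (opcode << 3) | key_id.
# The two opcodes that open a UDP session are the obvious signatures to look for.
OPENVPN_HARD_RESET_CLIENT_V2 = 7
OPENVPN_HARD_RESET_SERVER_V2 = 8
OPENVPN_SESSION_ID_LEN = 8

TLS_RECORD_TYPES = {0x16: "handshake", 0x17: "application_data"}


def looks_like_openvpn_handshake(payload: bytes) -> bool:
    """Plain (unobfuscated) OpenVPN-over-UDP session start: a hard-reset opcode with
    key id 0, followed by an 8-byte session id and at least the ack-array length byte."""
    if len(payload) < 1 + OPENVPN_SESSION_ID_LEN + 1:
        return False
    opcode, key_id = payload[0] >> 3, payload[0] & 0x07
    return key_id == 0 and opcode in (OPENVPN_HARD_RESET_CLIENT_V2,
                                      OPENVPN_HARD_RESET_SERVER_V2)


def looks_like_tls_record(payload: bytes) -> Optional[str]:
    """TLS record header: known content type, legacy version 0x0300..0x0303, and a
    2-byte length that matches the bytes that follow. Returns the type name or None."""
    if len(payload) < 5 or payload[0] not in TLS_RECORD_TYPES:
        return None
    if payload[1] != 0x03 or payload[2] > 0x03:
        return None
    length = int.from_bytes(payload[3:5], "big")
    if length != len(payload) - 5:
        return None
    return TLS_RECORD_TYPES[payload[0]]


def classify(payload: bytes) -> str:
    """Label a single payload. A header-only check like this is all a cheap DPI box
    does; anything that passes the TLS test is indistinguishable from web traffic."""
    if looks_like_openvpn_handshake(payload):
        return "openvpn_handshake"
    tls = looks_like_tls_record(payload)
    if tls:
        return f"tls_{tls}"
    return "unknown"


# Constructed sample payloads.
# 1. OpenVPN client hard reset: opcode 7, key id 0 -> 0x38, 8-byte session id,
#    ack-array length 0, then a 4-byte message packet id.
SAMPLE_OPENVPN = bytes([0x38]) + bytes(range(8)) + b"\x00" + b"\x00\x00\x00\x01"
# 2. A minimal TLS handshake record carrying 4 bytes of handshake data.
SAMPLE_TLS_HANDSHAKE = bytes([0x16, 0x03, 0x01, 0x00, 0x04]) + b"\x01\x00\x00\x00"
# 3. A TLS application-data record: what a tunnel carried inside real TLS on port 443
#    presents to this classifier, i.e. the same thing as ordinary HTTPS.
SAMPLE_TLS_WRAPPED = bytes([0x17, 0x03, 0x03, 0x00, 0x06]) + b"\x9a\x11\xf2\x07\x3c\xd8"

if __name__ == "__main__":
    for name, p in [("plain openvpn", SAMPLE_OPENVPN),
                    ("tls handshake", SAMPLE_TLS_HANDSHAKE),
                    ("tls-wrapped tunnel", SAMPLE_TLS_WRAPPED)]:
        print(f"{name:20s} -> {classify(p)}")
```

A real DPI system adds flow-level features on top of this (packet sizes, timing, how the TLS session behaves after the handshake), which is why the article is right that sufficiently sophisticated inspection can still flag disguised traffic; the header check alone cannot.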
4. VPN Throttling
Throttling involves restricting the flow of information, and restricting how much information flows through a VPN connection can slow down the experience of using the VPN to the point where it becomes unusable.
This tactic can be used as an effective deterrent against VPN use, but only if the ISP is aware the traffic is VPN traffic, otherwise it could be slowing down traffic for other legitimate connections.
Many ISPs have tools to shape traffic, that is, they can allocate capacity on their networks for different traffic types, so browsing the internet wouldn't have its flow of information restricted as much as downloading using torrents.
Likewise, they could also restrict the flow of information deemed to be VPN traffic, but more likely they will put a sensible cap on it, so it doesn't drown out the service for other users through increased contention but is still usable without grinding to a halt.
Another option for ISPs would be to charge more for their internet services if their customers wanted to use a VPN, so they would block VPN communications unless you were subscribing to one of their premium packages where VPN access was allowed.
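As an added example (my own simulation, not the article's code or any vendor's shaper), here is the mechanism behind the "sensible cap" described above: a token bucket per traffic class, which is how traffic shapers enforce a sustained rate while still letting short bursts through. The policy numbers are constructed (roughly 50 Mbit/s for web, 5 Mbit/s for traffic classified as VPN), time is simulated in whole milliseconds so the run is deterministic, and the offered load is a constant 24 Mbit/s stream. The web class passes everything; the VPN class is held to its cap and drops the rest, which is what a throttled VPN feels like from the customer's side.

```python
"""Toy per-class traffic shaper using token buckets, with simulated time.
Constructed policy and load; rates are in bytes, time in milliseconds."""
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class TokenBucket:
    rate_per_ms: int                       # bytes added to the bucket each millisecond
    burst_bytes: int                       # bucket depth: largest burst passed at once
    tokens: int = field(init=False)
    last_ms: int = field(default=0, init=False)

    def __post_init__(self) -> None:
        self.tokens = self.burst_bytes     # bucket starts full

    def allow(self, size: int, now_ms: int) -> bool:
        """Refill for the elapsed time, then pass the packet only if enough tokens remain."""
        elapsed = now_ms - self.last_ms
        self.last_ms = now_ms
        self.tokens = min(self.burst_bytes, self.tokens + elapsed * self.rate_per_ms)
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False                       # dropped here; a real shaper might queue it


def make_policy() -> Dict[str, TokenBucket]:
    """Constructed ISP policy: browsing gets headroom, classified VPN traffic gets a cap."""
    return {
        "web": TokenBucket(rate_per_ms=6_250, burst_bytes=1_500 * 64),   # ~50 Mbit/s
        "vpn": TokenBucket(rate_per_ms=625, burst_bytes=1_500 * 16),     # ~5 Mbit/s
    }


def simulate(traffic_class: str, packet_size: int = 1_500,
             packets_per_ms: int = 2, duration_ms: int = 1_000) -> Dict[str, int]:
    """Offer a constant stream to one class and count what gets through.
    The default of 2 x 1500-byte packets per ms is ~24 Mbit/s of offered load."""
    bucket = make_policy()[traffic_class]
    passed = dropped = 0
    for now_ms in range(duration_ms):
        for _ in range(packets_per_ms):
            if bucket.allow(packet_size, now_ms):
                passed += 1
            else:
                dropped += 1
    return {"passed_bytes": passed * packet_size, "dropped_packets": dropped}


if __name__ == "__main__":
    for cls in ("web", "vpn"):
        r = simulate(cls)
        mbit = r["passed_bytes"] * 8 / 1e6
        print(f"{cls}: {mbit:.2f} Mbit/s delivered, {r['dropped_packets']} packets dropped")
```

Because the bucket starts full, the VPN class gets a brief burst at full speed before settling at its cap; that initial burst is why a throttled connection often feels fine for the first second or two and then slows.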
Is it legal for an ISP to block a VPN?
If you're doing malicious activities that can harm your ISP or give them a bad reputation, such as running a botnet army, then yes, they could legally block your VPN, but they may instead take it further and terminate your internet access under their terms of service, which must be agreed before using their service. They could also alert the authorities if the severity of your actions is criminal.
Committing criminal acts using the VPN won't necessarily come to the knowledge of the ISP, as it won't be able to see anything its customer is doing over the VPN, so this isn't going to make the ISP block its customer's VPN connections or terminate their account.
However, if a legal agency gets involved then it could put pressure on the ISP to restrict access (depending on the jurisdiction) or even terminate access, but it will more than likely want internet access logs to prove the person was involved in the criminal activity.
This would wholly depend on the legal agency being able to identify the person committing the criminal acts, which will be difficult if they are using a VPN that doesn't keep logs.
The ISP can block VPN access by using techniques such as blocking the IP address of the VPN service provider, blocking the port the VPN service provider uses for its VPN software connections, and throttling the speed at which the VPN works, slowing down content accessed using a VPN by restricting the bandwidth used for VPN traffic.
How do you get a VPN unblocked? You can change to a different VPN server, as this will have a different IP address and may not be blocked. If the port is blocked, you can also change the port the VPN uses to a different one.
How do I bypass an ISP VPN block? The ISP will block the ports used by the VPN, with 1194 (UDP) being popular for VPNs based on OpenVPN. By changing the VPN to use another common port like 443, the ISP will not be able to block this port as it's used for secure internet browsing.