VPNs are amazing tools to have on your devices. Not only do they let you access geo-restricted content on the web, but they also secure your data and stop bandwidth throttling. On top of that, they stop your internet service provider (ISP) from spying on your web traffic.
Still, this may leave you wondering whether your ISP can block your VPN connection if it has a problem with you using a VPN in the first place.
Unfortunately, they can block your VPN. We’ll go into detail below about how ISPs are able to do this, and provide tips on how to stop it. But first, let’s take a look at why ISPs might want to block VPNs in the first place.
Why would my ISP want to block my VPN?
ISPs can block VPN connections for the following reasons:
- They don’t like the fact you’re using a VPN to encrypt your data and browse the web privately. After all, that data you’re encrypting is something they could easily sell to advertisers for a profit.
- They may not like the fact you’re bypassing bandwidth throttling and using up a lot of data.
- They may be concerned you’re downloading illegal torrents.
- Likewise, they may be concerned you’re using your VPN to do illegal things online, which is a common misconception.
- The government of your country forces ISPs to block VPNs.
- Or, the government forces your ISP to censor specific sites. Therefore, they block VPNs to ensure you are not using a VPN to gain access to those sites.
- Your ISP just doesn’t like VPNs.
It’s very hard to determine with certainty why your ISP is blocking your VPN. To give them the benefit of the doubt, it may just be a misunderstanding. If you suspect that is the case, you can contact your ISP to sort the problem out.
But now onto how ISPs block your VPN and how you can stop it. There are four main ways in which your ISP can block your VPN connection.
Your ISP Blocks the VPN Server’s IP Address
This is the most likely way your ISP will block your VPN. Some people believe that ISPs can’t do this, but unfortunately this is not true. There is nothing stopping ISPs from doing this, as your ISP will always see the destination of your VPN connection - the VPN server.
They will simply use a firewall to block that IP address, meaning you can’t connect to the server anymore. But you may be wondering how your ISP knows you’re connected to a VPN server.
Usually, when they check the destination of your connection, they see both an IP address and a DNS resolution (a website name). If they can only see an IP address, they’ll assume you’re using a VPN server, especially if your traffic is encrypted.
They can also use an IP lookup tool (like WhatIsMyIPAddress) to see who the IP address belongs to. If they do this and see a data center instead of a residential ISP, it becomes obvious to them that you’re using a VPN server.
Solution: The easiest solution is to connect to another VPN server. This will give you a new IP address that isn’t blocked by a firewall.
If your ISP blocks all the IPs you connect to, then you won’t be able to use the VPN anymore. But it’s unlikely your ISP will bother keeping up with all the servers you’re connecting to.
They Block the Port Used by the VPN Connection
Your ISP can also see which port the VPN uses, as well as the server IP address. If they consider it to be a non-essential port, they can block it and shut down your VPN access.
Solution: The best thing to do is use port 443 to connect to your VPN. It’s the HTTPS port, so your ISP can’t realistically block it: doing so would cut off all of your web access.
However, not all VPN protocols can use port 443. But the VPN protocols that can are really secure. These include OpenVPN, SoftEther, and SSTP. SSTP uses port 443 by default anyway, while OpenVPN requires you to pick that port. Its default port is 1994.
They Use DPI to Detect OpenVPN Traffic & Drop Your Connection
DPI stands for Deep Packet Inspection, and it’s a method of network analysis that allows your ISP to take an in-depth look at your web traffic. But if you use OpenVPN (like most VPN users do), your connection becomes a target for DPI.
This is because OpenVPN encryption has a distinctive signature that DPI can pick up. If your ISP were to use a packet sniffer like Wireshark, they could spot OpenVPN as your connection’s protocol instead of plain TCP or UDP. Once they notice your VPN connection, they could block it with a firewall or simply drop the connection to the VPN.
Solution: Really, the only solution is obfuscation. This is a VPN feature that conceals OpenVPN traffic, disguising it as regular internet traffic. It does this by removing VPN-related data from the OpenVPN packet and assigning port 443 to it.
You could also try using other protocols, but bear in mind your ISP can still tell whether you’re using a VPN based on which port is assigned to your packets.
You’re Using PPTP & They See Your GRE Packets
While PPTP (Point-to-Point Tunneling Protocol) remains popular due to its incredibly fast speeds, it offers low security because its encryption can be easily cracked. This makes it a sitting duck for any ISP. Unfortunately, its non-standard GRE packets are what make it so easy for ISPs to identify and drop or block your connection.
Solution: Unfortunately, the only solution is to stop using PPTP. Any other protocol would work well since they are far more secure than PPTP. We would recommend VPN protocols such as IKEv2, OpenVPN, SSTP, or WireGuard® instead.
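Added example (not part of the original article): a minimal Python classifier showing what the port, DPI and GRE sections above describe, namely that an OpenVPN handshake is recognizable from its first bytes even on port 443, and that PPTP stands out by its GRE header. The function names and sample packets are constructed for illustration, and the OpenVPN check assumes a configuration without tls-auth or tls-crypt.

```python
import struct

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE = 6, 17, 47
HARD_RESET_CLIENT_V2 = 7  # OpenVPN opcode: high 5 bits of the first byte

def classify(ip_proto, dst_port, payload):
    """Label one packet the way a simple DPI rule set would."""
    if ip_proto == IPPROTO_GRE:
        # PPTP uses enhanced GRE: version 1, protocol type 0x880B (PPP).
        if len(payload) >= 4:
            flags_ver, proto_type = struct.unpack("!HH", payload[:4])
            if flags_ver & 0x7 == 1 and proto_type == 0x880B:
                return "pptp-gre"
        return "gre"
    if ip_proto == IPPROTO_TCP and dst_port == 1723:
        return "pptp-control"  # PPTP control channel port
    body = payload
    if ip_proto == IPPROTO_TCP:
        # OpenVPN over TCP prefixes each packet with a 16-bit length.
        if len(payload) < 2 or struct.unpack("!H", payload[:2])[0] != len(payload) - 2:
            return "other"
        body = payload[2:]
    # Unauthenticated client reset: opcode/key id, 8-byte session id,
    # empty ack list, packet id 0. The port is never consulted.
    if (len(body) >= 14 and body[0] >> 3 == HARD_RESET_CLIENT_V2
            and body[0] & 0x7 == 0 and body[9:14] == b"\x00" * 5):
        return "openvpn-handshake"
    return "other"

# Constructed sample packets (payload after the IP/TCP/UDP headers).
RESET = bytes([HARD_RESET_CLIENT_V2 << 3]) + bytes(range(1, 9)) + b"\x00" * 5
SAMPLES = [
    (IPPROTO_UDP, 443, RESET),
    (IPPROTO_TCP, 443, struct.pack("!H", len(RESET)) + RESET),
    (IPPROTO_TCP, 443, b"\x16\x03\x01\x00\x05hello"),  # TLS-style record start
    (IPPROTO_GRE, 0, struct.pack("!HHHH", 0x3001, 0x880B, 0, 1)),
    (IPPROTO_TCP, 1723, b""),
]

def label_samples():
    return [classify(*s) for s in SAMPLES]

if __name__ == "__main__":
    for sample, label in zip(SAMPLES, label_samples()):
        print(sample[1], label)
```

Both OpenVPN samples are flagged although they use port 443, while the TLS-style record on the same port is not, which is why moving to port 443 helps against port blocking but not against DPI unless the traffic is also obfuscated.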