How to Bypass VPN Blocks – A Guide

Douglas Crawford

October 14, 2016

In this article, I discuss ways to bypass VPN blocks. Using a VPN is a great way to beat internet censorship. Under normal circumstances, all you need do is connect to a VPN server located somewhere that is not censored, and ta da! You have uncensored access to the internet.

The problem, of course, is that this feature of VPNs is well-known. And as a result, those who would censor your internet also try to block the use of VPNs to bypass their censorship…

Internet censorship

Internet censorship comes in many shapes and sizes. Common examples include:

Government censorship for political and/or social reasons

Classic examples include the Great Firewall of China and state censorship in Iran. The UAE has also recently hit the headlines for criminalizing the use of VPNs and the like to bypass its censorship restrictions.

Government censorship for copyright reasons

It is becoming increasingly common for governments to block access to websites that are deemed to promote or facilitate copyright piracy. This form of censorship is particularly common in European countries, with the UK leading the charge. Russia has also recently ramped up its efforts to block access to pirated content.


Many workplaces try to prevent employees from accessing content that might upset or offend other colleagues (see Not safe for work), or which is likely to distract them from work (such as chatting on social media or watching porn!). Such restrictions are usually quite understandable in the context of a working environment.

Schools and colleges

It is common for educational institutions to block access to web content. When the pupils are minors, this is arguably justified. It is less so, though, at universities and higher education establishments where the attendees are adults. Indeed, the notion of censorship at higher educational institutions is more than a little ironic!

Porn, social media, and websites linked to copyright infringement are usually the main targets. It is not uncommon, however, for political content to be censored.

Even more worrying is the common practice of denying young people access to important information relating to social issues such as drug advice, sexual health, racial and/or sexual discrimination, bullying, and more.

At home

Most parents have a natural desire to protect their children from the many dangers that exist on the internet. This, of course, includes the ocean of unsavoury and age-inappropriate content that exists there. While they are young, controlling access to such content is both sensible and advisable.

Censorship is a very blunt tool, however, and one that can backfire badly. You cannot protect your children from the world forever, and if they are old enough to understand how a VPN works, then it may be time to take a step back.

A far better approach, in my view, is to maintain a dialogue with your children. This will ensure that they have the moral framework and social/political understanding necessary to contextualize material encountered on the internet.

At some point, your children will become exposed to this content anyway, and in my opinion it is far better for them to feel able to approach their parents and talk honestly and frankly about material that disturbs or challenges them in some way.

This is surely preferable to them feeling a need to hide what they get up to on the internet, which will deny you the opportunity to provide the support they need. It is a big bad world out there, and I believe it is better to prepare children for its challenges than to censor it from them (which won’t work in the long run anyway).

Websites that block VPN users

It is becoming increasingly common for media streaming websites to block viewers who use VPNs to bypass geo-restrictions placed on their services. Prime examples include Hulu, US Netflix, and BBC iPlayer.

The reason for such blocks is almost always because copyright holders want to maximize their profits by artificially segregating the world market.

This form of VPN block is not really the focus of this article, which is more concerned with attempts to prevent the use of VPNs altogether. I will, however, add some notes on it later.

Legal considerations with VPN blocks

VPN blocks are put into place for a reason, and the people placing them usually take a dim view of efforts to evade their blocks.

That said, even in countries where VPNs are blocked (such as China and Iran), their use is almost never actually illegal. This means that evading VPN blocks will almost never get you into trouble with the law.

A notable exception to this general rule is the UAE, which has recently announced that anyone caught using a VPN risks a fine of up to 2 Million UAE Dirham (over US$500,000) and/or prison time. How rigorously this is enforced in practice remains to be seen, but caution is strongly advised when trying to evade VPN blocks in the UAE.

Of course, even though using a VPN and bypassing VPN restrictions are not usually illegal, per se, the content you access when using the VPN may be.

Safety considerations with VPN blocks

When using a private WiFi or LAN network, the owner of that network has every legal right to restrict what you can do when connected to their network. This includes school, university, office, and home networks, etc.

The chances of getting caught evading VPN restrictions on such networks is usually quite slim, but can potentially result in suspension, sacking, and other disciplinary measures.

It is, therefore, worth carefully considering whether the benefit of evading VPN blocks justifies the potential problems, should you get caught.

How do VPN blocks work?

VPN use can be prevented in a number of ways. And organizations that are very serious about blocking VPNs often combine techniques.

Note that with the exception of China (where all internet traffic to and from China is restricted to just 3 government controlled access points), government VPN blocks (and censorship) are almost always actually performed by ISPs at the government’s instruction.

Common tactics for VPN blocks include:

Blocking access to VPN websites

If you can’t access a VPN provider’s website then you can’t sign-up for its service or download its software. This form of censorship usually extends to VPN review websites (such as and other websites dedicated to methods of evading censorship.

Although rarely the only tactic employed, blocking access to VPN websites is a very common addition to other methods used.

Blocking IPs of known VPN servers

It is not too difficult to discover the IP addresses of the VPN servers used by VPN providers, and then block access to them.

This is by far the most common method of preventing VPN use, and when used together with blocking access to VPN websites, is usually the extent of most VPN blocks.

Given the large number of VPN providers out there, and the difficulty of keeping track of changing server IP addresses, most organizations settle for banning just the more popular VPN services. This means that users of smaller and less well-known VPN services can often “slip under the radar”.

Port blocking

By default, OpenVPN uses port 1194 (UDP, although this can be easily changed to TCP). Other VPN protocols use different ports. A simple but effective way to block VPNs, therefore, is to use a firewall to block these ports.

Deep packet inspection (DPI)

Deep packet inspection is “a form of computer network packet filtering that examines the data part (and possibly also the header) of a packet as it passes an inspection point.” Various technologies are used for DPI, with varying levels of effectiveness.

Data encapsulated by VPN protocols, however, is pretty easy to spot using even fairly basic DPI techniques. The content of the packets remains securely encrypted, but DPI can determine that it has been encrypted using a VPN protocol.

Using DPI to detect VPN traffic is definitely a step up in seriousness on the part of the organization performing the DPI.
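
The difference between a port rule and a basic DPI signature, as an added example (not from the original article): it labels a flow from the first bytes of its payload, where an unobfuscated OpenVPN client sends its opcode in the clear even though the tunnel contents stay encrypted. The Flow type, the function names and the sample payloads are constructed for illustration, and the TCP check assumes the first segment carries exactly one OpenVPN packet.

```python
import struct
from typing import NamedTuple

OPENVPN_DEFAULT_PORT = 1194
# Opcodes a client may send as the first packet of a session:
# 7 = P_CONTROL_HARD_RESET_CLIENT_V2, 10 = P_CONTROL_HARD_RESET_CLIENT_V3.
CLIENT_RESET_OPCODES = {7, 10}
# opcode/key-id (1) + session id (8) + ack count (1) + packet id (4)
MIN_RESET_LEN = 14


class Flow(NamedTuple):
    transport: str        # "udp" or "tcp"
    dst_port: int
    first_payload: bytes  # first client-to-server payload of the flow


def port_rule(flow):
    """The port-blocking rule: match only OpenVPN's default port."""
    return flow.dst_port == OPENVPN_DEFAULT_PORT


def is_openvpn_reset(packet):
    """True if the packet has the shape of an OpenVPN client hard reset."""
    if len(packet) < MIN_RESET_LEN:
        return False
    opcode, key_id = packet[0] >> 3, packet[0] & 0x07
    return opcode in CLIENT_RESET_OPCODES and key_id == 0


def is_tls_client_hello(data):
    """True if data starts with a TLS handshake record holding a ClientHello."""
    return (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x04 and data[5] == 0x01)


def classify_payload(flow):
    """Label a flow from its first payload bytes, ignoring the port."""
    data = flow.first_payload
    if flow.transport == "udp":
        return "openvpn" if is_openvpn_reset(data) else "other"
    # Over TCP, OpenVPN prefixes each packet with a 2-byte big-endian length.
    if len(data) >= 2:
        (length,) = struct.unpack("!H", data[:2])
        if length == len(data) - 2 and is_openvpn_reset(data[2:]):
            return "openvpn"
    return "tls" if is_tls_client_hello(data) else "other"


def sample_flows():
    """Constructed payloads for the demonstration (not captured traffic)."""
    reset = (bytes([7 << 3]) + bytes.fromhex("0011223344556677")
             + b"\x00" + struct.pack("!I", 0))
    hello_body = b"\x01\x00\x00\x26" + bytes(38)  # handshake header + filler
    tls = b"\x16\x03\x01" + struct.pack("!H", len(hello_body)) + hello_body
    http = b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"
    return [
        Flow("udp", 1194, reset),                               # default port
        Flow("tcp", 80, struct.pack("!H", len(reset)) + reset),  # moved port
        Flow("tcp", 443, tls),                                  # ordinary HTTPS
        Flow("tcp", 80, http),                                  # ordinary HTTP
    ]


def compare(flows):
    """Return (transport, port, port-rule hit, payload label) per flow."""
    return [(f.transport, f.dst_port, port_rule(f), classify_payload(f))
            for f in flows]


if __name__ == "__main__":
    for row in compare(sample_flows()):
        print(row)
```

The port rule matches only the first flow, while the payload signature labels both OpenVPN flows regardless of the port they use.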

Simple Solutions for VPN blocks

Use a mobile connection

Ok, so this won’t work for evading government blocks, but it will work at schools, colleges, at work, etc. And it is often by far the easiest solution. Rather than using a VPN to access content blocked on the local network, just access it on your mobile device using your mobile (cellular) connection.

This does mean that you will have to pay your usual mobile data charges, but it allows you to check your Facebook account with little effort and little chance of getting into trouble for it.

Try a different VPN provider and/or servers

As already noted, keeping track of all IP addresses belonging to all VPN providers is a momentous task. Switching to a lower-profile VPN service is therefore often enough to evade blanket IP blocks. Even if some IPs belonging to a particular VPN are blocked, simply changing to different ones run by the same provider might work.

Some VPN providers regularly recycle their IP addresses. This makes keeping track of the changes and blocking the new IPs a major headache. This tactic is often referred to as a game of “whack-a-mole”. It is worth asking your provider if this is something that it does.

Not many VPN providers currently fully support IPv6 (Mullvad is the only one I know of). This is almost certain to change, however, as new IPv4 addresses become unavailable. IPv6 hugely expands the number of IP addresses available. This means that as IPv6 becomes more widely adopted, simple IP blocks will become less and less effective.

Roll your own VPN

A more extreme but highly effective option is to run your own VPN server, and then connect to it from the censored location.

As the VPN server belongs to you, this does not provide the usual privacy benefits of using a commercial VPN service. It does, however, provide you with your very own unique VPN IP address, which will not be blocked.

You can set up a home PC to act as your personal VPN server, or rent and configure a VPS (which is also great for geospoofing). If rolling your own VPN on a VPS seems too hard, can do the heavy lifting for you.

Come prepared

When visiting places such as China, one of the most effective tactics is simply to come prepared! Sign up for a VPN service and download its software before your visit. Even when access to VPN providers’ websites is blocked, VPN connections themselves are often not.

If you have failed to come prepared (or never had the opportunity), alternative censorship-busting technologies can be used to access VPN websites. You can then sign-up and download their software.

Tor network

Tor is better at providing anonymity than it is at censorship-busting. This is because of the ease with which access to Tor nodes can be blocked. Tor bridges can be used to bypass IP blocks on Tor nodes, and obfsproxy (see below) can be used to hide Tor traffic from Deep packet inspection.

Shadowsocks (Chinese: 影梭)

This “is an open-source proxy application, widely used in mainland China to circumvent Internet censorship.” It is an open source anti-GFW tool/protocol/server created by a Chinese developer. Basically it’s a SOCKS5 proxy that is available for most major platforms.


This is similar to Shadowsocks, but is only available for iOS.


Derived from Tor, Lahana is designed to solve Tor’s problem with easily blocked exit nodes by making it “stupidly easy” to setup new nodes. Lahana was designed to defeat censorship in Turkey, but should also work well in many other censorship situations.


This uses a combination of VPN, SSH and obfuscation technologies to bypass censorship. If you encounter a block when using VPN, for example, you can switch to SSH or obfuscated SSH (SSH+) instead. One of the best things about Psiphon is that if you find the Psiphon website blocked, you can request the software be sent to you via email (contact

In fact, most VPN providers will also be happy to let you sign up and download their software via email. Just ask.

Change port numbers

Many custom VPN clients allow you to change the port they use. This is a good way to defeat port blocking. The two most popular choices of port to use are:

TCP port 80 – this is the port used by all “normal” unencrypted internet traffic. In other words, it is the port used by HTTP. Blocking this port effectively blocks the internet, and is therefore almost never done. The downside is that even the most primitive DPI techniques will spot VPN traffic using this port.

TCP port 443 – this is the port used by HTTPS, the encrypted protocol that secures all secure websites. Without HTTPS no form of online commerce, such as shopping or banking, would be possible. It is therefore very rare for this port to be blocked.

And as an added bonus, VPN traffic on TCP port 443 is routed inside the TLS encryption used by HTTPS. This makes it much harder to spot using DPI. TCP port 443 is therefore the favored port for evading VPN blocks.

Many VPN providers offer the ability to change port numbers using their custom software (especially when using the OpenVPN protocol).

Even if yours does not, many VPN providers do actually support OpenVPN using TCP port 443 at the server level. You can switch to it with a simple edit to your OpenVPN configuration (.ovpn) file. It is therefore worth asking your VPN provider about this.

Another option is to use the SSTP protocol (if available), which uses TCP port 443 by default.

Advanced solutions for VPN blocks

Some VPN providers offer more advanced VPN blocking solutions designed to defeat more sensitive DPI techniques. Such techniques analyze packet size and/or timing to detect OpenVPN’s rather distinctive handshake, even when hidden behind HTTPS.

Very sensitive (and therefore also very expensive, and rarely used) DPI may even detect VPN use when using the tactics outlined below. There are 2 basic approaches to advanced VPN concealment:

stunnel / SSL tunneling

stunnel is an open source multi-platform program that creates TLS/SSL tunnels. TLS/SSL is the encryption used by HTTPS, so VPN connections (usually OpenVPN) routed through these TLS/SSL tunnels are therefore very difficult to tell apart from regular HTTPS traffic.

This is because the OpenVPN data is wrapped inside an additional layer of TLS/SSL encryption. As DPI techniques are unable to penetrate this “outer” layer of encryption, they are unable to detect the OpenVPN encryption “inside”.

SSL tunnels are usually made using the stunnel software. This must be configured on both the VPN server and your computer. It is therefore necessary to discuss the situation with your VPN provider if you want to use SSL tunneling (a setup guide is available here for reference).

AirVPN is the only VPN provider I know of to offer stunnel functionality “out of the box” using its custom open source software. I am not otherwise familiar with Anonyproz, but it can be configured for stunnel, and other providers might also offer this feature.

SSH tunnelling

This is similar to SSL tunneling, except that the VPN data is wrapped inside a layer of Secure Shell (SSH) encryption instead. SSH is used primarily for accessing shell accounts on UNIX systems. Its use is mainly restricted to the business world, and is nowhere near as popular as SSL.

As with SSL tunneling, you will need to talk to your VPN provider to get it working. Again, AirVPN supports it “out of the box”.

SSH tunneling uses the PuTTY telnet/SSH client, and a relatively simple setup guide can be found here.

Obfsproxy (and similar technologies)

Obfsproxy is a tool designed to wrap data into an obfuscation layer. This makes it difficult to detect that OpenVPN (or any other VPN protocol) is being used.

It has been adopted by the Tor network, largely as a response to China blocking access to public Tor nodes. It is independent of Tor, however, and can be configured for OpenVPN.

To work, obfsproxy needs to be installed on both the client’s computer (using for example port 1194), and the VPN server. However, all that is then required is that the following command line be entered on the server:

obfsproxy obfs2 --dest=127.0.0.1:1194 server x.x.x.x:5573

This tells obfsproxy to listen on port 1194 (for example), to connect locally to port 1194 and forward the de-encapsulated data to it (x.x.x.x should be replaced with your IP address or to listen on all network interfaces). It is probably best to set up a static IP with your VPN provider so the server knows which port to listen in on.

Compared to stunnel and SSH tunneling, obfsproxy is not as secure. This is because it does not wrap the traffic in encryption. It is, however, somewhat easier to set up and configure, and has a much lower bandwidth overhead since it is not carrying an additional layer of encryption. This can be particularly relevant for users in places such as Syria or Ethiopia, where bandwidth is often a critical resource.

Some providers may use alternative technologies that are similar to obfsproxy. BolehVPN, for example, uses XOR obfuscation for its “xCloak” servers.


A note on the UAE

The above advanced solutions to VPN blocking will probably prevent VPN use being detected by DPI techniques (although the United Arab Emirates has been investing heavily in advanced internet surveillance systems).

It is believed, however, that UAE ISPs may also maintain an extensive database of VPN server IPs. They may therefore be easily able to determine that you are using a VPN simply by the IP you connect to (much as websites such as Netflix do).

In reality, it seems unlikely that you will be prosecuted just for using a VPN to watch Netflix in the UAE. If you piss the authorities off in some way, however, the fact that you use a VPN may give them a dangerous weapon to use against you.

I therefore recommend extreme caution when considering using a VPN (and bypassing VPN blocks) in the UAE.

A note on websites that block VPN users

This form of blocking can be challenging to overcome. Choosing a lower-profile VPN provider, or one that regularly recycles its IPs, can be effective. Trial and error is the key here.

I therefore strongly advise that you take full advantage of any free trials and money-back guarantees that are on offer. This will allow you to find out for yourself which VPN services work for the content you want to stream.

Remember that a service which works today could be blocked tomorrow. So it is a good idea to pay for a month’s subscription at a time. This is almost always more expensive than paying annually. But if the service becomes blocked (through no fault of its own), you will not be left with a year’s subscription that is useless to you!

It might also be worth looking at Smart DNS solutions, instead of using a VPN. Smart DNS services can also be blocked, but this is more difficult to do and is less likely to happen. Fewer Smart DNS services are banned than VPN services.

Some VPN services, such as AirVPN, use fancy DNS routing. This allows you to connect to services such as US Netflix and iPlayer, even when you are not connected to servers in the US or UK (respectively)! This is not always 100% effective, but is nevertheless impressive.


The vast majority of VPN blocks are fairly easy to overcome using a little lateral thinking. Even where sophisticated and highly sensitive deep packet inspection techniques are employed, technologies such as stunnel and obfsproxy are highly effective.

Douglas Crawford

I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. You can now follow me on Twitter - @douglasjcrawf.

18 Responses to “How to Bypass VPN Blocks – A Guide”

  1. Hi Douglas,

    We are a small VPN provider. Our IP addresses are being listed in IP2Proxy database and subsequently detected by several streaming providers.

    Other than recycling IP address, do you have other solutions to bypass the detection?

    1. Hi Micheal,

      I’m afraid that recycling IP addresses is the main solution, but I understand that it can be a drain on resources. I know that AirVPN used to pull off some fancy DNS routing tricks, but apparently this no longer works with the likes of Netflix and they have given up…

  2. Great write-up Mr. Crawford. I was recently in Dubai on holiday, and I configured the PIA OpenVPN client to use TCP 443 with the highest encryption, instead of the UDP protocol I use in my home country or elsewhere. I was always mindful however, that VPNs are frowned upon at the very least in Dubai, but I was also surprised to know that a lot of locals actually do subscribe to VPN services and do their torrenting and streaming using them. They seemed least bothered about being detected by Etisalat or other net providers, which I thought was kinda brazen, but hey, Arabs are different!

    Anyway, my question is as follows:
    I am confused by the reports out there, based on the Snowden slides, that the NSA and other 5 eyes intelligence agencies, have dedicated teams that crack VPN connections.
    However, in those reports, they mention PPTP and L2TP but I would like to ask you Doug,
    do you think they have somehow managed to find some flaw in the OpenVPN implementation that allows them to passively break strong encryption like for example an OpenVPN connection using HMAC-SHA256, RSA4096 and AES256 encryption?
    I just don’t see how this is possible. My VPN client uses the latest OpenSSL library, it is robustly tested, and OpenVPN itself is shown to be incredibly resilient to attacks, at least from what I have read.
    So, why are people still paranoid when they are using the highest level of encryption in their OpenVPN client and it is configured properly?
    What am I missing?

    1. Hi Gerhard,

      Thanks! The NSA has definitely compromised PPTP, and almost certainly compromised L2TP. As long as at least a RSA-2048 handshake and Perfect Forward Secrecy are used, however, OpenVPN is still considered to be secure. Two independent OpenVPN audits were published last week (here and here), which generally gave the open source software the all-clear. Some issues were found, but the only major ones related to potential Denial of Service (DoS) attacks, and did not affect the security of users. These issues have been fixed in OpenVPN 2.4.2.

      I think people basically don’t understand encryption, so trusting something they don’t understand is not easy. As I note in my hopefully-to-be-published-this-week “Complete VPN Encryption Guide,” however,

      When it comes to properly configuring a VPN, however, encryption is only half the story. The other half is ensuring that no traffic enters or leaves your computer outside of the VPN connection. To learn more about this, please check out my Complete Guide to IP Leaks.

  3. My OpenVPN client is sitting behind corporate firewall. My OpenVPN is sitting on its own network. Other clients are able to connect to it no problem.

    However, for this one specific client, its requests are seen by the OpenVPN server, but the server response doesn’t make it back to the client.

    The IT department can’t seem to figure out what is blocking the response. Is there anything
    I can ask them to look for? They have been working on this for two weeks with zero progress.

    1. Hi Bob,

      If every other VPN client connects to your VPN server except one, then I guess that it is being blocked by a firewall rule for some reason. If you can’t trace the rule, then maybe try connecting to the VPN server using a different port (such as TCP 443).

  4. Apparently Sky Go UK have really cracked down and I’ve not been able to connect these last few weeks from abroad, what would you say is the best way to resolve this, as none of Pure VPN’s servers are working, even a long list of dedicated ones they have suggested on chat? Every time I have spoken to them on chat they said they will look into it but it doesn’t seem like they are doing much about it.

    1. Hi Tom,

      If it tries hard enough, PureVPN (or any other VPN service) can get around such blocks by refreshing its IP pool or introducing fancy DNS routing. It will still be something of a cat and mouse game, but that’s just the way it is. If PureVPN is unwilling to make any serious effort to solve this problem, then I can only suggest switching to another service. Do make sure to take advantage of any free trials and/or money back guarantees on offer to check that the service works with Sky Go UK (and any other service you want to access). Although it means missing out on the bulk-buy bargains offered by most services, it might be worth purchasing shorter VPN package so you can easily change again if that service becomes blocked.

    1. Hi Tim,

      Thanks! I am always looking to improve my articles, so if there is anything specifically that you think could be better explained, please let me know.

  5. Just had a chat-room session with ExpressVPN regarding my inability to use Netflix with their VPN. Netflix also requires naked browser with no ad-block, no tracking-block and so on etc. I live in Seattle and am always there. Here’s what “Rain” from ExpressVPN told me QUOTE: “Oh sorry it will not work if you are physically in the US. You will have to disconnect the VPN and use your normal US internet connection to access US Netflix. It would also be the same case for any other VPN at the moment.” This seems to contradict what you say about using only certain VPN address locations to make it work. Yes? No? I’m now referring to Netflix as Netflakes; not really worth $10.94/month. 🙂

    1. Hi P. Duryea,

      Hmm. Well, I just ran some new tests for our updated ExpressVPN Review last Friday, including Netflix tests. I had no problem using US Netflix when configured for the included Smart DNS service (I am based in the UK). Using just the VPN I found the NY server was blocked by US Netflix, but all other US servers worked just fine.

      Regarding being in the US, I think the tech support person was a little confused. This may be a problem with smart DNS, as this intelligently routes DNS requests based on where you are and where you are trying to connect to, but it should make no difference if you simply connect to a VPN server in the US.

    2. I’ve had Netflix block my access over multiple VPN providers – I’m in the US, and have had Netflix on the phone while I drop the connection, sign in, then reenable the connection, and get dinged out.

      The claim from Netflix is that I’m an international baddie, yet I can show them that I’m connecting from a US native IP address – and one of the reasons I signed up for VPN was because of the throttling that US telcos were applying to Netflix.

      I run VPN at my internet gateway, not on the client, so flipping it off and on isn’t trivial. I wound up logging all my DNS requests when firing up a Netflix connection and building a list that, so far, works – traffic to this group of hosts bypasses the VPN, all other traffic goes over VPN. For the TV and dvd players as source hosts, I bypass the VPN for all traffic from them – so even when Netflix gets a step ahead of me, the consumer devices can still reach it.

      Unfortunately, the number of places that don’t accept connections from VPN providers is growing. I just found an issue with refusing to accept a connection from a VPN in at least one context.

  6. If a VPN server (stunnel, OpenVPN etc.) is running in the blocked country on the network of a blocking provider (example: home server), if a client connects through it, then blocked content is still blocked?

    1. Hi adrian,

      Yes. The VPN server acts as a proxy. If internet connections into and out of the VPN server are blocked, then they will also be blocked for any device connected to the VPN server. For a VPN server to be useful at defeating censorship, it must be located somewhere that is not censored. You can then connect to it from somewhere that is censored, and access the internet freely.
