
How VPN Connections get Blocked

There’s always been an arms race between the VPNs and the blockers. As blockers get more creative, the VPNs respond. The old-style IP-based blocking remains in force, but it’s now augmented by a new, smarter type of blocking called Deep Packet Inspection (DPI).

Who blocks VPNs, and why?

Governments, streaming services, community websites, online games, and others block VPNs from time to time. The reasons for blocking a VPN are diverse, ranging from a government that wants to control its people’s information, to a blog site that’s fighting spam, to a streaming service with advertisers to please.

Blocking methods

The cat-and-mouse game of IP blocking continues.

The old way: IP-based blocking

This is the oldest and most basic way to block VPNs. If somebody wants to block VPNs, the simplest way to do this is to keep a list of known VPN servers and block all their IP addresses. NetShade’s relatively small size has at times been an advantage here. Our servers sometimes fly “under the radar” because they’re not doing mega-volume.

The new way: Content-based blocking

A few years ago, some providers started getting more clever about how to block VPNs. Egypt abruptly switched on Deep Packet Inspection around 2017, whereas other Internet-restrictive nations had been rolling it out gradually over the past decade.

With DPI, an access provider actually inspects the content of the packets that flow across their network, not simply the origin and destination. They can sniff out an OpenVPN handshake and block the connection before it completes.

NetShade’s way around Deep Packet Inspection

We implemented a unique approach to circumvent blocking with the release of NetShade 8.

Dynamic wrapping of VPN tunnels

NetShade 8 is able to wrap its VPN tunnels inside a second layer of encryption. This happens dynamically, as needed, and is transparent to the user.

Here’s how it works. You select a VPN server in NetShade on your Mac, and NetShade tries to open an OpenVPN connection. If the connection fails, NetShade assumes that it may be blocked by Deep Packet Inspection. NetShade then tries “Plan B,” wrapping the connection inside a second layer of encryption using stunnel. Although this layer of encryption is mostly redundant from a security standpoint (and its overhead is undesirable), it does have the effect of scrambling the recognizable OpenVPN handshake. This layering of technologies happens behind the scenes, without the end user being aware of it.
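To make the DPI and wrapping descriptions above concrete, here is an added example (not NetShade's code) of a simplified first-packet classifier of the kind a DPI box might apply, run against a constructed OpenVPN-over-TCP client reset and against the TLS ClientHello that a TLS wrapper such as stunnel would send first. The function names, the matching rule and the host name `vpn.example.invalid` are assumptions made for illustration.

```python
import os
import ssl
import struct

# OpenVPN control opcodes that open a session (high 5 bits of the opcode byte).
HARD_RESET_CLIENT_OPCODES = {7: "P_CONTROL_HARD_RESET_CLIENT_V2",
                             10: "P_CONTROL_HARD_RESET_CLIENT_V3"}


def classify_first_bytes(payload: bytes) -> str:
    """Label the first client-to-server TCP payload as a simple DPI rule would."""
    # TLS record: type 0x16 (handshake), version 3.x, 2-byte length,
    # then handshake type 0x01 (ClientHello).
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x04 and payload[5] == 0x01):
        return "tls-client-hello"
    # OpenVPN over TCP: 2-byte big-endian length, then opcode/key-id byte.
    if len(payload) >= 3:
        (pkt_len,) = struct.unpack("!H", payload[:2])
        opcode, key_id = payload[2] >> 3, payload[2] & 0x07
        if (opcode in HARD_RESET_CLIENT_OPCODES and key_id == 0
                and 14 <= pkt_len <= len(payload) - 2):
            return "openvpn-hard-reset"
    return "unknown"


def constructed_openvpn_reset() -> bytes:
    """Constructed sample: client hard reset without tls-auth (14-byte packet)."""
    # opcode byte, 8-byte session id, empty ACK array, packet id 0
    body = bytes([7 << 3]) + os.urandom(8) + b"\x00" + struct.pack("!I", 0)
    return struct.pack("!H", len(body)) + body


def first_flight_when_wrapped(server_name: str = "vpn.example.invalid") -> bytes:
    """First bytes a TLS wrapper puts on the wire, generated offline via MemoryBIO."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: no server attached, only the ClientHello is wanted
    return outgoing.read()


if __name__ == "__main__":
    print(classify_first_bytes(constructed_openvpn_reset()))
    print(classify_first_bytes(first_flight_when_wrapped()))
```

The bare connection matches the OpenVPN rule on its opcode byte, while the wrapped one presents an ordinary TLS handshake with the OpenVPN bytes carried inside the encrypted stream. The destination IP address is unchanged by wrapping, so IP-based blocking still applies.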

The Internet is ever-evolving, and so the content blocking arms race continues.