CleanBrowsing provides a DNS filtering service, but like most DNS services it is limited by what is happening on the network. While our system will work to block access to VPN sites, its effectiveness is limited to what the network, and local device, allow.
In this article we introduce and explain VPNs so that users have a better understanding of what they are, how they work, and some of the challenges they present.
What is a VPN?
Virtual Private Networks (VPN) are tunnels that can be created inside your existing network. They create a private environment inside your existing network that opens a window to the outside world ignoring all the restrictions you might have in place. They are especially difficult to work with, and when used have the ability to circumvent almost all attempts to restrict content.
VPN’s were originally created as a way to allow a user to access information that is only accessible inside a network, securely, from a location outside of the network. Its application, however, has evolved dramatically since its original inception.
Today, in addition to what companies use it for, it is the preferred method to circumvent network restrictions. Those restrictions might be imposed by a streaming provider, think Netflix disabling shows in Europe, or other parts of the world. Similar restrictions might be imposed by network administrators like parent, companies, and even Internet Service Providers (ISP) trying to create safe browsing experiences.
How do VPN’s Work?
VPN’s create a tunnel outside of your network to another server on the internet. This tunnel wraps all the communication inside a secure wrapper (i.e., encrypts the data) and gives the user unfettered access to the internet. It’s the preferred method of bypassing content filtering services. This secure wrapper makes it impossible to see what they are doing, and also allows users to do, and see, whatever they like.
Challenges with Blocking VPNs
The issue with blocking VPN’s is in the way they function. In most instances, a DNS service like CleanBrowsing will detect and render a VPN useless, but there are instances in which that is not possible. This is typically when a VPN does not make use of traditional DNS, or they go directly to their own DNS services bypassing the network or device DNS services.
In scenarios like this, it makes it difficult for any DNS service, or filtering provider to help block the use of a VPN. This is further complicated by how accessible VPN’s are. Today a user is able to find a VPN inside their browser, local device and embedded inside existing applications.
What they all have in common, however, is that they all use a known set of protocols. Here is a list of their protocols, and something that can be used at the network level to help block VPNs:
|PPTP||Point-to-Point Tunneling Protocol (PPTP)||TCP||1723|
|SSTP||Secure Socket Tunneling Protocol (SSTP)||TCP||443|
|L2TP||Layer 2 Tunneling Protocol (L2TP)||UDP||1701|
|IPSec||Internet Protocol Security (IPsec).||UDP||500, 4500|
|L2TP with IPSec||Layer 2 Tunneling Protocol (L2TP) with Internet Protocol Security (IPsec)||UDP||500, 1701|
|OpenVPN||open-source commercial software. It uses a custom security protocol that utilizes SSL/TLS for key exchange.||TCP, UDP||1194|
|IKEv2||Internet Key Exchange version 2||UDP||500, 4500|
|WireGuard||A new VPN protocol that is being widely adopted by VPN providers.||UDP||51820|
This is not a comprehensive list of the different port combinations, but it does show the most common options.