What is a VPN and How Does It Impact Filtering?

Understanding VPN Tunneling and Its Effect on Network Security

A Virtual Private Network (VPN) creates an encrypted tunnel that can bypass network restrictions and hide internet activity. While VPNs have legitimate uses, they pose significant challenges to DNS-based content filtering. Learn how VPNs work and what you can do about it.


Step 1: What is a VPN?

A VPN (Virtual Private Network) creates an encrypted tunnel between your device and a remote server. Unless split tunneling is configured, all of the device's internet traffic passes through that tunnel, so everything between the device and the VPN server (the local router, the ISP, and any DNS-based filtering service configured on the network) sees only the tunnel, not the activity inside it.

Originally designed for secure corporate access — allowing employees to connect to office networks remotely — VPNs are now widely used by individuals to circumvent content filters, bypass geographic restrictions, and enhance privacy.

While VPNs serve legitimate purposes, they present a significant challenge for families, schools, and organizations that rely on network-level content filtering to maintain safe browsing environments.

Step 2: How VPNs Work

The VPN tunneling process involves four key steps:

  • Connection: The VPN client on your device authenticates to a VPN server, typically operated by a provider like NordVPN, ExpressVPN, or ProtonVPN, and the two sides negotiate session keys
  • Encryption: The client encrypts every outbound packet, including DNS queries, and sends it to the VPN server; the server decrypts it and forwards it to the real destination on the internet
  • Response: The destination replies to the VPN server, which is the only address it ever sees, instead of to your device
  • Delivery: The VPN server encrypts the reply and sends it back through the tunnel, where the client decrypts it

Inside the tunnel, DNS lookups and website visits are hidden from anything monitoring the local network. What the network still sees is one encrypted flow from the device to the VPN server's IP address and port, together with its timing and volume, and, just before the tunnel comes up, the DNS lookup the client makes for the VPN server's hostname. The websites visited through the tunnel are not visible at all.

Step 3: Common VPN Protocols and Ports

Each VPN protocol has its own handshake and default ports. Knowing them matters if you want to block VPN traffic at the firewall, but remember that whoever operates a VPN server can move any of these protocols to a different port:

  • OpenVPN: UDP or TCP port 1194 by default. The most widely used open-source VPN protocol; highly configurable and considered very secure.
  • WireGuard: UDP port 51820 by default. A newer, lightweight protocol gaining popularity for its speed and simplicity.
  • L2TP/IPsec: UDP port 500 for the IKE key exchange, UDP port 4500 when NAT traversal is in use, and UDP port 1701 for L2TP itself (normally carried inside the IPsec tunnel), plus ESP (IP protocol 50) when no NAT is in the path. An older protocol that is built into most operating systems.
  • IKEv2/IPsec: UDP ports 500 and 4500, plus ESP (IP protocol 50) when there is no NAT. Common on mobile devices because MOBIKE lets the tunnel survive switching between Wi-Fi and cellular.

Many commercial VPN providers can also run their tunnel over TCP port 443 (the HTTPS port), often with an obfuscation layer that makes the handshake look like ordinary TLS, so blocking by port alone does not stop them.
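
The port list is a starting point, but a firewall rule keyed on ports alone misses a tunnel moved to 443. The classifier below is an added example, not CleanBrowsing's code or any vendor's: it fingerprints the first packet of a flow against the published WireGuard, OpenVPN and IKEv2 handshake formats, then runs over a handful of constructed flow records (RFC 5737 documentation addresses, payloads built inline) and compares the result with the naive port rule. This is also what the tunnel looks like from the local network side, as described in the steps above: one opaque flow per device to one server, which is all a fingerprint has to work from.

```python
# Added example (not CleanBrowsing's code): fingerprint VPN protocols from the first
# packet of a flow instead of trusting the destination port. The byte layouts are the
# published WireGuard, OpenVPN and IKEv2 wire formats; the flow records at the bottom
# are constructed test data (RFC 5737 documentation addresses), not captured traffic.
import struct

# Default ports from the protocol list above: a hint, never proof.
PORT_HINTS = {1194: "OpenVPN", 51820: "WireGuard", 500: "IKEv2", 4500: "IKEv2", 1701: "L2TP"}

# WireGuard: 1-byte message type, 3 reserved zero bytes, then a fixed-size body
# for each handshake message type.
WG_FIXED_LENGTHS = {1: 148, 2: 92, 3: 64}   # initiation, response, cookie reply

def looks_like_wireguard(payload: bytes) -> bool:
    if len(payload) < 4 or payload[1:4] != b"\x00\x00\x00":
        return False
    kind = payload[0]
    if kind in WG_FIXED_LENGTHS:
        return len(payload) == WG_FIXED_LENGTHS[kind]
    # Type 4 transport data: header (4) + receiver index (4) + counter (8) + Poly1305 tag (16)
    return kind == 4 and len(payload) >= 32

def looks_like_openvpn(payload: bytes, tcp: bool) -> bool:
    if tcp:
        # Over TCP every OpenVPN packet is prefixed with its 2-byte big-endian length.
        if len(payload) < 2 or struct.unpack("!H", payload[:2])[0] != len(payload) - 2:
            return False
        payload = payload[2:]
    # Smallest session opener: opcode byte + 8-byte session id + ack count + 4-byte packet id
    if len(payload) < 14:
        return False
    opcode, key_id = payload[0] >> 3, payload[0] & 0x07
    # P_CONTROL_HARD_RESET_CLIENT_V2 (7) and _SERVER_V2 (8) always carry key id 0
    return opcode in (7, 8) and key_id == 0

def looks_like_ikev2(payload: bytes, port: int) -> bool:
    if port == 4500:
        # UDP-encapsulated IKE on 4500 starts with a 4-byte zero non-ESP marker.
        if payload[:4] != b"\x00\x00\x00\x00":
            return False
        payload = payload[4:]
    if len(payload) < 28:
        return False
    _ispi, rspi, _next, version, exchange, flags, _msgid, length = struct.unpack("!QQBBBBII", payload[:28])
    # IKE_SA_INIT (34) from the initiator: IKEv2 header, responder SPI still zero,
    # initiator flag set, and the length field covering the whole message.
    return version == 0x20 and exchange == 34 and rspi == 0 and bool(flags & 0x08) and length == len(payload)

def classify(port: int, proto: str, payload: bytes):
    """Return the VPN protocol a flow's first packet fingerprints as, or None."""
    if proto == "udp" and looks_like_wireguard(payload):
        return "WireGuard"
    if looks_like_openvpn(payload, tcp=(proto == "tcp")):
        return "OpenVPN"
    if proto == "udp" and port in (500, 4500) and looks_like_ikev2(payload, port):
        return "IKEv2"
    return None

def port_only(flows):
    """The naive port-based rule from a typical firewall checklist, for comparison."""
    return [(src, dst, port, PORT_HINTS[port]) for src, dst, port, _, _ in flows if port in PORT_HINTS]

def scan(flows):
    """Flag every flow whose first payload fingerprints as a VPN protocol."""
    hits = []
    for src, dst, port, proto, payload in flows:
        verdict = classify(port, proto, payload)
        if verdict:
            hits.append((src, dst, port, verdict))
    return hits

# Constructed first packets (bodies zeroed where the fingerprint does not inspect them).
WG_INIT = b"\x01\x00\x00\x00" + bytes(144)                       # 148-byte handshake initiation
OVPN_TCP = struct.pack("!H", 14) + b"\x38" + b"\x8a\x7f\x01\x23\x45\x67\x89\xab" + b"\x00" + bytes(4)
IKE_INIT = struct.pack("!QQBBBBII", 0x1122334455667788, 0, 33, 0x20, 34, 0x08, 0, 32) + b"\x00\x00\x00\x04"
TLS_HELLO = b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03" + bytes(32)   # ordinary HTTPS ClientHello prefix
DNS_QUERY = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"

SAMPLE_FLOWS = [
    ("10.0.0.11", "203.0.113.10", 51820, "udp", WG_INIT),    # WireGuard on its default port
    ("10.0.0.12", "203.0.113.20", 443, "tcp", OVPN_TCP),     # OpenVPN hiding on TCP 443
    ("10.0.0.13", "203.0.113.30", 443, "tcp", TLS_HELLO),    # real HTTPS, must not be flagged
    ("10.0.0.14", "198.51.100.5", 500, "udp", IKE_INIT),     # IKEv2/IPsec handshake
    ("10.0.0.15", "192.0.2.53", 53, "udp", DNS_QUERY),       # plain DNS to the filtering resolver
    ("10.0.0.16", "203.0.113.40", 443, "udp", WG_INIT),      # WireGuard moved to UDP 443
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_FLOWS):
        print("VPN fingerprint:", hit)
    print("port-only rule would have caught:", port_only(SAMPLE_FLOWS))
```

On the sample flows the fingerprint catches both tunnels parked on 443 and leaves the real TLS and DNS flows alone, while the port rule sees only the two tunnels on default ports. The limit is the obfuscation layer mentioned above: a provider's "stealth" mode wraps the handshake so that none of these byte patterns appear, and at that point only the DNS-level block on the provider's hostnames, an egress allow-list, or device policy is left.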

Step 4: Why VPNs Bypass Content Filters

VPNs pose significant obstacles to DNS-based filtering because they:

  • Encrypt all traffic, including DNS requests, so your filtering DNS resolver never sees the queries
  • Hide website visits: the actual domains being accessed are invisible to the local network
  • Bypass category filters: adult content, gaming, social media, and other blocked categories become accessible
  • Use their own DNS: the VPN client pushes the provider's resolvers, reached inside the tunnel, so your configured DNS is never consulted

In short, once a tunnel is up, your network's DNS filtering is ineffective for that device, because the encrypted tunnel carries traffic past every network-level control. The window you keep is the moment before the tunnel exists: the client still has to look up the VPN server's hostname and open a connection to the server's address and port on the open network, and that is what the mitigations below target.

Step 5: Mitigation Strategies

Since DNS filtering alone cannot stop every VPN, a layered defense is recommended:

  • DNS-level VPN blocking: CleanBrowsing's VPN category blocks access to known VPN provider domains, preventing users from downloading clients, signing up, or resolving the server hostnames the client connects to. A client that already has the server's IP address hard-coded is not stopped at this layer.
  • Firewall-level blocking: Block the default VPN ports (UDP/TCP 1194, UDP 51820, UDP 500, 4500 and 1701) and the ESP IP protocol (50) at your router or firewall. Because tunnels can be moved to port 443, this works far better as an egress allow-list (deny all outbound traffic except the ports you actually need) than as a short deny-list.
  • App monitoring: Monitor devices for unauthorized VPN app installations, especially on managed school or business devices
  • Device policies: Use device management to prevent users from installing VPN software, adding VPN profiles, or changing DNS settings
  • Disable browser DoH: DNS-over-HTTPS is not a VPN (it carries only DNS queries, not the rest of the traffic), but it sends those queries to a third-party resolver over HTTPS, so the filtering resolver never sees them. Turn it off with browser policy (Firefox's DNSOverHTTPS policy, Chrome and Edge's DnsOverHttpsMode policy set to off), block outbound TCP 853 to stop DNS-over-TLS as well, and have your resolver answer Firefox's canary domain use-application-dns.net with NXDOMAIN so Firefox does not enable DoH by default on your network.
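
The DNS-level block and the DoH canary in the list above both come down to what the filtering resolver answers. The following is an added example of that resolver-side policy, not CleanBrowsing's implementation: it parses a query from the wire, returns NXDOMAIN for Firefox's use-application-dns.net canary, sinkholes VPN provider and public DoH hostnames to 0.0.0.0, and hands everything else upstream. The VPN_DOMAINS and DOH_DOMAINS sets are illustrative stand-ins for a maintained category feed, and the queries it is run on are constructed test input.

```python
# Added example (not CleanBrowsing's implementation): the resolver-side policy behind
# "DNS-level VPN blocking" and keeping Firefox on the network resolver. It parses a
# DNS query from the wire, decides an action, and builds the answer. The domain sets
# are illustrative stand-ins for a maintained category feed; the queries at the bottom
# are constructed test input.
import struct

VPN_DOMAINS = {"nordvpn.com", "expressvpn.com", "protonvpn.com"}      # providers named on this page
DOH_DOMAINS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}     # public DoH endpoints
# Firefox resolves this canary before turning DoH on by default; NXDOMAIN keeps it off.
FIREFOX_CANARY = "use-application-dns.net"
SINKHOLE_IP = bytes([0, 0, 0, 0])

def _matches(qname: str, domains: set) -> bool:
    """Exact or subdomain match: www.nordvpn.com is caught, nordvpn.com.example.test is not."""
    return any(qname == d or qname.endswith("." + d) for d in domains)

def parse_question(query: bytes):
    """Return (qname, qtype, question_length) from a standard uncompressed query."""
    if len(query) < 12 or struct.unpack("!H", query[4:6])[0] != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        n = query[pos]
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        pos += 1
        if n == 0:
            break
        labels.append(query[pos:pos + n].decode("ascii").lower())
        pos += n
    qtype = struct.unpack("!H", query[pos:pos + 2])[0]
    return ".".join(labels), qtype, pos + 4 - 12

def decide(query: bytes):
    """Map a query to (qname, action) with action one of: nxdomain, sinkhole, forward."""
    qname, _qtype, _ = parse_question(query)
    if qname == FIREFOX_CANARY:
        return qname, "nxdomain"
    if _matches(qname, VPN_DOMAINS | DOH_DOMAINS):
        return qname, "sinkhole"
    return qname, "forward"

def respond(query: bytes):
    """Build the wire response for blocked names; None means forward upstream unchanged."""
    _qname, qtype, qlen = parse_question(query)
    _, action = decide(query)
    if action == "forward":
        return None
    txid = query[:2]
    rd = struct.unpack("!H", query[2:4])[0] & 0x0100          # echo the client's RD bit
    question = query[12:12 + qlen]
    if action == "nxdomain":
        flags = 0x8000 | rd | 0x0080 | 3                      # QR, RD, RA, RCODE=3 (NXDOMAIN)
        return txid + struct.pack("!HHHHH", flags, 1, 0, 0, 0) + question
    # Sinkhole: answer A queries with 0.0.0.0 and a short TTL; other types get an empty NOERROR.
    flags = 0x8000 | rd | 0x0080
    answer = b""
    if qtype == 1:
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + SINKHOLE_IP
    return txid + struct.pack("!HHHHH", flags, 1, 1 if answer else 0, 0, 0) + question + answer

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Constructed test input: a plain recursive query for `name`."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def rcode(response: bytes) -> int:
    """RCODE from a response header (0 NOERROR, 3 NXDOMAIN)."""
    return struct.unpack("!H", response[2:4])[0] & 0x0F

if __name__ == "__main__":
    for name in (FIREFOX_CANARY, "www.nordvpn.com", "dns.google", "example.com"):
        print(name, "->", decide(build_query(name))[1])
```

Two caveats follow from the design. The canary only steers Firefox's default-on rollout; a user who has switched DoH on explicitly ignores it, which is why the browser policy in the list above still matters. And sinkholing a hostname only helps when the client asks for it: a VPN client that ships its server IPs, or a browser with a DoH bootstrap address configured, never sends the query, so the firewall and device-policy layers stay necessary.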

For a detailed walkthrough, see our guide on How to Block VPN Access on your network.
