Can ISPs Block VPN Connections?

VPNs are awesome tools – they help you unblock geo-restricted content, stop bandwidth throttling, secure your data, and so much more. 

Not to mention they stop your ISP from snooping on your web traffic. Though, you have to wonder – can ISPs block VPN connections if they want to? Assuming they have a problem with you using a VPN in the first place.

Well, we hate to be the bearers of bad news, but yes, they can do that. We’ll show how they can do it, offer some solutions, and answer some relevant questions.

How Can ISPs Block VPN Connections?

As far as we can tell, there are four scenarios in which your ISP can block your VPN connection:

1. They Block the VPN Server’s IP Address

Let’s start with the most likely thing to happen. Now, there’s a lot of wrong info going around online about this, and we have actually seen some people claim that ISPs can’t do this.

It’d be nice if they couldn’t, don’t get us wrong. But there’s nothing stopping them from doing it. Don’t forget – your ISP will always see the destination of your VPN connection – the VPN server. On their end, it would look something like this:

Connection Source | Connection Destination
Your IP Address   | VPN Server IP Address

All they have to do is use a firewall to block that IP address, and you won’t be able to connect to the server anymore.

How does your ISP know you’re connecting to a VPN server?

It’s pretty simple – they normally see an IP address and a DNS resolution (a website name) when they check the destination of your connection. If they only see an IP address, they’ll likely assume it’s a VPN server – especially if your traffic is encrypted.

Besides that, they can just use an IP lookup tool (like WhatIsMyIPAddress) to see who the IP address belongs to. If they see a data center instead of a residential ISP, it’s pretty obvious they’re dealing with a VPN server.

For example, our Latvian VPN server returns 2 Cloud Ltd. as the ISP. A simple Google search will lead you to their website, which makes it obvious it’s a data center.

Solution

The easiest way to get around this problem is to just connect to another VPN server. You’ll get a new IP address that isn’t blocked by their firewall.

Of course, if your ISP blocks all the IPs you connect to, you won’t be able to use the VPN anymore. Though, it’s very unlikely they’ll bother keeping up with all the servers you’re connecting to.

2. They Block the Port Used by the VPN Connection

Like the VPN server IP address, your ISP can also see which port the VPN uses. If they deem it a non-essential port, they can easily block it, shutting down your VPN access.

For example, they could shut down port 1194 (OpenVPN), UDP ports 500 and 4500 (IPsec & IKEv2), and port 1701 (L2TP).

Solution

The best thing to do is use port 443. It’s the HTTPS port, so your ISP can’t really block it. If they were to do it, they’d shut off pretty much all your web access.

But not all VPN protocols can use port 443. Luckily, the ones that can are really secure:

So use one of them (we personally recommend OpenVPN) to avoid this problem. SSTP uses port 443 by default, while OpenVPN requires you to pick that port (1194 is its default port). To do that in CactusVPN, just head to Settings, set VPN Protocol to OpenVPN, and OpenVPN port to 443.

3. They Use DPI to Detect OpenVPN Traffic & Drop Your Connection

DPI stands for Deep Packet Inspection, and it’s a network analysis method that lets your ISP take an in-depth look at your traffic.

Well, if you use OpenVPN (like tons of other VPN users), your connection becomes very susceptible to DPI. 

Why?

Because OpenVPN encryption has a distinctive signature that DPI can pick up. If your ISP were to use a packet sniffer like Wireshark, they might see the connection identified as OpenVPN rather than as plain TCP or UDP traffic.

Once they see your VPN connection, they can simply drop it or block it with a firewall.

Solution

Obfuscation is the only solution in this case. It’s a VPN feature that hides OpenVPN traffic, making it look like regular Internet traffic. It does so by removing VPN-related data from the OpenVPN packet, and assigning port 443 to it.

If you’re a CactusVPN user, you can use obfsproxy to obfuscate your OpenVPN traffic. If you need help to do that, check out our step-by-step tutorials.

You could also try using other protocols, though keep in mind your ISP can still tell you’re using a VPN based on which port is assigned to your packets.

4. You’re Using PPTP & They See Your GRE Packets

PPTP is still pretty popular with some users due to its very fast speeds. However, its low security (don’t forget – its encryption can be cracked) makes it an easy target for any ISP. Unfortunately, its non-standard GRE packets are extremely identifiable. So, your ISP can easily drop or block your connection.
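Scenarios 2 to 4 all come down to what a filter can read from a single packet, and the sketch below puts the three checks side by side. It is an added example, not CactusVPN's code or any ISP's: the function names, sample packets and addresses are constructed, GRE's IP protocol number (47) and the OpenVPN opcode layout are protocol facts the article does not spell out, and the payload check is a simplified heuristic.

```python
import struct

# (IP protocol, destination port) pairs named in the article; 6 = TCP, 17 = UDP.
VPN_PORTS = {(17, 1194): "OpenVPN", (6, 1194): "OpenVPN", (17, 500): "IPsec/IKEv2",
             (17, 4500): "IPsec/IKEv2", (17, 1701): "L2TP"}
GRE = 47                  # IP protocol number of the GRE packets PPTP sends
HARD_RESET_CLIENT_V2 = 7  # OpenVPN opcode that opens a new session

def is_openvpn_reset(proto, payload):
    """Payload check: does this look like an OpenVPN client hard reset?"""
    if proto == 6:  # over TCP, OpenVPN prefixes each packet with a 2-byte length
        if len(payload) < 2 or struct.unpack("!H", payload[:2])[0] != len(payload) - 2:
            return False
        payload = payload[2:]
    # First byte: opcode in the high 5 bits, key_id (0 on a new session) in the low 3.
    return len(payload) >= 14 and payload[0] == HARD_RESET_CLIENT_V2 << 3

def classify(pkt):
    """Label one unfragmented IPv4 packet: protocol number, then payload, then port."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or (pkt[0] & 0x0F) < 5:
        return "unparsed"
    proto, l4 = pkt[9], pkt[(pkt[0] & 0x0F) * 4:]
    if proto == GRE:
        return "GRE (PPTP)"
    if proto not in (6, 17) or len(l4) < (20 if proto == 6 else 8):
        return "other"
    dport = struct.unpack("!H", l4[2:4])[0]
    header_len = (l4[12] >> 4) * 4 if proto == 6 else 8
    if is_openvpn_reset(proto, l4[header_len:]):
        return f"OpenVPN (payload signature, port {dport})"
    return VPN_PORTS.get((proto, dport), "unclassified")

# Everything below is constructed sample traffic (documentation addresses, zero checksums).
def ipv4(proto, body):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7])) + body

def udp(dport, data):
    return struct.pack("!HHHH", 40000, dport, 8 + len(data), 0) + data
def tcp(dport, data):
    return struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, 0x50, 0x18, 65535, 0, 0) + data

RESET = bytes([0x38]) + bytes(range(8)) + bytes(5)  # opcode, session id, no ACKs, packet id 0
SAMPLES = [ipv4(GRE, bytes(12)), ipv4(17, udp(500, bytes(28))),
           ipv4(6, tcp(443, b"\x16\x03\x01\x00\x05hello")),  # TLS-like record
           ipv4(6, tcp(443, struct.pack("!H", len(RESET)) + RESET))]

if __name__ == "__main__":
    print(*map(classify, SAMPLES), sep="\n")
```

The last two samples both go to TCP port 443, yet only the TLS-like one comes back unclassified: moving OpenVPN to port 443 gets past the port check but not the payload check.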

Solution

It’s pretty obvious – don’t use PPTP. Any other protocol would work well since they all offer better security than PPTP. If you’d like some recommendations, try OpenVPN, IKEv2, WireGuard®, or SSTP instead.

With CactusVPN, you get to pick between five VPN protocols besides PPTP. So you should have no problem finding a better alternative.

Can ISPs Block VPN Connections That Are Double or Multihop?

Yes, they can definitely do that. A double/multihop VPN just involves you using additional VPN servers. Your ISP will still be able to see your connection to the first server. All they need to do is block it, and the whole double/multihop chain crumbles.

Why Would ISPs Block VPNs?

It’s hard to say. Maybe it’s just a misunderstanding – in which case you should give them a call to sort the problem out.

But sometimes, ISPs block VPN connections for the following reasons:

  • They’re worried their customers use VPNs to do illegal things online (a common misconception).
  • They think you’re downloading illegal torrents.
  • Your ISP doesn’t appreciate the fact that you’re bypassing bandwidth throttling, and using up too much data.
  • The government forces them to block VPNs.
  • The government forces them to censor specific sites. So they also block VPNs to make sure their customers don’t unblock said websites.
  • They don’t like that you’re using a VPN to hide your web browsing. That’s data they could sell for a profit to advertisers, after all.
  • Your ISP just straight out has a problem with VPNs.

If you know why else an ISP would block VPNs, please let us know in the comments.

Can ISPs Crack VPN Encryption?

Okay, so ISPs blocking VPNs is a possibility, but the encryption is safe, right?

Normally, yes. ISPs shouldn’t be able to crack VPN encryption – especially the AES cipher.

Of course, if you’re using PPTP, there’s a chance they could break it. Don’t forget – PPTP encryption is extremely weak.

If you’re not using PPTP, you don’t have anything to worry about – as long as you don’t live in or travel through Kazakhstan, that is.

Why’s that?

Because the government is actually intercepting HTTPS traffic there. To comply with the authorities’ requests, national ISPs had to force their users to install government-issued certificates on their devices. 

Once in place, those certificates allow Kazakh authorities to intercept and decrypt HTTPS traffic. They then look at the contents, re-encrypt the data, and send it on its way. 

It’s hard to say if those certificates let them decrypt VPN encryption too. But at the very least, they let them detect VPN connections (even obfuscated ones), so they can easily drop or block them.

Can You Use Tor to Unblock VPNs?

Sure, you could use Tor to bypass a VPN block on your ISP’s network, but this is sadly a temporary fix (and an inconvenient one since the speed will be really slow).

How long does this fix last?

Until your ISP decides to block Tor too. They can see the Tor IP you’re connecting to, so they can just blacklist it. The same goes for using other VPNs and proxies to access the initial VPN server that got blocked.

Besides that, they could also use services like Plixer and NETRESEC to detect Tor traffic.

Need a Reliable VPN?

If you’re not worried about your ISP blocking VPN connections, and are looking for a decent service that can protect your data and help you unblock tons of websites, we have you covered.

CactusVPN offers military-grade encryption, high-speed servers with unlimited bandwidth, and user-friendly apps that work on the most popular devices.

We also offer a Smart DNS service that unblocks 310+ sites from around the world and obfuscation through obfsproxy.

Special Deal! Get CactusVPN for $3.5/mo!

And once you do become a CactusVPN customer, we’ll still have your back with a 30-day money-back guarantee.

Can ISPs Block VPN Traffic? The Bottom Line

Yes, they can. Usually, they block the VPN server’s IP address or the port the VPN connection uses. Other times, they might even use DPI to detect OpenVPN traffic.

Luckily, getting around those VPN blocks isn’t too hard. We already showed you how to bypass them, but we’d like to hear from you as well. So how do you handle ISPs that block VPN connections? Please let us know in the comments.

Design vector created by macrovector – www.freepik.com

Tim has been writing content and copy for a living for over 4 years, and has been covering VPN, Internet privacy, and cybersecurity topics for more than 2 years. He enjoys staying up-to-date with the latest in Internet privacy news, and helping people find new ways to secure their online rights.