How VPNs Are Blocked Worldwide: Methods and Examples

How VPN Blocking Works Around the World

Restrictions on VPN usage are often considered a part of the broader phenomenon of internet censorship. For most users, VPN technology is primarily used to maintain online anonymity, prevent ISPs and website administrators from collecting personal data, and access restricted content. Blocking access to content based on resource addresses and network nodes (such as IP addresses or domain names) is simpler than blocking at the level of transmitted network packets. However, such address-based blocks can be bypassed using VPNs by routing traffic so it “exits” elsewhere, often in another country.

As a result, after address-based blocks are implemented, the next step may be packet-level blocking. This allows, for example, the blocking of VPN traffic associated with specific protocols, regardless of the server it’s addressed to. Currently, reports from internet users and activists indicate that VPN access is often blocked “by address” (blocking traffic to VPN entry points—servers that accept user connections). There have also been reports of blocking traffic “by port,” but this method is relatively easy to bypass by switching to another port, which is much less costly than changing protocols or even IP addresses.

To block at the packet level, ISPs (or other intermediaries, such as national traffic monitoring centers) need to analyze the traffic. This is done using Deep Packet Inspection (DPI) technology. DPI allows, for example, the blocking of only those packets related to VPN traffic or direct access to banned resources. If the packet content is unencrypted, no additional tools are needed for analysis, and decisions to block can be made based on the packet’s content or group of packets.

For analyzing encrypted data, an intermediary may be inserted that can decrypt the traffic: the client is made to encrypt its traffic to that intermediary using certificates from a self-signed certificate authority supplied by the ISP, rather than to the real destination. This is essentially the well-known “man-in-the-middle” (MITM) attack, but here the “attacker” is the ISP itself. However, this approach requires users to voluntarily install these fake certificate authorities, so it’s not widespread (with isolated cases reported in Kazakhstan and China).

A variation of this method, which does not require user participation, is when a government creates its own “legitimate” certificate authorities (CAs) that are included in the trusted lists of browsers and operating systems. If such CAs are discovered, they are usually removed from those lists. This situation is possible because of how certificate issuance works: any trusted CA can sign a certificate for any domain or IP, and clients typically check neither whether a certificate was re-issued nor whether another certificate for the same domain/IP already exists elsewhere, since enforcing such checks would cause issues in normal use.

Even without decrypting encrypted packets, it’s possible to analyze and filter them based on metadata (service information about the packet). Often, just using metadata is enough to accurately determine the protocol, allowing for effective blocking. VPN protocols (and most messengers) are vulnerable to such blocking without additional obfuscation technologies, as they weren’t originally designed to withstand active network interference.

DPI technologies based on probabilistic analysis don’t identify VPN traffic with 100% accuracy, but blocking even some packets can significantly degrade VPN connection quality. A downside of DPI-based filtering is false positives, where regular user packets are blocked because they resemble VPN traffic to the analyzer.

To balance government requirements and minimize user dissatisfaction, DPI filters are subject to increasingly strict quality standards. At the same time, traffic obfuscation tools are becoming more popular and advanced, leading to an “arms race”: DPI technologies become more reliable, but so do obfuscation methods (like Shadowsocks, obfs4, and others).

How VPNs Are Blocked in Different Countries

Available data on VPN blocking in various countries is fragmented. Governments and ISPs rarely make public statements or provide technical details about such blocks. There is no global monitoring of VPN blocking (the Russian project Global Check aims to fill this gap). VPN blocking is usually considered part of overall internet censorship, not as a separate issue.

As mentioned, DPI-based VPN blocking is typically implemented after address-based blocking systems are in place. This is because only a minority of users rely on VPNs, and DPI filtering requires expensive equipment. As a result, active VPN blocking is mainly seen in a small number of authoritarian countries. According to a 2021 study by Comparitech, VPN use is restricted or blocked (either intentionally or partially) in the following countries:

  • Belarus
  • North Korea
  • Turkmenistan
  • Turkey
  • Iraq
  • Iran
  • Russia (partial restrictions)
  • Oman (partial restrictions)
  • UAE (partial restrictions)
  • China (partial restrictions)

In most of these countries, VPN restrictions target technologies or service providers rather than being strictly enforced by law. However, in Belarus, North Korea, Turkmenistan, Turkey, Iraq, and Iran, VPN use is legally banned (though this doesn’t always mean the law is regularly enforced against ordinary users). Partial legal restrictions also exist in Russia, Oman, the UAE, and China.

Among these, China has the most advanced internet censorship system, known as the Great Firewall. Unlike North Korea, China is not isolated from the rest of the world. The system filters both domestic and cross-border traffic, which passes through several checkpoints. Filtering mechanisms are usually located not at the border itself, but in border networks (autonomous systems) or provincial networks, depending on the ISP.

VPN blocking in China uses a combination of methods:

  • Blocking access to VPN provider websites
  • Blocking known VPN entry points by IP address
  • Blocking traffic on ports used by VPN protocols (e.g., port 1194 for OpenVPN)
  • Analyzing and blocking traffic using DPI
  • Quality of service filtering (“throttling” suspicious connections based on assigned scores, with a certain percentage of traffic blocked)

It’s believed that the system can detect double encryption (e.g., HTTPS over SSH) by analyzing packet entropy. Encrypted packets consist of random-looking byte sequences, which can be statistically analyzed to identify VPN traffic. A distinctive feature of China’s DPI system is that traffic is filtered after passing through the system’s nodes: packets are copied to a separate device for analysis, and if a decision to block is made, a forged TCP RST packet is sent to both parties. The system is stateful, allowing it to break connections after analysis and block repeated attempts by assigning timeouts.
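The metadata-based classification described earlier (accurate enough to be useful, but prone to false positives) and the entropy analysis mentioned here can be illustrated with a small model. The following Python is an added example, not code from the original article or from any real DPI product: it computes Shannon entropy over constructed sample payloads, uses a TLS record-header check to separate HTTPS from opaque traffic, and shows the false positive the article warns about, since a gzip-compressed HTTP body is just as high-entropy as ciphertext. The threshold of 7.5 bits per byte and the sample payloads are assumptions chosen for the demonstration.

```python
"""Simplified DPI-style heuristics: entropy and TLS record-header checks (added example)."""
import gzip
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_tls_record(data: bytes) -> bool:
    """True if the payload starts like a TLS record: content type 0x14..0x17, major version 3."""
    return len(data) >= 3 and data[0] in (0x14, 0x15, 0x16, 0x17) and data[1] == 0x03


def classify(payload: bytes, threshold: float = 7.5) -> str:
    """Crude classifier: 'tls', 'opaque' (candidate tunnel traffic) or 'plaintext'."""
    if is_tls_record(payload):
        return "tls"
    if shannon_entropy(payload) >= threshold:
        return "opaque"
    return "plaintext"


def build_samples() -> dict:
    """Constructed payloads (not real captures); seeded so results are reproducible."""
    rng = random.Random(2024)
    words = [f"word{i}" for i in range(50)]
    text = " ".join(rng.choice(words) for _ in range(3000)).encode()
    # Uniform random bytes stand in for the body of an encrypted tunnel packet.
    tunnel = bytes(rng.getrandbits(8) for _ in range(2000))
    # Handshake record header (0x16), version 3.1, length 32, then opaque body.
    tls_hello = bytes([0x16, 0x03, 0x01, 0x00, 0x20]) + bytes(rng.getrandbits(8) for _ in range(32))
    return {
        "http_request": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
        "tls_client_hello": tls_hello,
        "tunnel_packet": tunnel,
        "gzip_http_body": gzip.compress(text),  # legitimate content that still looks opaque
    }


def classify_samples() -> dict:
    """Run the classifier over every constructed sample."""
    return {name: classify(payload) for name, payload in build_samples().items()}


if __name__ == "__main__":
    for name, payload in build_samples().items():
        print(f"{name:18} entropy={shannon_entropy(payload):.2f} bits/byte -> {classify(payload)}")
```

The compressed HTTP body lands in the same "opaque" bucket as the tunnel packet, which is exactly why a censor using entropy alone must either tolerate collateral blocking or add further features (packet sizes, timing, flow direction) before deciding.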

China also uses active probing: when a connection to a “suspicious” IP is detected, the system sends a request to that node. If it confirms it’s a VPN entry point, it blocks it. This can be bypassed using obfs4 technology, which uses an out-of-band shared secret for authentication (for example, a code sent via SMS in two-factor authentication).
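The reason an out-of-band shared secret defeats active probing can be shown with a minimal model of a probe-resistant server. The following Python is an added example written for this article; it is not obfs4's actual handshake (which additionally uses elliptic-curve key exchange and timing tricks) but a simplified stand-in that keeps the property that matters here: a connecting party must prove knowledge of a secret that never crosses the wire, and anyone else, including a censor's prober, receives nothing that identifies the service. The secret value, message layout and `ProbeResistantServer` class are assumptions of the example.

```python
"""Model of a probe-resistant handshake keyed by an out-of-band secret (added example)."""
import hashlib
import hmac
import os

NONCE_LEN = 32
TAG_LEN = 32


def client_hello(secret: bytes) -> bytes:
    """First message: random nonce || HMAC-SHA256(secret, nonce).

    Both halves look like uniform random bytes to an observer, so the message
    carries no protocol fingerprint; only someone holding `secret` can produce it.
    """
    nonce = os.urandom(NONCE_LEN)
    tag = hmac.new(secret, nonce, hashlib.sha256).digest()
    return nonce + tag


class ProbeResistantServer:
    """Answers only to clients that prove knowledge of the shared secret."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen_nonces = set()  # reject replays of a captured client hello

    def handle(self, first_message: bytes):
        """Return a reply for authenticated clients, or None (stay silent) otherwise."""
        if len(first_message) != NONCE_LEN + TAG_LEN:
            return None
        nonce, tag = first_message[:NONCE_LEN], first_message[NONCE_LEN:]
        expected = hmac.new(self.secret, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # unauthenticated prober: behave like a dead or unrelated host
        if nonce in self.seen_nonces:
            return None  # replayed hello (e.g. a prober re-sending a sniffed message)
        self.seen_nonces.add(nonce)
        # Reply is bound to the client's nonce so it cannot be pre-computed by an observer.
        return hmac.new(self.secret, b"server-ack" + nonce, hashlib.sha256).digest()


def demo() -> dict:
    """Exercise the model: real client, prober guessing, prober replaying."""
    secret = b"example-secret-delivered-out-of-band"  # constructed value
    server = ProbeResistantServer(secret)
    hello = client_hello(secret)
    return {
        "client_with_secret": server.handle(hello) is not None,
        "prober_plain_http": server.handle(b"GET / HTTP/1.1\r\nHost: x\r\n\r\n") is not None,
        "prober_wrong_secret": server.handle(client_hello(b"guess")) is not None,
        "prober_replay": server.handle(hello) is not None,
    }


if __name__ == "__main__":
    for case, replied in demo().items():
        print(f"{case:20} server replied: {replied}")
```

Only the party holding the secret ever gets a reply, so the prober's follow-up request described in the article sees the same behaviour it would see from an unrelated, unresponsive host and learns nothing from it.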

Known VPN protocols blocked in China include:

  • OpenVPN – blocked during the handshake phase. If the tls-crypt option is used, which protects against such blocking, tunnel traffic is throttled to 56 Kbps.
  • IPSec (with other protocols) – blocked during handshake or also throttled.
  • TLS (not a VPN protocol, but used for connections) – analyzed to separate HTTPS from other uses, which are blocked.

As a result, only a few major VPN services provide relatively reliable connections from China. Since at least 2016, Russia’s Roskomnadzor has cooperated with its Chinese counterpart to study and adopt their practices (source).

VPN Blocking in Turkmenistan: A Comparison

Turkmenistan also severely restricts internet access but lacks China’s technical resources. The country has only one ISP—state-owned TurkmenTelecom—and no dedicated internet regulatory body. In September 2019, a state cybersecurity agency was reportedly created after the president signed a relevant law.

Address-based blocking (by domain and IP) is common, and attempts to access blocked resources can result in users being summoned by authorities, meaning user requests are monitored. Information about VPN blocking is limited due to the closed nature of the society.

In October 2019, Turkmen VPN users reported blocks. Earlier in 2019, VPN use was restricted by blocking VPN apps in the Android Play Store and disabling SIM cards of users who installed these apps. Since 2017, authorities have also monitored those who change SIM cards to bypass blocks.

Illegal VPN installation services are reportedly widespread in the capital, Ashgabat. Previously, these services were openly offered in mobile phone shops and service centers, but this stopped after fines were introduced. Officially, the government does not acknowledge any blocks.

VPN use in Turkmenistan has long been banned by law. In August 2021, it was reported that users must swear on the Quran not to use VPN services when connecting to the internet.

Technical details of blocking are scarce, but it’s noted that only VPNs that don’t disguise their traffic as HTTPS are blocked. There are reports that blocking software is supplied by the German company Rohde & Schwarz (which also works with Belarusian authorities). This suggests DPI is used, but without the ability to analyze encrypted traffic.
