Using a VPN at school can be very helpful for students who want to use social media, play games, or reach websites blocked by the school’s firewall. Sometimes it is almost mandatory, since system administrators in education are hyper-vigilant in their pursuit of blocking content.
I’ve been on the side of the student before, with my struggles getting Starcraft 2 to work on a school’s connection, but until now I’ve never seen it from the system admin’s point of view. It’s interesting to examine how he tries to block VPNs, and why he ultimately fails.
A Plea for Help?
A Reddit user posted on the K12SYSADMIN subreddit with a question pleading for help.
“I work at a school that has a pretty open network (I hate it, working on fixing…). Last week, for a few reasons, Administration had me block Instagram. We’ve never blocked any social media apps before, mostly just 18+ websites and things like that. The next day I had 60+ students using a VPN. I have Aerohive wireless, Cisco router, and ASA.”
The sysadmin clearly has a problem: the students have figured out that a VPN gets them past the block. He goes on to explain that he has blocked “TCP ports 1723, 47, 1701, 50, and UDP port 500,” yet the VPNs keep working. Two of those numbers are not TCP ports at all: 47 and 50 are the IP protocol numbers for GRE and ESP (the data channels of PPTP and IPsec respectively), and L2TP’s 1701 runs over UDP, so a rule written as “TCP port 47” or “TCP port 50” matches nothing. To go further, he starts blocking all forms of IPsec on the Aerohive wireless. Even after this, traffic keeps increasing and his measures have no visible effect.
Another user points out that the admin’s insistence on blocking VPNs could cause problems for visitors to the school who use a VPN for business reasons. A further user suggests that the same kind of technology used by censoring nation states is driving the development of VPN tools that work so well in schools: “It’s a war of escalation, and at some point school administrators need to be involved to put heavy penalties in place and make examples of students.”
Lo and behold, that same Reddit user advocating heavy penalties is right. Anti-censorship VPNs have evolved, and they are now more effective than ever.
Why Can’t You Block VPNs at School?
So what is the problem? Why can’t this sysadmin block VPN users? Blocking a VPN by its port or protocol is simple in principle, but blocking every VPN without also breaking ordinary web traffic is nearly impossible.
The sysadmin is blocking the well-known VPN TCP and UDP ports, and for some VPNs that is effective, since many of them do use exactly those ports. However, some providers, such as TorGuard (which the sysadmin says he used to test his setup), offer something called Stealth VPN.
When a user connects with TorGuard’s Stealth VPN, the tunnel is wrapped to look like regular SSL/TLS traffic and runs over the port HTTPS uses. From an IT admin’s perspective, it looks like the user is simply browsing HTTPS sites. This is why, after he blocked IPsec, users were still reaching the blocked content, and he couldn’t even tell, because nothing about the flow said “VPN”; it just looked like normal traffic. Telling such a tunnel apart from legitimate HTTPS takes more than port rules: blocking port 443 outright breaks the web, so what remains is deep packet inspection or TLS fingerprinting, blocking the VPN provider’s server addresses, or the policy response the Reddit user suggested.
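To make both points concrete (the mislabelled port list above, and the reason a TLS-wrapped tunnel on 443 slips through), here is an added example that is not from the Reddit thread, TorGuard, or any vendor. It applies the sysadmin’s block list as he wrote it, and a corrected version, to constructed flow records, then runs a crude duration-and-volume heuristic over the 443 flows. The flow records, the `Flow` class, the function names and the heuristic thresholds are all my own assumptions for illustration.

```python
"""Port/protocol blocking versus a TLS-wrapped VPN: an illustrative model.

Added example (not from the Reddit thread or any vendor). Flow records are
constructed to stand in for what a firewall or NetFlow collector would log.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    name: str
    proto: str       # "tcp", "udp", or a port-less IP protocol: "gre", "esp"
    dst_port: int    # 0 for port-less protocols
    seconds: int     # how long the flow stayed up
    bytes_in: int    # server -> client
    bytes_out: int   # client -> server


# Constructed sample flows (assumption: one student session of each kind).
FLOWS = [
    Flow("pptp-control", "tcp", 1723, 900, 40_000, 30_000),
    Flow("pptp-data (GRE)", "gre", 0, 900, 50_000_000, 8_000_000),
    Flow("l2tp/ipsec IKE", "udp", 500, 5, 4_000, 4_000),
    Flow("l2tp/ipsec NAT-T", "udp", 4500, 900, 60_000_000, 9_000_000),
    Flow("ipsec ESP", "esp", 0, 900, 60_000_000, 9_000_000),
    Flow("openvpn default", "udp", 1194, 900, 45_000_000, 7_000_000),
    Flow("stealth vpn (TLS on 443)", "tcp", 443, 1800, 70_000_000, 12_000_000),
    Flow("ordinary https page", "tcp", 443, 3, 350_000, 9_000),
]

# The list as the sysadmin wrote it: "TCP ports 1723, 47, 1701, 50, UDP 500".
# 47 and 50 are IP protocol numbers (GRE, ESP), so as TCP ports they match
# nothing; L2TP's 1701 is UDP, so "TCP 1701" misses it as well.
AS_WRITTEN = {("tcp", 1723), ("tcp", 47), ("tcp", 1701), ("tcp", 50),
              ("udp", 500)}

# What those numbers were presumably meant to express, plus UDP 4500 for
# IPsec NAT traversal. OpenVPN's default UDP 1194 was never on his list.
CORRECTED = {("tcp", 1723), ("gre", 0), ("udp", 1701), ("esp", 0),
             ("udp", 500), ("udp", 4500)}


def rule_key(flow: Flow) -> tuple:
    """Port-less protocols are matched on protocol alone."""
    port = flow.dst_port if flow.proto in ("tcp", "udp") else 0
    return (flow.proto, port)


def blocked_by(rules: set, flows: list) -> list:
    """Names of the flows a port/protocol block list would drop."""
    return [f.name for f in flows if rule_key(f) in rules]


def tunnel_candidates(flows: list, min_seconds: int = 600,
                      min_upload: int = 1_000_000) -> list:
    """Crude heuristic (my assumption, not anything the sysadmin ran): a
    single TCP/443 flow that stays up for many minutes and pushes megabytes
    upstream looks more like a tunnel than like page loads. Video calls and
    cloud backups will trip it too, so treat hits as leads, not verdicts."""
    return [f.name for f in flows
            if f.proto == "tcp" and f.dst_port == 443
            and f.seconds >= min_seconds and f.bytes_out >= min_upload]


if __name__ == "__main__":
    print("blocked as written: ", blocked_by(AS_WRITTEN, FLOWS))
    print("blocked (corrected):", blocked_by(CORRECTED, FLOWS))
    print("443 tunnel leads:   ", tunnel_candidates(FLOWS))
```

Run as written, the original list stops only the PPTP control channel and IKE; the corrected list also drops GRE, ESP and NAT-T, but neither version touches the OpenVPN flow or the 443 tunnel, which are identical to ordinary HTTPS at the port level. The heuristic is what separates the Stealth flow from the web page in this sample, and it does so on behaviour (duration and upload volume), which is exactly the kind of signal a port rule cannot see.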