Can a network administrator see that you are using a Stealth VPN?

Hi everyone,

For the people that want to keep it short: Can a network administrator see that you are using a Stealth VPN, maybe with a deep packet inspection?

Long version:

I just bought a VPN service to use when I browse the web, but I noticed that in some places I wasn’t able to connect, like my school, for example. I searched it up and came across stealth VPNs, and I am quite sure that my school is blocking VPN traffic and that a stealth VPN would be the solution. I read that networks can block VPNs by looking at the type of traffic that is going through the router. Therefore, stealth VPNs obfuscate the VPN traffic and make it look like HTTPS traffic. I know that normal VPNs are detectable by a network administrator, and that he/she could see the VPN server’s IP, the client’s IP and some other information. Basically, I was wondering if a network administrator could do the same thing with a stealth VPN? Is there any way in which a network administrator could find out if you are using a stealth VPN, maybe through DPI or other techniques?

Would /r/networking be a more appropriate place to ask this question?

Thanks to everyone in advance :)

Yes.

Now, I don’t know Stealth VPN. You may want an SSL/VPN, because it looks more like web traffic. However, it could still get dropped by an NGFW/IPS if it recognizes the category of the “website” you are connecting to.

The other kinds of VPNs (OpenVPN, IPSec…) have specific behavior recognizable by network security equipment.
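To make the “specific behavior” point concrete, here is an added example (not code from the original thread or from any vendor) of the kind of first-packet fingerprinting a firewall or IPS does. The sample packets are constructed inline from the published wire formats: the OpenVPN opcode/key-id byte (opcode 7 is P_CONTROL_HARD_RESET_CLIENT_V2), the fixed 148-byte WireGuard handshake initiation, and the IKEv2 IKE_SA_INIT header with an all-zero responder SPI. A TLS-wrapped tunnel produces the same leading bytes as an ordinary HTTPS connection, so it only classifies as “tls”, which is why the inspecting box then has to fall back on the destination address or hostname.

```python
import struct

# Constructed sample first packets of a flow (not captured from any real network).

# OpenVPN over UDP, P_CONTROL_HARD_RESET_CLIENT_V2 without tls-auth:
#   byte 0 = opcode (5 bits) << 3 | key_id (3 bits) -> 7 << 3 | 0 = 0x38,
#   8-byte session id, 1-byte packet-id-array length (0), 4-byte packet id (0).
OPENVPN_HELLO = bytes([0x38]) + bytes.fromhex("1122334455667788") + b"\x00" + b"\x00\x00\x00\x00"

# WireGuard handshake initiation: type 1, three reserved zero bytes, then sender index,
# ephemeral key, encrypted static, encrypted timestamp, mac1, mac2 -> always 148 bytes.
WIREGUARD_INIT = b"\x01\x00\x00\x00" + b"\xaa" * 144

# IKEv2 IKE_SA_INIT request: 8-byte initiator SPI, 8-byte zero responder SPI,
# next payload 33 (SA), version 0x20, exchange type 34, flags 0x08 (initiator),
# 4-byte message id 0, 4-byte total length, then a dummy 40-byte SA payload.
IKEV2_INIT = (bytes.fromhex("0123456789abcdef") + b"\x00" * 8
              + bytes([33, 0x20, 34, 0x08]) + b"\x00\x00\x00\x00"
              + struct.pack("!I", 28 + 40) + b"\x00" * 40)

# TLS handshake record carrying a ClientHello. HTTPS to a web site and a
# TLS-wrapped "stealth" tunnel both start like this.
TLS_HELLO = b"\x16\x03\x01\x00\x10\x01\x00\x00\x0c\x03\x03" + b"\x00" * 10


def fingerprint(payload: bytes) -> dict:
    """Classify the first client-to-server packet by protocol structure alone."""
    unknown = {"proto": "unknown", "why": "no known handshake signature"}
    if not payload:
        return unknown

    # TLS: content type 0x16, record version 3.x, handshake type 0x01 (ClientHello)
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x03 and payload[5] == 0x01):
        return {"proto": "tls", "why": "handshake record carrying a ClientHello"}

    # OpenVPN: opcode 7 (V2) or 10 (V3) client hard reset with key id 0
    opcode, key_id = payload[0] >> 3, payload[0] & 0x07
    if opcode in (7, 10) and key_id == 0 and len(payload) >= 14:
        return {"proto": "openvpn", "why": f"P_CONTROL_HARD_RESET_CLIENT opcode {opcode}"}

    # WireGuard: fixed-size handshake initiation, message type 1 + reserved zeros
    if len(payload) == 148 and payload[:4] == b"\x01\x00\x00\x00":
        return {"proto": "wireguard", "why": "148-byte handshake initiation, type 1"}

    # IKEv2: zero responder SPI, version 2.0, exchange IKE_SA_INIT, length matches packet
    if (len(payload) >= 28 and payload[8:16] == b"\x00" * 8 and payload[17] == 0x20
            and payload[18] == 34 and struct.unpack("!I", payload[24:28])[0] == len(payload)):
        return {"proto": "ikev2", "why": "IKE_SA_INIT with zero responder SPI"}

    return unknown


if __name__ == "__main__":
    for name, pkt in [("OpenVPN", OPENVPN_HELLO), ("WireGuard", WIREGUARD_INIT),
                      ("IKEv2", IKEV2_INIT), ("TLS / HTTPS-like tunnel", TLS_HELLO)]:
        print(f"{name:24s} -> {fingerprint(pkt)}")
```

Real products match many more fields (packet sizes, timing, the OpenVPN TCP length prefix, tls-crypt variants), but the shape is the same: protocols with a distinctive handshake are recognised from the first packet, while anything that starts with a valid TLS ClientHello needs a second signal, which the following replies describe as category blocking.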

As someone who is intimate with this topic (I consult and work in schools), the short answer is yes.

Long answer is maybe, depending on the firewall type (next-gen, etc.).

Other answer: do you onboard your device to the school wireless network? Assuming yes, you will have a school-issued certificate, which will intercept your traffic.

Now this doesn’t mean that it will be blocked, but it probably will be.

The issue with VPNs in schools isn’t that kids look at tits. It’s the compliance of duty of care within the school boundary. We honestly don’t really care how you are traversing the environment and what you are looking at, but we do worry about duty of care. Keep that in mind…

While it may give you the jollies for a few periods/week it will get locked down and you will move on to the next solution.

Do yourself and your network admins a favor and just don’t do it on the school network. Hotspot your phone, do it at home… honestly, it’s not worth the issue and constant headache to do it at school.

It depends.

Some places use category blocking to prevent VPN usage. If you are using a less popular service (or your own) you may not get blocked.

There are services that create the tunnel inside of an HTTPS session that tend to be harder to block by inspecting traffic.
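Category blocking of an HTTPS-wrapped tunnel mostly hinges on one cleartext field: the server name (SNI) in the TLS ClientHello. The added example below (not from the original thread or any product) uses Python’s `ssl` module to generate a genuine ClientHello in memory, then parses the SNI out of it the way an inspecting proxy would and matches it against a small, constructed category list; the domain names in `VPN_CATEGORY` are placeholders, not a real vendor feed.

```python
import ssl
import struct

# Constructed "VPN" category list, standing in for a vendor's URL-category feed.
VPN_CATEGORY = {"vpn.example.com", "stealth-gateway.example.net"}


def capture_client_hello(server_name: str) -> bytes:
    """Run the client side of a TLS handshake in memory and return the raw ClientHello.

    No socket is opened. The handshake stalls waiting for a ServerHello, and the bytes
    OpenSSL has written so far are exactly the first packet a DPI box sees on the wire.
    """
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: nothing has answered yet
    return outgoing.read()


def extract_sni(record: bytes):
    """Return the server_name from a TLS ClientHello record, or None if not present."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        return None
    try:
        pos = 43  # 5-byte record header + 4-byte handshake header + 2-byte version + 32-byte random
        pos += 1 + record[pos]                                   # session_id
        pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + record[pos]                                   # compression_methods
        if pos + 2 > len(record):
            return None                                          # no extensions block at all
        ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
            pos += 4
            if ext_type == 0:
                # server_name: 2-byte list length, 1-byte name type (0 = host_name),
                # 2-byte name length, then the name itself
                name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
                return record[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += ext_len
    except (IndexError, struct.error):
        return None  # truncated or malformed hello
    return None


def category_verdict(record: bytes) -> str:
    """What a category-blocking proxy would decide from the ClientHello alone."""
    sni = extract_sni(record)
    if sni is None:
        return "allow (no SNI; only the destination IP is left to classify)"
    if any(sni == d or sni.endswith("." + d) for d in VPN_CATEGORY):
        return f"block ({sni} is in the VPN category)"
    return f"allow ({sni})"


if __name__ == "__main__":
    for host in ("vpn.example.com", "www.example.com"):
        hello = capture_client_hello(host)
        print(f"{host:20s} {len(hello)} bytes on the wire -> {category_verdict(hello)}")
```

This is why a “less popular service (or your own)”, as the reply puts it, slips through: the parser still recovers the hostname, but the verdict depends entirely on whether that name (or the IP behind it) is already in the category feed.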

Thanks, I am now going to check out SSL/VPN (even though I’m guessing they are basically the same thing). Also, is the first “yes” answering the question at the beginning?

Thanks for the answer. The reason why I am asking is not to look at “tits” or annoy the network admin (we don’t even have one). Instead, I am asking because I am curious to know how it works and to learn something new. I knew that big services could block the IPs of well-known VPN services so that you would not access a service from another country using a VPN. However, I never knew that networks could literally prevent you from even connecting to your VPN in the first place. I don’t intend to do anything or annoy anyone; rather, I just want to understand what is going on.

Anyway, yes, in our school we all have laptops and are connected wirelessly. Since I always have my VPN on, I quickly noticed that at school it didn’t work and wondered why.

Oh ok. The services you are talking about sound similar to stealth VPNs. I didn’t know about the category blocking, maybe that is it… I think I am going to try and buy a stealth VPN for a month and see if it doesn’t get blocked.

EDIT: From what I have read, category blocking is when popular services like Netflix or TVs don’t allow certain IPs to connect to them, in this case VPN servers’ IPs.

no worries - good luck with the learning.

I suggest researching how next-gen firewalls and IDS solutions do application fingerprinting/identification and are more advanced than a simple protocol/IP-level block/allow setting.

In your research you will see that there are a lot of VPN solutions that use a myriad of technologies to try to connect (e.g. xVPN), and others also contain their VPN traffic in malformed DNS queries.

Some people are super clever with how they do it, and enjoy the learning.
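The DNS trick mentioned above cuts both ways: the encoded payload has to ride in the query names, and that is what a detector keys on. The following added example (not from the original thread or any product) runs a simple DNS-tunnel heuristic over a constructed query log. It groups queries by their parent zone, then flags a zone whose leftmost labels are long, high-entropy and almost never repeated, which is what base32/base64-encoded chunks look like and what ordinary hostnames (`www`, `mail`, `cdn`) do not. Thresholds are illustrative assumptions, and the zone split (strip the leftmost label) is a simplification of what a real tool would do with the public suffix list.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log (names only); not a capture from any real network.
# Normal browsing: a handful of short, repeating labels under each zone.
# Tunnel: every query carries a fresh, long, high-entropy label of encoded data.
SAMPLE_QUERIES = [
    "www.example.com", "www.example.com", "mail.example.com", "cdn.example.com",
    "login.example.com", "static.example.com", "www.example.com",
    "nq3xk7r2mdp9wzt4hcb8vfl5gyj6.tunnel.example.net",
    "a9sd4fgh7jkl2qwe5rty8uio3pzx.tunnel.example.net",
    "b2vn6mxc8zlk3jhg5fds9apo4iuy.tunnel.example.net",
    "t7qaz2wsx5edc9rfv3ygb6uhn4ij.tunnel.example.net",
    "d8plm3okn6ijb9uhv2ygc5tfx4rez.tunnel.example.net",
    "e4xcv7bnm2asd5fgh9jkl3qwe6rty.tunnel.example.net",
    # hashed CDN asset labels: long too, but far too few queries to judge
    "d1f3a9c2e7b4.assets.example.org", "e8b2c4f6a1d3.assets.example.org",
]


def shannon_entropy(s: str) -> float:
    """Bits per character. Encoded random data scores well above 3.5; English-ish labels sit around 2.5-3."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def find_tunnel_candidates(queries, min_queries=5, min_label_len=20,
                           min_entropy=3.5, min_unique_ratio=0.8):
    """Return {zone: stats} for zones whose leftmost labels look like an encoded data channel.

    Thresholds are illustrative assumptions: enough to separate the constructed
    samples, not tuned against real traffic.
    """
    per_zone = defaultdict(list)
    for q in queries:
        label, _, zone = q.rstrip(".").lower().partition(".")
        if zone:  # single-label names carry nothing to group on
            per_zone[zone].append(label)

    flagged = {}
    for zone, labels in per_zone.items():
        if len(labels) < min_queries:
            continue  # not enough evidence either way
        unique = set(labels)
        stats = {
            "queries": len(labels),
            "avg_label_len": sum(map(len, unique)) / len(unique),
            "avg_entropy": sum(map(shannon_entropy, unique)) / len(unique),
            "unique_ratio": len(unique) / len(labels),
        }
        if (stats["avg_label_len"] >= min_label_len
                and stats["avg_entropy"] >= min_entropy
                and stats["unique_ratio"] >= min_unique_ratio):
            flagged[zone] = stats
    return flagged


if __name__ == "__main__":
    for zone, stats in find_tunnel_candidates(SAMPLE_QUERIES).items():
        print(f"suspect zone {zone}: {stats}")
```

In practice this heuristic is one signal among several (query volume per zone, unusual record types such as TXT or NULL, response sizes), because content delivery networks, anti-malware lookups and mail reputation checks also emit long, random-looking labels and will trip a length/entropy rule on their own.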