Last year I did a project for school that involved hosting a web server on a Raspberry Pi; since then, the Pi has been sitting collecting dust. I decided I wanted to do something with it.
After lots of thought, I decided to host my own VPN (to be able to browse the web freely while I was at school) and a DNS server (to speed up my home internet slightly and, mostly, to block ads network-wide).
Using Pi-Hole and PiVPN, I successfully set up my very own gateway to a greater internet experience. The VPN uses the DNS server running on the Pi, and so does my router, great, everything is working… Except I can’t connect to my VPN from my school’s network. When I am on mobile data on my phone it connects fine. Last year I was using a VPN on the same school’s network, through port 443, that worked, but this year they must have patched some holes.
The thing that I don’t understand about this is that I can ping my home network from the school, but, I cannot detect any open ports. I am assuming that all outgoing ports have been blocked since I tried changing the VPN to 80, 443, 1194, and even some random value like 46560. Nothing works, could it be some kind of packet filtering? As you can see I am not an expert in this and am genuinely interested in how this works.
Your school has likely changed its webfiltering service. These services are getting nasty and restrictive.
It may be simply that they’re proxying SSL traffic. Basically, a man-in-the-middle in order to enable the school’s proxy/filter. OpenVPN would barf and refuse to connect. Something like Blue Coat’s Encrypted Traffic Management.
Or, they could be subscribed to a blocklist service and your home IP is blocked (likely all internet providers are blocked). Check out Blue Coat’s blocklist categories for an idea of how blocklists can be finetuned.
Obviously, I hate Blue Coat specifically. But, there are a lot of other companies out there that offer similar services. Using these services is an easy way for schools to protect teh children from the evils of the intrarwebs without having to give much thought or effort.
As someone already mentioned, they probably only permit TCP 80 and 443 and drop them for UDP. You could try setting up a webserver on your home IP and see if they block that just because it’s on a home IP address. You could get a $5/month VM from Digital Ocean or Vultr and set up a VPN there since the IP wouldn’t be a home IP.
Just don’t try. I’m a student myself and trying to evade the filters gets you into more trouble. That being said, what VPN protocol are you running, PPTP, L2TP, IPsec, OpenVPN?
Thanks for the detailed response, wow, I had no idea it was that bad. I checked the Blue Coat blocklist and when I entered the domain name for my server it said it was a DDNS host, which is true; the network probably stops it right there, before it even tries to reach my home IP. What do you think? Is there any way around this?
Since I am connecting to the VPN from my phone, using the school’s public wifi, I am not logged into any type of student account, how would they catch me?
OpenVPN, I was considering PPTP but was advised against it due to the extreme security flaws. I am not really concerned with getting in trouble, it’s only a high school, I have never heard of anyone being confronted before.
You could try using your current home IP address in your client OpenVPN and try to connect. But, I suspect the filter is detecting the SSL and rejecting the packets as they’re not going through the school’s proxy.
Oh… wait… hold up a second. Do you have your OpenVPN server configured to use udp (which is the default)? Switch it (and your client config) to tcp. You may have to switch both over to port 80 as well to get around the school’s firewall.
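The two replies above describe a filter that recognises SSL/TLS on the wire and an OpenVPN server moved from udp onto tcp/80 or 443. Seen from the filter’s side, the reason that move rarely fools a DPI box is that OpenVPN’s handshake does not look like a TLS ClientHello at all. The following is an added example, not code from any poster in this thread: a toy first-packet classifier of the kind a DPI filter applies, using the public TLS record layout and OpenVPN’s documented opcode framing; the sample payloads are constructed, not captured.

```python
"""Toy first-packet classifier: tell a genuine TLS ClientHello from an
OpenVPN handshake arriving on the same port, as a DPI filter would."""

TLS_HANDSHAKE = 0x16            # TLS record content type "handshake"
TLS_CLIENT_HELLO = 0x01         # handshake message type ClientHello
OPENVPN_HARD_RESET_CLIENT_V2 = 7  # opcode of the first packet an OpenVPN client sends


def classify(payload: bytes, transport: str) -> str:
    """Classify the first bytes a client sends on a new flow.

    Returns 'tls-client-hello', 'openvpn-client-reset' or 'unknown'."""
    if transport == "tcp":
        # OpenVPN over TCP prefixes each packet with a 2-byte big-endian length,
        # followed by one byte holding (opcode << 3 | key_id). A fresh session uses key_id 0.
        if len(payload) >= 3:
            length = int.from_bytes(payload[:2], "big")
            opcode, key_id = payload[2] >> 3, payload[2] & 0x07
            if length == len(payload) - 2 and opcode == OPENVPN_HARD_RESET_CLIENT_V2 and key_id == 0:
                return "openvpn-client-reset"
        # A TLS record: type 0x16, version 0x03 0x0{1,2,3}, 2-byte length, then handshake type 0x01.
        if (len(payload) >= 6 and payload[0] == TLS_HANDSHAKE and payload[1] == 0x03
                and payload[2] in (1, 2, 3)
                and int.from_bytes(payload[3:5], "big") == len(payload) - 5
                and payload[5] == TLS_CLIENT_HELLO):
            return "tls-client-hello"
        return "unknown"
    if transport == "udp":
        # Over UDP there is no length prefix; the opcode/key_id byte comes first.
        if payload and payload[0] >> 3 == OPENVPN_HARD_RESET_CLIENT_V2 and payload[0] & 0x07 == 0:
            return "openvpn-client-reset"
        return "unknown"
    raise ValueError("transport must be 'tcp' or 'udp'")


# Constructed sample flows (not real captures): a minimal ClientHello record,
# an OpenVPN client reset without tls-auth (opcode byte, 8-byte session id,
# empty ack array, 4-byte packet id) over TCP and UDP, and plain HTTP.
OPENVPN_RESET_BODY = b"\x38" + b"\x11" * 8 + b"\x00" + b"\x00\x00\x00\x00"
SAMPLE_FLOWS = [
    ("tcp", b"\x16\x03\x01\x00\x06\x01\x00\x00\x02\x03\x03"),
    ("tcp", len(OPENVPN_RESET_BODY).to_bytes(2, "big") + OPENVPN_RESET_BODY),
    ("udp", OPENVPN_RESET_BODY),
    ("tcp", b"GET / HTTP/1.1\r\n"),
]


def classify_samples() -> list:
    return [classify(p, t) for t, p in SAMPLE_FLOWS]


if __name__ == "__main__":
    for (transport, payload), label in zip(SAMPLE_FLOWS, classify_samples()):
        print(f"{transport}/{len(payload):3d} bytes -> {label}")
```

A filter that also terminates TLS (the MITM proxy described above) gets a second signal for free: an OpenVPN client presented with the proxy’s certificate fails its own verification and drops the connection, which is the "barf and refuse to connect" behaviour mentioned earlier.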
It’s possible but damn hard to do actively, especially going through wifi with a lot of other people around you. They can check your MAC address so I would try and spoof it while you are doing your tests for plausible deniability, inside a VM.
Really? I pay for a VPN service and I use it at school simply because they block Github, Gitlab, and Sourceforge, which I need to access code samples for programming projects. I know bypassing the filters is against the Student Code, but would I really be suspended or just get a slap on the wrist for doing actual work at school?
Just tunnel through SSH (maybe even on a different port). There is no way a school would block that. They may have just blocked your IP if it is a high school though.
I’ve only used one purely for remote access, never to evade filters (unless in your case you have a legit reason). If you have a good rapport with your teachers (in my experience) you should be ok.
Really? How did they even know it was you? What I’m doing is just on the school public wifi on my phone so I’m not logged into any student account or anything.