You went too hard man. This is a school, not a f500. Even then, you would only be able to see the traffic headers to the con proxy host unless you were mitm-ing the vpn. You are talking about an on domain device using your ssl certs, he is talking about a tablet that isn’t domain joined.
Your explanation appears to state a misconception. A properly configured VPN is an encrypted tunnel between the client (your pc, tablet, or phone) and the vpn server. Anything done through that tunnel, once the connection is established, is more-or-less invisible to the network you use to connect to the vpn; by this I mean, they know you connected to the VPN and they know how much data is flowing through it after the encryption is applied. They don’t know what the unencrypted data is, nor do they know what the real upstream destination for that traffic is.
Netflix is not allowed to be shown in a classroom due to copyright claims, there are a few special documentaries that are allowed but that is it.
OP is only looking for privacy from their employer, not the government or someone looking to sue.
Any decent VPN will provide DNS
-
IPsec is almost certainly blocked, so it’s probably not a realistic option
-
With the amount of data you’d be talking about, it’d still be pretty obvious to anyone that cared to look. There are legit reasons to have gigabytes of data transfer to an SSL website, but unless OP’s job role requires downloading tons of stuff, it’d look suspicious.
-
A lot of NGFWs keep track of popular VPN server IP addresses, so it’d show up as VPN traffic based on the destination, even though the firewall may not be able to read the traffic.
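As an added illustration of the two signals this comment and the one above it mention (destination reputation and sheer volume to a single TLS endpoint), not code from anyone in the thread; the endpoint list, threshold and flow lines are constructed using documentation IP ranges:

```python
"""Flag likely VPN use from flow summaries: known VPN endpoints and
unusually large transfers to one TLS destination. Hypothetical example;
the endpoint list, threshold and flow log are all constructed."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed stand-in for an NGFW's VPN-endpoint reputation list.
KNOWN_VPN_ENDPOINTS = {"198.51.100.7", "203.0.113.42"}

# Bytes per (src, dst, port) in the window above which a plain-HTTPS
# flow is worth a second look. Illustrative threshold only.
LARGE_XFER_BYTES = 2 * 1024 ** 3  # 2 GiB

# Constructed flow log, one record per line: src dst dport bytes_out
FLOW_LOG = """\
10.20.30.5 198.51.100.7 1194 734003200
10.20.30.9 192.0.2.10 443 6553600
10.20.30.9 192.0.2.10 443 1048576
10.20.30.12 203.0.113.42 443 1610612736
10.20.30.12 203.0.113.42 443 1610612736
10.20.30.15 192.0.2.20 443 3221225472
"""


def parse_flows(text: str) -> List[Tuple[str, str, int, int]]:
    """Parse whitespace-separated flow records, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, nbytes = line.split()
        flows.append((src, dst, int(dport), int(nbytes)))
    return flows


def detect_vpn_indicators(flows) -> List[Dict]:
    """Aggregate bytes per (src, dst, dport) and tag the two signals."""
    totals = defaultdict(int)
    for src, dst, dport, nbytes in flows:
        totals[(src, dst, dport)] += nbytes
    findings = []
    for (src, dst, dport), total in totals.items():
        reasons = []
        if dst in KNOWN_VPN_ENDPOINTS:          # reputation hit
            reasons.append("known-vpn-endpoint")
        if dport == 443 and total >= LARGE_XFER_BYTES:  # volume anomaly
            reasons.append("large-tls-transfer")
        if reasons:
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "bytes": total, "reasons": reasons})
    return sorted(findings, key=lambda f: f["src"])
```

A real firewall would also compare each host against its own baseline and the time of day; a fixed byte threshold is only a starting point.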
No, that would actually make it even simpler to block OP by denying any traffic to that address. Like the guy above said, the school’s net admins could simply block all VPN traffic across the whole student network at the protocol level and they often do, but there are still ways to further encapsulate the traffic and dodge the filter. They’re not as simple as installing Norton 360, though.
If their workplace doesn’t have any rules regarding tor, they could get away with it.
Would you bet your job on it?
Generally, you COULD put your employment at risk for violating acceptable use policies, but it depends on how the policies are written; they could feel justified in terminating your employment. But then again, depending on how the policies are written, you could have legal recourse to sue them for wrongful termination and lost work damages.
These parts very much depend on the “legalese” in those use agreements and acknowledgements you agree to before/during use.
If I valued my employment I wouldn’t risk it. But the rope they give you is for your use only, and if you choose to hang yourself with it, that is your own personal responsibility.
Well, that’s why TOR bridges exist.
And also using DPI they can just altogether block any SOCKS packets. So a bridge like meek is the only way.
It tricks it into thinking that you are accessing something like let’s say Microsoft Azure, when you are actually accessing tor.
Can confirm, we pay $1400USD/m for 200/200 dedicated fiber
This is spot on. Also, because of how many cloud solutions work, the network might not be set up to prioritize the elearning platforms at all. In my experience QoS is generally set up to prioritize UDP traffic, and I know certain cloud applications run on TCP exclusively.
You can download Netflix content for offline viewing too.
Guest network only works if it is a separate internet connection. That’s what we do at my office - our main network (and WiFi) are on one dedicated data line from ISP-Alpha. Our guest/public WiFi is on a data line from ISP-Bravo (that also serves as backup if -Alpha goes down). I’ve got it set up so that only company devices are permitted on the main network and NO company devices are permitted on the guest network (in the event there is a need I’ll white list their laptop temporarily). Users that want to stream can use their own device (tablet, phone, personal laptop) on the guest network. It’s cut down on the issue tremendously.
Tell them about the SSL decryption on domain with every computer they log into now. Really scare the hell out of them.
Sometimes it’s better to allow employees and students to think they are getting away with stuff to see a bigger picture of what’s going on at certain sites in the company.
Block tor? But what about bridges such as meek?
And also specifically how would that work?
Their BYOD policy probably already has a record of the MAC address of every personal device so that it can be whitelisted.
If someone is using a vpn to get round firewall filters or to obscure their activity, that would get an instant ban on my network. There’s no valid reason for it on a work network, if something is blocked and required for your job, then the block can be reviewed.
Using a VPN in that network might be against said acceptable use policy. We don’t know since we have no access to read it. Only OP can read it and comment on that.
If their network management is worth his salary, they will soon notice VPN traffic on the network and start figuring out where it comes from. After all it could be anything not good. Malware, trojan, spyware, hijacked computer.
As I said, here in this school district, it’s not like that… Internal network and Public/Guest networks are both filtered in house before going WAN. Also, Public/Guest is far more restricted.
If it was a corporate or government provided device the machine itself would have its own VPN and would block others, but blocking a VPN on someone’s personal device could be an issue for lawyers. An issue that I wouldn’t want to be involved in.