VPNs and firewalls have a curious relationship. Firewalls exist to deny access to networks and to keep malicious content out. However, VPNs can effectively bypass firewalls. But how do they do it? VPNs construct tunnels and use them to pass through a firewall. However, not all firewalls are easy to circumvent. In this article, we will study the possibility of VPNs subverting firewalls and answer the question: “Can a VPN bypass a firewall?” But before we do that, you should learn more about firewalls and VPNs separately.
Luckily, we already have relevant material in our comparison article titled “VPN v/s Firewall.” Firewalls are more than a preventive measure against intruders. They also act as the entry and exit relay of a network, which lets them not only control traffic but also monitor it. However, VPNs are also necessary. Sometimes the use of a firewall isn’t justified. Then the only recourse left to the user is to employ a VPN powerful enough to circumvent filtering and subvert the firewall.
What is a VPN?
A virtual private network (VPN) is a tool that focuses on privacy and security. It allows the user to create a tunnel to a remote server location. VPNs mask IP addresses and hide the online activities of users. Hence, those who advertise them focus on their ability to make users almost anonymous on the net. Furthermore, VPNs also ensure the safety of your data traffic as they encrypt any data moving through the tunnel. Lastly, there is no limitation regarding the physical location of VPN servers, as users around the globe can easily connect to the network by using VPN clients.
Hence, a VPN has numerous uses based on its functionality, such as:
- Ensuring the safety of data traveling on the network
- Providing a secure platform to users of torrents and P2P data transfer
- Accessing geo-blocked content by spoofing IP addresses
- Bypassing censorship under authoritarian governments
- Preventing ISP throttling
What is a firewall?
A firewall is a barrier that protects a network from receiving unwanted information or leaking sensitive data to outsiders. That includes infiltration by malicious elements and suspicious attacks. Thus, a firewall restricts or blocks access to web content that the network admin deems harmful. Today, many parties use firewalls, including private enterprises and public institutions. Even your streaming website incorporates firewalls to protect content targeted at a particular region.
What is DPI and can a VPN circumvent it?
Our readers must be wondering why we are talking about DPI (Deep Packet Inspection). It is not a firewall per se but an inspection technique. But since our topic is bypassing firewalls, we must cover it. The technique is deployed within firewalls to strengthen security, especially to improve their defenses against VPNs. A typical VPN can’t bypass a firewall that uses DPI. One of the most famous examples is the Great Firewall of China, which deploys DPI against VPN intrusion to block access.
DPI checks the content of all packets passing through the firewall to figure out their source and destination. If suspect packets with encrypted headers enter the network, it isolates and counters them according to its policies. As for whether a VPN can overpower DPI, the answer depends on the specific technical enhancements it has or doesn’t have. A VPN requires dedicated ports and security protocols, on top of obfuscation technology, to bypass DPI.
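What such an inspector actually does, as an added example that is not from the original article or any vendor: a toy DPI classifier in Python labels each packet by payload signature or entropy and then applies a constructed policy to the label. The OpenVPN, WireGuard and TLS signatures come from their public formats; the sample packets and the policy table are constructed for this example.

```python
"""Toy deep packet inspection: label a packet from its payload, then apply a policy.
Added illustration, not the page's or any vendor's code. Signatures follow the public
OpenVPN, WireGuard and TLS formats; every sample packet below is constructed."""
import hashlib
import math
from collections import Counter

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; ciphertext approaches 8.0, text stays near 4-5."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def classify(transport: str, payload: bytes) -> str:
    """Return a protocol label for one packet from its L4 protocol and payload bytes."""
    if transport == "tcp" and payload.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ")):
        return "http"                      # cleartext request line
    if transport == "tcp" and len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"                       # TLS record: handshake content type, version 3.x
    if transport == "udp" and len(payload) >= 14 and (payload[0] >> 3) == 7:
        return "openvpn-handshake"         # first byte = opcode<<3 | key_id; opcode 7 = client hard reset v2
    if transport == "udp" and len(payload) == 148 and payload[:4] == b"\x01\x00\x00\x00":
        return "wireguard-handshake"       # message type 1, fixed 148-byte handshake initiation
    if len(payload) >= 256 and entropy(payload) > 7.0:
        return "opaque-encrypted"          # no known signature, but statistically looks like ciphertext
    return "unknown"

# Policy a firewall operator might attach to the labels; constructed for the example.
POLICY = {"http": "allow", "tls": "allow", "openvpn-handshake": "drop",
          "wireguard-handshake": "drop", "opaque-encrypted": "log", "unknown": "allow"}

def decide(transport: str, payload: bytes) -> tuple:
    """Inspect one packet and return (label, action)."""
    label = classify(transport, payload)
    return label, POLICY[label]

# Constructed sample packets (payload only; no real endpoints involved).
SAMPLES = {
    "web":       ("tcp", b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    "https":     ("tcp", b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + bytes(32)),
    "openvpn":   ("udp", b"\x38" + bytes(8) + b"\x00" + bytes(4)),
    "wireguard": ("udp", b"\x01\x00\x00\x00" + bytes(144)),
    # Deterministic stand-in for tunnel ciphertext: 1 KiB of SHA-256 output.
    "tunnel":    ("udp", b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))),
    "tiny":      ("udp", b"\x00\x01\x02\x03"),
}

def inspect_all() -> dict:
    """Run every sample through the inspector; returns {name: (label, action)}."""
    return {name: decide(t, p) for name, (t, p) in SAMPLES.items()}
```

The entropy rule needs a minimum length because a short random payload cannot reach 7 bits per byte; a production inspector would also track flows rather than single packets.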
Can a VPN bypass a firewall?
Now that we have cleared up the topic of DPI, we can conclude that VPNs can bypass a firewall. They can also avoid all types of firewalls, commercial or national, although we do not endorse doing so. Technically speaking, unless the firewall targets specific traffic, any VPN can fool it by hiding IP addresses and encrypting data traffic. But how do VPNs do so? You’ll find out now.
How VPNs bypass a firewall
To be precise, VPNs do not exactly “bypass” firewalls but tunnel through them. When you use a VPN, it spoofs your IP address. A firewall that prevents access to foreign IPs won’t stop your connection, as the VPN has fooled it into believing that your IP is not foreign (or otherwise against its set parameters). To understand the process, let’s go through it in detail:
- Your computer initiates a connection at your behest.
- It creates and sends an HTTP request to the target website (destination).
- Now, the data packet gets wrapped into a TCP packet.
- Afterward, it is passed to the IP layer for routing, where the destination IP address is resolved.
- Then, the IP layer decides where to send the packet with the help of routing tables.
- Typically, the first hop is your router, the default gateway.
- The router then wraps the packet into an IP datagram.
- It adds the MAC address of the next hop and sends it on its way.
But if you are on an active VPN connection, your computer doesn’t initiate the request directly. Rather, your VPN client connects to a remote server, and that server contacts the target website. The key point is that the original packets are encrypted and wrapped inside a different TCP packet, so their contents are effectively invisible to IP-layer routing. Thanks to this packaging, the VPN packets tunnel through a firewall.
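The encapsulation just described, as an added illustration that is not part of the original article: a toy tunnel in Python wraps an HTTP request for a blocked site inside an encrypted packet addressed to the VPN server, and two firewall rules are run against both the direct and the tunneled packet. The client, blocked-site and VPN-server addresses are constructed assumptions, and the XOR keystream stands in for the real authenticated encryption.

```python
"""Walk-through of the encapsulation described above: one HTTP request sent directly
and then through a VPN tunnel, as seen by a firewall filtering on destination IP.
Added illustration, not the page's code. Addresses are from documentation ranges and
the XOR keystream is a stand-in for the authenticated encryption a real VPN uses."""
import os
from dataclasses import dataclass

@dataclass
class Packet:
    src: str        # outer IP source
    dst: str        # outer IP destination: all a plain L3 filter gets to see
    proto: str      # "tcp" or "udp"
    payload: bytes

BLOCKED_DESTINATIONS = {"203.0.113.10"}   # constructed: site the firewall denies
VPN_SERVER = "198.51.100.5"               # constructed: the tunnel endpoint

class Tunnel:
    """Toy tunnel: serialises the inner packet and XORs it with a random keystream."""
    def __init__(self):
        self.key = os.urandom(4096)       # fresh per tunnel, long enough for small packets
    def _xor(self, data: bytes) -> bytes:
        return bytes(b ^ k for b, k in zip(data, self.key))
    def wrap(self, inner: Packet, client_ip: str) -> Packet:
        plain = f"{inner.src}|{inner.dst}|{inner.proto}|".encode() + inner.payload
        return Packet(client_ip, VPN_SERVER, "udp", self._xor(plain))
    def unwrap(self, outer: Packet) -> Packet:
        src, dst, proto, payload = self._xor(outer.payload).split(b"|", 3)
        return Packet(src.decode(), dst.decode(), proto.decode(), payload)

def l3_filter(pkt: Packet) -> str:
    """Destination-based rule, as on a simple perimeter firewall."""
    return "drop" if pkt.dst in BLOCKED_DESTINATIONS else "allow"

def endpoint_filter(pkt: Packet) -> str:
    """The rule that still bites: target the tunnel endpoint instead of the inner site."""
    return "drop" if pkt.dst == VPN_SERVER and pkt.proto == "udp" else "allow"

def demo() -> dict:
    client = "192.0.2.7"                                           # constructed client IP
    request = Packet(client, "203.0.113.10", "tcp", b"GET / HTTP/1.1\r\nHost: blocked.example\r\n\r\n")
    tunnel = Tunnel()
    outer = tunnel.wrap(request, client)                           # what crosses the firewall
    recovered = tunnel.unwrap(outer)                               # what the VPN server forwards
    return {"direct": l3_filter(request), "tunneled": l3_filter(outer),
            "firewall_sees_dst": outer.dst, "inner_dst_recovered": recovered.dst,
            "inner_visible": request.payload in outer.payload, "endpoint_rule": endpoint_filter(outer)}
```

The direct request is dropped while the tunneled one passes the destination rule, because the only destination the firewall can read is the VPN server; a rule keyed on that endpoint is what still catches it.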
Ways to ensure VPN can circumvent firewalls
Again, not all VPNs can bypass firewalls, at least not reliably. Thus, one shouldn’t rush into employing a VPN without heeding certain considerations. The following features are what make this technology capable of firewall circumvention:
- Obfuscation — Obfuscation technology allows VPNs to mask their traffic. Although obfuscation often relies on sophisticated servers, VPNs sometimes employ specialized protocols that facilitate it instead. Obfuscation scrambles your traffic so that it appears unencrypted. Hence, even high-tech packet inspection techniques such as DPI can’t spot it.
- Strong protocols — Speaking of bypassing firewalls, one shouldn’t neglect the importance of security protocols. Although numerous VPN protocols are available on the market, only a few are truly capable of bypassing highly complex firewalls. Such protocols include IKEv2/IPsec, SSTP, and L2TP/IPsec. OpenVPN can also do it, but since it is the most popular protocol out there, firewalls targeting VPNs employ countermeasures against it.
- SOCKS5 — A SOCKS5 proxy works at the application level, but proxies do not encrypt data. Thus, inspection techniques like DPI won’t work on SOCKS5. Sadly, only a few mainstream VPNs provide this feature.
- Browser extensions — VPNs with browser extensions can remain hidden right under the nose of management and silently allow users to bypass local firewalls. Although they are not that powerful, they do not need administrative permission to install.
- Large server network — Quality usually trumps quantity, but here a VPN needs numerous servers. If your VPN has many servers around the firewall’s location, it is easier to route data.