Why does my school's wifi work after midnight with a VPN on?

My school’s wifi stops working after midnight. If a VPN is connected before midnight, the connection stays and then I can continue using the internet as normal. Why does this happen?

What I was thinking was that the VPN uses a different port to communicate to the VPN server rather than 80 and 443 and only those are the ones blocked after midnight. Is that possible?

They likely halt new connections, but don’t terminate existing ones.

Not a great system.

They’re more than likely using firewall rules which have time based restrictions on them.

However, the rulebase is generally only checked when you initiate a connection; non-SYN packets will be checked against the state table to see if they are already permitted, but do not get matched against the policy.

So when you connect up your VPN before midnight it consults the rulebase, which says “it's before midnight so I will allow this session to be established”. After that it just checks the state table, which is essentially checking “has this been previously allowed?”. If you try and initiate a VPN connection after midnight it will bypass the “before midnight” rule (as it's past midnight) and then get dropped by the default drop rule.

This is only true for stateful filtering devices though.

The wifi doesn’t shut off. Rather, they have some kind of routing rule that goes into place. It probably either shuts off DNS or starts dropping outgoing TCP/UDP requests.

Any VPN will get through shutting off DNS (because you just get DNS over the VPN.) An IPsec VPN (many modern ones) will also get through dropping TCP/UDP because it runs over a non-TCP/UDP protocol, and even a TCP VPN might because you’re not initiating any new connections and often firewalls have a rule (above the drop rules) that says to allow packets with the Established bit set (i.e. connections already in progress.)

Probably a schedule setting only allowing it to be operational during a certain time period.

It's pretty much standard firewall behaviour.

There is a computation overhead for matching every packet to the firewall policy itself. Most firewalls will only match existing flows against the state table.

Checkpoint even has an option that you can set whereby on policy installation it either allows all existing flows, or re-matches flows against the new firewall policy. So you could actually remove a firewall rule from the policy and still have traffic flowing through the firewall if you do not set it to re-match all connections.

They have a stateful firewall with no proxy avoidance turned on. They should:

A) Never allow you to connect to a VPN in the first place
B) Turn the policy off and not just the WiFi to ensure the session table refreshes.
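The mechanism the earlier reply describes (new flows go through the rulebase, everything else is matched against the state table only), the "re-match existing flows on policy installation" option, and point B) above, as an added toy simulation. This is not any vendor's code or anything from the thread: the addresses, ports and the 00:00–06:00 curfew window are constructed, and the class and method names are my own.

```python
"""Toy stateful packet filter with a time-based rule (constructed simulation).

Shows why a VPN flow opened before the curfew keeps passing afterwards, why a
new connection attempt after the curfew is dropped, and why only re-matching
or flushing the state table actually ends the existing flow.
"""
from dataclasses import dataclass
from datetime import time


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int
    syn: bool    # TCP SYN flag; ignored for UDP
    at: time     # wall-clock arrival time


def flow_key(pkt: Packet) -> tuple:
    return (pkt.src, pkt.dst, pkt.proto, pkt.dport)


class StatefulFirewall:
    """Rulebase is consulted for new flows only; known flows hit the state table."""

    def __init__(self, curfew_start: time = time(0, 0), curfew_end: time = time(6, 0)):
        self.curfew = (curfew_start, curfew_end)   # constructed window
        self.state_table = set()                    # keys of allowed flows

    def policy_allows(self, pkt: Packet) -> bool:
        """The rulebase: allow new flows outside the curfew, default drop inside it."""
        start, end = self.curfew
        return not (start <= pkt.at < end)

    def filter(self, pkt: Packet) -> str:
        key = flow_key(pkt)
        # 1. Existing flows are checked against the state table only, never the policy.
        if key in self.state_table:
            return "ACCEPT (state table)"
        # 2. Only a flow opener reaches the rulebase: a TCP SYN, or any UDP packet.
        #    A stray mid-stream TCP segment with no state entry is dropped outright.
        opens_flow = pkt.proto == "udp" or pkt.syn
        if opens_flow and self.policy_allows(pkt):
            self.state_table.add(key)
            return "ACCEPT (rulebase, new entry)"
        return "DROP"

    def reinstall_policy(self, rematch_existing: bool, now: time) -> list:
        """Policy install: either keep all existing flows, or re-evaluate each
        against the rulebase as of `now` and evict those that no longer match."""
        if not rematch_existing:
            return []
        evicted = []
        for key in sorted(self.state_table):
            src, dst, proto, dport = key
            probe = Packet(src, dst, proto, dport, syn=True, at=now)
            if not self.policy_allows(probe):
                self.state_table.discard(key)
                evicted.append(key)
        return evicted


# Constructed sample flows: a UDP VPN tunnel and an ordinary HTTPS connection.
VPN = dict(src="10.0.0.25", dst="203.0.113.7", proto="udp", dport=1194)
WEB = dict(src="10.0.0.25", dst="198.51.100.9", proto="tcp", dport=443)


def curfew_scenario() -> dict:
    """Walk the thread's situation through the simulated firewall."""
    fw = StatefulFirewall()
    r = {}
    r["stray_tcp"] = fw.filter(Packet(**WEB, syn=False, at=time(23, 45)))   # no state, no SYN
    r["vpn_before"] = fw.filter(Packet(**VPN, syn=False, at=time(23, 50)))  # tunnel comes up
    r["vpn_after"] = fw.filter(Packet(**VPN, syn=False, at=time(0, 10)))    # keepalive past midnight
    r["web_after"] = fw.filter(Packet(**WEB, syn=True, at=time(0, 10)))     # fresh connection attempt
    r["evicted"] = fw.reinstall_policy(rematch_existing=True, now=time(0, 15))
    r["vpn_after_rematch"] = fw.filter(Packet(**VPN, syn=False, at=time(0, 20)))
    return r


def no_rematch_scenario() -> dict:
    """Same tunnel, but the policy is reinstalled without re-matching existing flows."""
    fw = StatefulFirewall()
    r = {}
    r["vpn_before"] = fw.filter(Packet(**VPN, syn=False, at=time(23, 50)))
    r["evicted"] = fw.reinstall_policy(rematch_existing=False, now=time(0, 15))
    r["vpn_after"] = fw.filter(Packet(**VPN, syn=False, at=time(0, 20)))
    return r


if __name__ == "__main__":
    for name, result in curfew_scenario().items():
        print(f"{name:18} {result}")
```

The ordering inside `filter` is the whole point: the state-table lookup runs before the rulebase, so a time-based rule is only ever evaluated for the packet that opens a flow. On Linux that is the familiar shape of an `ESTABLISHED,RELATED` accept rule sitting above the time-restricted rules, and the fix the poster suggests in B) corresponds to `reinstall_policy(rematch_existing=True)`, which evicts the tunnel's entry so its next packet has to face the rulebase again.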

You can absolutely terminate a live TCP connection, so before trying to call me out, do some research.

More than that, WiFi should be turned off entirely during hours where you do not expect to have legitimate usage.

A wifi point that isn’t broadcasting will absolutely terminate a live TCP connection, among other potential solutions.

Please stop. You have no idea what you’re talking about.

Why should a school never allow you to connect to a VPN in the first place?

Just refresh the DHCP at 12:01 so only static IPs on the network stay on, like printers.

Depends on the school. If we are talking K-12, then I am suppressing that for safe kids requirements by law so that you're not getting around my web filtering.

If this is college then maybe that’s a bit different as they are not subject to the safe kids policy.

Ah, yeah, I assumed it was a college. I see where you’re coming from now.

What k-12 school would have students there at midnight?

What college shuts off the wifi at night?

Some are used as community centers after hours in the gym. This is not even far fetched.