My school’s wifi stops working after midnight. If a VPN is connected before midnight, the connection stays and then I can continue using the internet as normal. Why does this happen?
What I was thinking was that the VPN uses a different port to communicate to the VPN server rather than 80 and 443 and only those are the ones blocked after midnight. Is that possible?
They’re more than likely using firewall rules which have time based restrictions on them.
However, the rulebase is generally only checked when you initiate a connection; non-SYN packets will be checked against the state table to see if they are already permitted, but do not get matched against the policy.
So when you connect up your VPN before midnight it consults the rulebase, which says “it's before midnight so I will allow this session to be established”. After that it just checks the state table, which is essentially checking “has this been previously allowed”. If you try and initiate a VPN connection after midnight it will bypass the “before midnight” rule (as it's past midnight) and then get dropped by the default drop rule.
This is only true for stateful filtering devices though.
The wifi doesn’t shut off. Rather, they have some kind of routing rule that goes into place. It probably either shuts off DNS or starts dropping outgoing TCP/UDP requests.
Any VPN will get through shutting off DNS (because you just get DNS over the VPN). An IPsec VPN (many modern ones) will also get through dropping TCP/UDP because it runs over a non-TCP/UDP protocol, and even a TCP VPN might because you're not initiating any new connections, and often firewalls have a rule (above the drop rules) that says to allow packets with the Established bit set (i.e. connections already in progress).
There is a computation overhead for matching every packet to the firewall policy itself. Most firewalls will only match existing flows against the state table.
Check Point even has an option that you can set whereby on policy installation it either allows all existing flows, or re-matches flows against the new firewall policy. So you could actually remove a firewall rule from the policy and still have traffic flowing through the firewall if you do not set it to re-match all connections.
Depends on the school. If we are talking K-12 then I am suppressing that for safe kids requirements by law so that you're not getting around my web filtering.
If this is college then maybe that’s a bit different as they are not subject to the safe kids policy.