Firewalls set network boundaries and control the traffic that flows through them. They are designed to protect private networks from viruses, Trojans, worms, and other types of attacks. But they can also prevent you from accessing content on particular sites.
In this article, we are breaking down 14 known methods for defeating firewalls and other Internet filters. However, we are focusing on VPN, so you will find extensive information about this topic in the first half of the article. It is followed by the 13 remaining methods in the second half, designed to provide alternative solutions in case it is impossible to use VPN.
Here is an overview of the topics we cover:
- How a firewall works
- Can VPNs bypass firewalls?
- How VPNs get past firewalls
- Why you need a VPN to bypass firewalls
- About VPN firewalls
- About VPN port forwarding
- Circumvent VPN blocks with obfuscation
- VPN protocols for bypassing firewalls
- How to bypass firewalls with VPN
- How to bypass firewalls without VPN in 13 ways
- 1. Connect to the Tor anonymous network
- 2. Circumvent online censorship with Lantern
- 3. Switch to Psiphon for unrestricted Internet access
- 4. Apply a SOCKS5 proxy configuration
- 5. Secure web connections with SSL tunneling
- 6. Sneak into guest networks with DNS tunneling
- 7. Terminate the guilty background process
- 8. Use CMD to access sites by IP address instead of domain
- 9. Shift to your mobile data plan
- 10. Remotely connect to your home computer
- 11. Get your router ready for port forwarding
- 12. Set up Nmap for firewall subversion
- 13. Configure Metasploit for reverse TCP tunneling
- In conclusion
How a firewall works
A firewall is a security system in charge of keeping networks safe from untrusted Internet connections. It monitors, controls and filters incoming and outgoing connections according to predefined rules. In general, a firewall isolates an internal system from the public Internet to prevent malware attacks, which is why it is considered the first line of defense against malware. It can be implemented in a network through software, hardware, or a combination of both.
Assuming that you run Windows, you can open the advanced firewall settings to get a better idea of how inbound and outbound rules are set up. You can control the web access of installed applications, prevent outside computers from connecting to your network over TCP or UDP on any port, and create lists of targeted local or remote IP addresses. Anything is possible.
Can VPNs bypass firewalls?
Yes, if two conditions are met:
- The VPN service is configured correctly
- Remote machines permit secure connections
Virtual private network tools create an encrypted tunnel for sending and receiving network traffic. If you establish a connection to a remote computer that accepts only secure connections, you are all set. In turn, you can get past firewalls and other Internet filters to reach blocked sites, such as pages restricted by your school, office, or government.
Whatever links you click, sites you visit, files you download, or conversations you have will remain confidential, locked up in the secure tunnel. The VPN provider hides your IP address and replaces it with one of its own. Because all your data is routed through the VPN server, the server appears to be the source of the traffic.
Third parties cannot see your online activities. Even if an attacker manages to intercept your traffic, they would only see ciphertext and would not be able to read it. The only party that can see what you do inside the encrypted tunnel is the VPN provider. Thus, it is critical to research the options carefully so that you choose a VPN service that does not monitor and log your activity.
How VPNs get past firewalls
Here is how a firewall works without VPN: when you want to visit a specific site, you send an HTTP request inside a data packet. The packet is wrapped in a TCP segment, and the domain name of the site is translated to an IP address by a DNS server.
The TCP segment travels inside an IP datagram to the NAT router, which decides where to send it based on the destination IP address and its routing table. It attaches the MAC address of the next hop and forwards the datagram, hop by hop, until it reaches the destination network and computer. The firewall does its job at the NAT router level.
And here is how VPN changes the process: the VPN client sets up a connection to the VPN server and inserts itself into the route your traffic takes before it reaches the NAT router (where the firewall operates). As a result, your traffic goes to the VPN client first instead of straight to the public Internet.
Once the packets reach the client, it encrypts each original IP datagram and wraps it in a new TCP packet addressed to the VPN server, so the NAT router cannot read the original contents. The client then forwards the new packet to the VPN server, which unwraps it and sends it on to the intended destination.
A VPN service manages to bypass a firewall thanks to this secure tunnel: the firewall sees only an encrypted TCP connection to the VPN server, so it cannot decrypt and analyze the inner packet or apply its rules to the real destination. The packet therefore passes the firewall's checks as ordinary traffic to the VPN server and is unwrapped only once it reaches that server.
Why you need a VPN to bypass firewalls
Here are some scenarios that might require you to turn to a security solution like VPN to penetrate firewalls and other Internet filters:
- Your school, university or campus network is blocking access to social media sites because they distract the attention of students.
- The system administrator at your office is restricting the network and preventing employees from accessing any sites unrelated to the business.
- You are living in or traveling to a country with strict laws against VPN usage, such as China or Russia.
- You are a journalist, whistleblower or political activist who fears reprisals from your government.
- Your ISP is throttling your bandwidth indiscriminately, or because you are carrying out bandwidth-intensive online activities, like torrenting or streaming.
About VPN firewalls
A VPN service designed to bypass firewalls should not be confused with a VPN firewall. A VPN firewall is a type of security system specially made to protect internal networks from suspicious users or parties that could exploit VPN connections. Its main goal is to allow only genuine VPN traffic to get past the firewall. Usually, such a firewall is installed in front of or behind a VPN server.
About VPN port forwarding
Some VPN providers use a NAT firewall to block unsolicited inbound connections from reaching your computer. It is a useful anti-malware technique that protects the integrity of your files. Unfortunately, it can cause problems.
Not all of those connections are dangerous. For example, the firewall can prevent remote peers from downloading torrent data you are seeding from your hard drive. Similarly, it can inadvertently stop your friends from joining multiplayer games you are hosting through the virtual private network.
However, if the VPN provider also offers a port forwarding mode, it can be used to route selected inbound connections through the provider's NAT firewall to your computer.
Circumvent VPN blocks with obfuscation
You might stumble upon a situation where it is impossible to use your VPN service to access sites. Let us assume that you are planning a personal or work-related trip to a highly restrictive country, like China or Russia. You should know that most VPN services do not operate there, due to government censorship. Therefore, it is crucial to prepare for such severe scenarios.
Luckily, VPN blocks can be resolved with obfuscation (also known as cloaking). It is an advanced VPN technique that hides the fact that you are using a virtual private network service by making the traffic look like ordinary HTTPS traffic. It is the last line of defense against firewalls and other Internet filters configured to block VPN traffic.
VPN protocols for bypassing firewalls
How effectively a VPN app bypasses firewalls depends mainly on the protocol. Firstly, you must decide which VPN protocol to use. Secondly, you have to make sure that your firewall permits its traffic. Here are our suggestions:
OpenVPN is the perfect solution
The OpenVPN protocol is widely regarded as the best for the job since it brings the right balance of security and speed. It supports up to 256-bit AES encryption, 2048-bit RSA authentication, and 160-bit SHA1 hashing. Besides, it allows IPv6 connections as well as both TCP and UDP transport (TCP is better for bypassing firewalls). OpenVPN is so popular that several VPN services support this protocol only.
The following ports are commonly used for OpenVPN and can be unblocked:
- UDP: 53, 1194, 1197, 1198, 8080, 9201.
- TCP: 80, 110, 443, 501, 502.
Because it can run on so many ports, including TCP 443, a port-based filter cannot tell OpenVPN traffic apart from typical HTTPS traffic, making it a perfect candidate for getting around firewalls and other Internet filters.
SSTP is another excellent choice
SSTP is one of the most robust protocols as far as security is concerned. It uses military-grade levels of authentication (2048-bit SSL) and encryption (256-bit SSL keys). It equals OpenVPN when it comes to security but uses only one port: TCP 443. Consequently, firewalls have a difficult time refusing VPN connections made through SSTP because the traffic is disguised as regular HTTPS traffic.
SSL for VPN browser extensions
SSL connections are established through port 443 over TCP (HTTPS traffic), the same as OpenVPN and SSTP. This makes it a reliable protocol for bypassing firewalls. SSL is an excellent choice when using VPN browser extensions. In addition to concealing your IP address and encrypting your traffic, it protects you from phishing attempts when visiting insecure HTTP websites.
Other protocols are not up to the task
Although IKEv2 offers great speed and excellent security (in combination with IPsec), it can be effortlessly blocked by firewalls at the NAT interface because it uses UDP port 500, which a firewall can simply drop. L2TP suffers from the same firewall issue because it also uses UDP 500.
PPTP can be quickly rejected by firewalls as well. In fact, L2TP and PPTP have a poor reputation among VPN providers due to serious security weaknesses. They are considered obsolete protocols, and some VPN services have already dropped support for them.
To find out how to check your system for open ports and how to open ports for your favorite VPN protocol, check out this article (at Allow VPN passthrough by opening ports).
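As an added illustration (not code from this article or from any VPN product), here is a small first-match rule engine in the style of the inbound and outbound rules discussed under "How a firewall works", run against constructed packets: a plain HTTPS connection, OpenVPN on its default UDP port, OpenVPN on TCP 443, IKEv2 on UDP 500, and two inbound RDP attempts. The policy, addresses and labels are all made up for the demo.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (from the Internet) or "out" (to the Internet)
    proto: str       # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    label: str       # what the traffic really is; a constructed tag for the demo only

@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "block"
    direction: Optional[str] = None   # None matches both directions
    proto: Optional[str] = None
    dport: Optional[int] = None
    remote: Optional[str] = None      # CIDR the remote (non-local) address must fall in

    def matches(self, pkt: Packet) -> bool:
        if self.direction is not None and self.direction != pkt.direction:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.remote is not None:
            remote_ip = pkt.dst if pkt.direction == "out" else pkt.src
            if ip_address(remote_ip) not in ip_network(self.remote):
                return False
        return True

def evaluate(rules: list, pkt: Packet, default: str = "block") -> str:
    """First matching rule wins, as in most host and perimeter firewalls; else the default policy."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default

# Constructed policy: web and DNS out, block the well-known VPN ports named in the article,
# and accept inbound connections only from the internal 10.0.0.0/8 range.
POLICY = [
    Rule("block", direction="out", proto="udp", dport=1194),  # OpenVPN default port
    Rule("block", direction="out", proto="udp", dport=500),   # IKEv2 / L2TP over IPsec
    Rule("allow", direction="out", proto="tcp", dport=80),
    Rule("allow", direction="out", proto="tcp", dport=443),
    Rule("allow", direction="out", proto="udp", dport=53),
    Rule("allow", direction="in", remote="10.0.0.0/8"),
]

# Constructed traffic sample (documentation address ranges; not real hosts).
SAMPLE = [
    Packet("out", "tcp", "10.1.2.3", "203.0.113.10", 443, "https"),
    Packet("out", "udp", "10.1.2.3", "203.0.113.20", 1194, "openvpn-udp"),
    Packet("out", "tcp", "10.1.2.3", "203.0.113.20", 443, "openvpn-tcp-443"),
    Packet("out", "udp", "10.1.2.3", "203.0.113.30", 500, "ikev2"),
    Packet("in", "tcp", "198.51.100.7", "10.1.2.3", 3389, "rdp-from-internet"),
    Packet("in", "tcp", "10.9.8.7", "10.1.2.3", 3389, "rdp-from-lan"),
]

def decisions(rules=POLICY, packets=SAMPLE) -> dict:
    """Map each sample packet's label to the firewall verdict."""
    return {p.label: evaluate(rules, p) for p in packets}

if __name__ == "__main__":
    for label, verdict in decisions().items():
        print(f"{label:18s} -> {verdict}")
```

The verdict for the OpenVPN-on-TCP-443 packet is the practical point: a port-only policy cannot tell it from HTTPS, so an administrator who needs to distinguish the two has to inspect the payload rather than the port.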
How to bypass firewalls with VPN
- Select a VPN that supports OpenVPN, SSTP, or both protocols.
- Download and install the VPN client.
- Configure VPN settings to enable OpenVPN over TCP.
- Enable obfuscation if you have to make your VPN connection undetectable.
- Connect to a VPN server and enjoy secure browsing.
We suggest using the OpenVPN protocol. There are many services to choose from. Although they might feel the same, the VPN products are quite varied. The most significant difference is between free and premium VPN.
We understand why it is so tempting to opt for a free virtual private network application, especially since you cannot make a one-time payment for a VPN lifetime subscription. It is fine to test a free VPN at first, but only to get familiar with the idea of using such a tool. Nevertheless, we strongly recommend against free VPNs in the long run due to significant privacy risks.
Our VPN recommendations
If you do not know where to even begin exploring the VPN market, you can put your faith in us since we have tested, reviewed and rated over 30 virtual private network services.
ProtonVPN (review here) features support for the OpenVPN protocol only. However, UDP is the default option. To maximize your chances at bypassing firewalls, it is necessary to switch to TCP. To do this, follow the next steps:
- In the main window, click the hamburger button in the upper-left corner to open a menu and go to Settings.
- Select the Connection tab from the Settings window, click the drop-down menu next to Default Protocol, and pick TCP.
- Exit Settings and connect to any VPN server from the list.
- Enjoy secure browsing and bypass firewalls.
The free edition of ProtonVPN allows one simultaneous connection and gives you only three countries to connect to VPN servers. However, it comes with unlimited bandwidth. Also, you might be able to take advantage of the full features of the premium version for a limited trial when using the service for the first time.
Speedify (review here) includes only the OpenVPN protocol. But the default option is set to Auto. Therefore, you should change it to TCP to increase your shots at penetrating firewalls. Just follow these steps:
- In the main window, click the settings button to open a new area.
- Scroll down until you spot and click Session to expand this section.
- In Session, scroll down until you see Transport Mode, then select TCP.
- Exit the configuration panel, then connect to any VPN server from the list.
- Take advantage of private browsing and bypass firewalls.
In free mode, Speedify caps your monthly data traffic at 5 GB. On top of that, you can connect from only one device at a time. On the bright side, you can make use of all VPN servers in all countries available to premium members.
TunnelBear (review here) puts only the OpenVPN protocol at your disposal, and it is set to UDP by default. It means that you should take a quick tour of the configuration panel and choose TCP. Follow these simple instructions:
- In the main window, click the settings button from the vertical menu on the left side.
- In the General tab of the Settings section, click the slider to activate TCP Override.
- If you must conceal the fact that you are using VPN, go to the Security tab and activate the GhostBear setting.
- Go back to the central panel, select a VPN server, and connect.
- You can now surf the web securely and evade firewalls.
The free edition of TunnelBear permits only 500 MB of network bandwidth every month. However, you can connect to all VPN servers like premium users.
When using ExpressVPN (review here), you can opt for OpenVPN, L2TP, or PPTP. We recommend staying away from L2TP and PPTP, though (even their descriptions in the settings panel say “weak security”). The default protocol is Automatic, but here is how you can easily set it to OpenVPN TCP:
- In the central window, click the hamburger button in the upper-left corner to open a menu, and select Options.
- In Options, go to the Protocol tab, select TCP – OpenVPN, and click OK.
- Connect to a VPN server location from the list.
- Enjoy encrypted browsing and bypassing firewalls.
OpenVPN is the only protocol supported by NordVPN (review here) since the company dropped support for L2TP and PPTP. But the recommended protocol for VPN connections is set to UDP, so you should switch to TCP to face no issues when attempting to circumvent firewalls:
- The default window mode of NordVPN is set to Servers. Go to Settings by clicking the button on the upper blue bar.
- In Settings, go to the Advanced area and select TCP that is next to Protocol.
- If you also need to hide the fact that you are using VPN, go to Advanced and turn on Obfuscated Servers.
- Return to the Servers section and connect to a VPN location from the list.
- Experience private browsing and mislead firewalls with ease.
CyberGhost VPN (premium)
CyberGhost VPN (review here) includes OpenVPN, IKEv2, and L2TP. We suggest using OpenVPN. The default protocol is set to Automatic selection, so you have to make a few tweaks to be able to circumvent firewalls successfully.
- In the main window, click the settings button on the upper-right corner to open a menu and click Settings, or click the yellow label button.
- In Settings, go to the Connection tab, click the drop-down menu right below VPN protocol, and select OpenVPN.
- Without leaving the Connection tab, locate the Use TCP instead of UDP option, and click its slider to activate the feature.
- If you are having trouble with the connection, you can also enable the Use a random port to connect option.
- Return to the main menu and connect to a server.
- Have fun with encrypted connections and getting past firewalls.
How to bypass firewalls without VPN in 13 ways
If it is not possible to install and use a VPN service to get around firewalls, then you can explore these alternative options:
1. Connect to the Tor anonymous network
Tor (The Onion Router) is an anonymous network that features multiple layers of encryption. It gives you the possibility to surf the web anonymously, get past firewalls, and take advantage of unrestricted access with the aid of the Tor Browser.
Specially developed to evade government censorship, Tor can hide the fact that you are using its anonymous network by means of bridges. Therefore, it helps with unblocking sites in countries that block Tor. NordVPN has a feature called Onion Over Tor, which lets you use the VPN service in conjunction with the anonymous network. In fact, you can use VPN and Tor together to improve your online privacy.
2. Circumvent online censorship with Lantern
Lantern is a free application that focuses on circumventing Internet censorship and overcoming firewalls. Since it is a peer-to-peer tool, it depends on the number of trustworthy users residing in countries with free online access. Those users lend their bandwidth to others living in regions with restricted Internet, and Lantern encrypts the traffic between them.
However, it is not an anonymity tool like Tor. Lantern can be downloaded on Linux, macOS, Windows, and Android. It is incredibly intuitive, wrapped in a simple graphical interface.
3. Switch to Psiphon for unrestricted Internet access
Similar to Lantern, Psiphon is dedicated to people who want to enjoy Internet freedom and bypass firewalls by getting rid of censorship. What sets it apart from other software solutions is that it uses proprietary technology that combines VPN with HTTP proxy and SSH.
It masks your IP address and comes with upstream proxies that can be used to unlock restricted networks at school or work. In addition to Lantern and Psiphon, you can try Freenet, Ultrasurf and I2P to achieve similar effects.
4. Apply a SOCKS5 proxy configuration
SOCKS5 proxy servers can help you evade firewalls by hiding your IP address. However, unlike VPN, Tor, Lantern and Psiphon, they do not encrypt your traffic. The result is better speed, unhampered by encryption overhead, which is ideal for demanding tasks like torrenting or streaming. Shadowsocks is an excellent example of a software application based on the SOCKS5 proxy.
5. Secure web connections with SSL tunneling
SSL tunneling is a method used by applications inside an intranet to request data from the public web through a proxy server that speaks HTTPS on port 8080. Once the proxy establishes the connection, it keeps it alive so that you can exchange data packets with the remote computer. Data transfers are secured by end-to-end encryption, which means that no one can eavesdrop, not even the proxy server that created the SSL tunnel.
6. Sneak into guest networks with DNS tunneling
DNS tunneling means using the DNS protocol to send and receive data. It can sidestep firewalls over open hotspots which require you to log in with a username and password to go online. DNS traffic is typically allowed on these guest networks, so what you have to do is hide HTTP data within DNS traffic to get it past the firewall.
Setting up DNS tunneling is not as easy as the other methods on this list. On top of that, it can deliver slow speeds over public hotspots that already throttle the bandwidth. DNS tunneling requires you to install a third-party tool (like iodine) that sends the DNS requests (with the HTTP traffic wrapped inside them), as well as to register and configure a domain for the tunnel.
To test it, you can also prepare a server that receives the DNS requests and provides you with Internet in return. Nevertheless, it is a pretty fun experiment. It teaches you how to configure a portable device that you can carry with you wherever you go and fire up whenever you need to bypass firewalls over guest networks. Check out this article for complete instructions on how to configure DNS tunneling (and how to block such attacks to protect your own guest network).
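For the defensive side mentioned above (blocking such tunnels on your own guest network), here is an added detection example, not part of the original article or of iodine: it profiles a constructed resolver query log and flags domains that receive many distinct, high-entropy names via TXT or NULL lookups, which is the footprint an encapsulating tunnel client leaves behind. The log format, thresholds and the "last two labels" domain rule are assumptions for the demo.

```python
import math
import re
from collections import defaultdict

# Constructed resolver log (fields: client, query name, record type). The example.net
# queries imitate what a tunnel client emits: long random first labels and TXT/NULL lookups.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.9 7kq3v9zx2a8bfl0pmnq4r5wt.ex1.t.example.net TXT
10.0.0.9 hg5ns8dk1vz0qa7c3xr2bm4l.ex1.t.example.net TXT
10.0.0.9 q2w9e8r7t6y5u4i3o2p1a0sd.ex1.t.example.net TXT
10.0.0.9 z1x2c3v4b5n6m7k8j9h0gfds.ex1.t.example.net NULL
10.0.0.5 cdn.example.org A
10.0.0.9 lp0okm9ijn8uhb7ygv6tfc5r.ex1.t.example.net TXT
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")
TUNNEL_QTYPES = {"TXT", "NULL"}   # record types that carry the most payload per answer

def shannon_entropy(text: str) -> float:
    """Bits per character; random base32/base64-style labels score well above 3.5."""
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname: str) -> str:
    # Simplification for the demo: treat the last two labels as the registrable domain.
    return ".".join(qname.rstrip(".").split(".")[-2:])

def parse_log(log: str):
    """Yield (client, qname, qtype) for each well-formed line; skip anything else."""
    for line in log.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2).lower(), m.group(3).upper()

def profile_domains(log: str) -> dict:
    """Aggregate, per registrable domain, the signals a tunnel leaves behind."""
    prof = defaultdict(lambda: {"queries": 0, "names": set(), "entropy_sum": 0.0, "tunnel_qtypes": 0})
    for _client, qname, qtype in parse_log(log):
        p = prof[registered_domain(qname)]
        p["queries"] += 1
        p["names"].add(qname)
        p["entropy_sum"] += shannon_entropy(qname.split(".")[0])
        if qtype in TUNNEL_QTYPES:
            p["tunnel_qtypes"] += 1
    return prof

def suspicious_domains(log: str, min_queries: int = 4,
                       min_entropy: float = 3.5, min_qtype_share: float = 0.5) -> dict:
    """Domains where many distinct, high-entropy names are requested as TXT/NULL records."""
    hits = {}
    for dom, p in profile_domains(log).items():
        if p["queries"] < min_queries:
            continue
        avg_entropy = p["entropy_sum"] / p["queries"]
        qtype_share = p["tunnel_qtypes"] / p["queries"]
        unique_share = len(p["names"]) / p["queries"]   # tunnels rarely repeat a name
        if avg_entropy >= min_entropy and qtype_share >= min_qtype_share and unique_share > 0.9:
            hits[dom] = {"queries": p["queries"], "avg_entropy": round(avg_entropy, 2),
                         "qtype_share": qtype_share}
    return hits

if __name__ == "__main__":
    for dom, info in suspicious_domains(SAMPLE_LOG).items():
        print(f"possible DNS tunnel: {dom} {info}")
```

On a real guest network the same profile would be built from the resolver's query log over a time window, and a flagged domain is a candidate for blocking at the resolver rather than an automatic verdict.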
7. Terminate the guilty background process
Some corporations might not be willing to invest in high-end technology for deploying firewall restrictions over the intranet. Instead, they may resort to cheaper software solutions that are incredibly ineffective at maintaining firewall blocks. In many cases, such tools run a background service or process that can be easily terminated on your machine. But it might not work if you do not have administrative rights.
8. Use CMD to access sites by IP address instead of domain
If it is not possible to access a website by domain name, you can try entering its IP address instead. The block may be enforced through the DNS server rather than on the IP address itself. To find out the IP address of any domain, you can turn to Command Prompt (in Windows), Terminal (in macOS and Linux), or a third-party ping tool like Fing (on Android and iOS).
On Windows:
- To launch Command Prompt, press Win+R to open the Run window, then type cmd and press Enter.
- In Command Prompt, type ping <server> and press Enter, where <server> is the domain name of the site you want to reach.
- Results return the IP address of the domain. For example, if you type ping google.com, the IP address returned by Command Prompt is 126.96.36.199.
On macOS:
- To open the Terminal, open the Go menu, go to Utilities, and double-click Terminal.
- In the Terminal, type ping <server> and press Enter, where <server> is the domain name of the website you want to visit.
- The results show the IP address of the site. For instance, if you type ping google.com, the IP address returned by the Terminal is 188.8.131.52.
On Linux:
- To open the Terminal, click Activities on the upper-left corner of the desktop, then click the Terminal icon.
- In the Terminal, type ping <server> and press Enter, where <server> is the domain name of the site you wish to go to.
- The Terminal exposes the IP address of the site. For instance, if you type ping google.com, the IP address returned by the Terminal is 184.108.40.206.
On Android:
- Download and set up the Fing app from the Google Play Store.
- Once opened, go to Network and tap Ping.
- In the Ping section, enter the name of the site you want to access and tap Ping.
- The ping results open in a new area, but you can go back and take a look at Recent hosts. It is a section that reveals the IP address associated with each site you pinged.
On iOS:
- Get the Fing app from the App Store.
- Launch the app, tap Network, and go to Ping.
- At Ping, specify the domain of the website you want to reach, then tap Ping.
- The application scans the domain and displays the results in a new section. But you can go back to the previous area and view Recent hosts. You can see the IP address that corresponds to the pinged site.
Once you find out the IP address, all you have to do is copy it into the address bar of your web browser. If the site loads now, it means that you have bypassed the firewall successfully.
9. Shift to your mobile data plan
If you keep failing in your attempts to bypass the firewall, you must exit the network to avoid its restrictions. To do this, you can enable tethering on your smartphone or tablet so that you can use your mobile data plan. However, this is not a convenient solution for users subscribed to mobile carriers with expensive data plans.
Mobile tethering is the last resort. It should not be used for streaming, torrenting or other resource-demanding tasks. If you do, you will quickly consume the bandwidth and then pay a lot of money after going over the limit. Tethering can be done via Wi-Fi, Bluetooth or USB.
10. Remotely connect to your home computer
Establishing a remote connection to your home workstation is a foolproof method for evading the firewall of your office. It also works if you are connected to any public Wi-Fi, such as hotels, restaurants, schools, college campuses, and libraries. The concept behind this is quite simple: your home PC does not have any network restrictions, so you can connect to it and use your own Internet.
To make this happen, it is necessary to prepare your desktop before leaving home. You can use the built-in Windows feature for Remote Desktop Sharing (RDP), the integrated macOS feature for Screen Sharing, or a third-party application like TeamViewer. The setup instructions are swift and intuitive.
11. Get your router ready for port forwarding
Port forwarding, often set up through SSH tunneling, is a technique used to redirect Internet traffic to another computer. It comes in handy for bypassing firewalls and other Internet filters to access your home computer or server from anywhere in the world. Plus, you can provide computer access to other users for torrenting and multiplayer gaming. At the same time, you can gain entry to your office workstation when you are at home or traveling.
Some VPN services feature port forwarding, but you can also set it up on your router. To find out how to open and forward ports on any router, check out this site.
12. Set up Nmap for firewall subversion
Nmap is a free and open-source command-line tool designed for network scanning. Available for Linux, Windows, macOS and BSD, it can be used alongside Zenmap (its graphical front end). Nmap can discover hosts in a network and scan ports, as well as bypass firewall rules using various techniques (more or less effective).
These firewall subversion methods involve exotic scan flags, manipulating source ports, IPv6 scanning, and spoofing MAC addresses, among others. Take a look at this guide on Nmap’s site to find out more. However, learning how to use Nmap might take some time if you are not familiar with advanced networking utilities.
13. Configure Metasploit for reverse TCP tunneling
Metasploit is a popular penetration testing package for networks. Available only for Linux and Windows, it can be used to find security vulnerabilities, thanks to anti-forensic and evasion utilities.
If you are patient enough to learn how to use Metasploit, you can get past firewalls by putting together complex rules for manipulating and filtering data packets at the router level. To do this, you can use reverse TCP tunneling to forward all ports via brute force.
In conclusion
Taking everything into account, VPN services are trustworthy tools to help you bypass firewalls and circumvent Internet censorship so that you can access websites freely. The steps necessary for making this happen are not challenging, but a bit of research is required to choose the perfect VPN service.
As pointed out, there are a lot of backup measures for sidestepping firewall boundaries. And we suggest preparing your computer or mobile by exploring multiple alternative solutions. This way, you are equipped with all the right tools to help you get past challenging scenarios involving Internet restrictions. However, at the end of the day, VPN apps remain the most reliable option.