Virgin Media blocks VPNs
Virgin Media is one of the big four internet service providers (ISPs) in the UK, delivering internet services to 5.9 million homes. The company has a lot of power over the access that the British public has to the World Wide Web.
bestvpn.org has recently discovered that Virgin Media ISP is secretly operating its own block on access to VPN sites. Not only are the websites of VPNs blocked, but sites that review VPNs and promote internet privacy are also quietly banned.
VPNs are not illegal in the UK. In fact, the British government’s foreign office, intelligence services, police services, and military forces use them regularly. There is no law against the usage of VPNs or responsibility on the part of ISPs to block access to them. However, Virgin Media has decided, as a matter of policy, to prevent its customers from accessing VPNs through its network.
The choice of VPNs that are blocked is random. The names and content of the VPN review sites also seem to show no selection pattern.
Which sites are being blocked?
Virgin Media sends back three different blocking messages that users trying to access banned sites will see in their browsers instead of the hoped-for site. These are:
- Web Safe parental control block
- A system SSL error message
- A system connection reset message
The assignment of which banned sites are blocked by which error message is completely random. They also change over time, but always, the visitor sees one of those three blocking messages – never any other.
VPN sites blocked with a Web Safe message
Access to some sites is blocked with the Virgin Media Web Safe parental controls page, which is shown below.
VPN sites blocked by Web Safe:
VPN review sites blocked by Web Safe are:
The Web Safe message is supposedly generated as parental control. Implying that the site was blocked because it contained one of a list of undesirable content types, including pornography. Not all real pornography sites are blocked with the Web Safe message. For example, Pornhub.com is blocked with an SSL error message.
VPN sites blocked with an SSL error message
Error message screens are generated by browsers when they receive an error code back from the web server. Some errors are raised by the browser itself if a problem occurred during the session establishment process.
The SSL error gets raised when the browser discovers that the security certificate of the website is not in order. Chrome shows the following screen under these circumstances.
Access to the following VPN sites is blocked with an SSL error when accessed through Virgin Media:
Only one VPN review site is currently blocked with an SSL error:
The SSL error implies that the site being visited is a scam or isn’t professional because its owner and administrator have failed to keep up the certificate that supplies security on connections. As you will find out later in this report, this is a slur that is untrue.
VPN sites blocked with a connection reset message
A connection reset message is usually generated by a browser when the connection procedure at the beginning of the process to request a web page gets interrupted and the connection gets dropped.
The browser produces an error screen when this problem arises. The message displayed by Chrome is shown below.
The following VPN sites get blocked with the connection reset message.
The following VPN review site is blocked by the reset condition:
The reset error should be a very rare occurrence. There is no way a connection should get dropped regularly to so many professional websites.
VPN sites not blocked by Virgin Media
The mystery over how Virgin Media selects the sites that it will block is deepened by the VPN sites that it doesn’t block. If Virgin Media wants to prevent all of its customers from subscribing to a VPN, why doesn’t it block all of the VPN websites in the world? It blocks a few VPN review sites but overlooks a long list of others.
The VPN review sites that aren’t blocked are impacted almost as severely as those rivals that can’t get their sites delivered to the general public. This is because the top two sites that all VPN review sites recommend are blocked. These are ExpressVPN and NordVPN. Many of the other top VPNs in the world are also blocked.
Anyone visiting a VPN review site that isn’t blocked will be constantly frustrated when they try to follow the links through to the sites of the best VPNs.
Here is a list of VPNs that Virgin Media does not block the websites for:
The following sites that contain VPN reviews are not blocked by Virgin Media:
It could simply be that Virgin Media hasn’t gotten around to blocking these sites yet. The list of sites that are currently blocked includes the most successful VPNs and VPN review sites in the world.
Investigating Virgin Media
As a Virgin Media customer and an expert in VPNs, as soon as I received blocking error messages, I turned on a VPN. With the VPN connection active, those websites that appeared to have connection or SSL problems suddenly became available. VPNs are well known as a method to bypass system blocks, such as the Web Safe system.
To check whether this error was being caused by my computer, I turned off the data access to my phone, connected it to the house Wi-Fi, and tried one of the problematic sites. It was blocked. I then disconnected from Wi-Fi, turned on the data plan, and tried again. The connection went through.
This told me that the problem wasn’t with those sites that couldn’t be reached; it wasn’t my computer or phone; it was Virgin Media causing the problem.
Why does Virgin Media block some VPN sites?
There seems to be no pattern to the blocking practice of Virgin Media. The five most successful VPNs in the world that are recommended by VPN sites more than the others are:
- Always evades internet control in the PRC
- Keeps ahead of the Netflix VPN detection algorithm
- Benchmark tests show excellent speed
These are all blocked by Virgin Media.
HideMyAss, TunnelBear, GooseVPN, VPN Area, PureVPN, Windscribe, and PrivateInternetAccess are also frequently recommended and have high customer satisfaction ratings. Of these, all are blocked, except for PureVPN and VPN Area.
One possible reason for the block on VPNs is that they hide access to torrent sites. Virgin Media blocks access to all of the prominent torrent index sites, such as The Pirate Bay.
However, all VPNs allow access to torrents, not just those that Virgin Media has decided to block. Some of the sites not blocked by Virgin Media, notably TorGuard, VPN Area, and VyprVPN, prominently advertise their services for unblocking torrent sites.
The same story occurs with the review sites. Yes, the blocked sites feature articles on using VPNs for torrenting, but so do all of the sites that aren’t blocked.
Investigating Virgin Media blocking techniques
I contacted NordVPN to see whether the company realized that they were being blocked from advertising their services to around a quarter of all internet users in the UK. Mauricio Rubio of the Customer Success Team told me: “We are aware that some of the ISPs tend to block VPN websites or even the servers. Unfortunately, there is not really anything to resolve this issue.”
Repressive governments, such as those in China and Iran, are well known to block VPNs. In some countries, such as Russia, VPNs are illegal. However, neither is the case in the UK. Other major ISPs allow access to VPN sites. This is not an official government policy; it is a decision taken by Virgin Media.
I asked Mr. Rubio to tell me which other ISPs he knew were blocking VPN access. However, he didn’t want to say. What he did tell me, however, was the method that most blocking ISPs use to prevent access to certain sites. That method is a DNS sinkhole.
What is a DNS sinkhole?
“DNS” stands for “domain name system.” It also stands for “domain name server.” The domain name system translates the web addresses that internet users type into a browser into the actual address of the server that hosts the code for that site.
When you enter an address into your browser or click on a link, the first thing the browser does is send a request to a domain name server to get the address it should go to for the site. Every ISP decides where to direct DNS requests. Virgin Media has its own.
A DNS sinkhole is also called a blackhole DNS. In order to block access to certain sites, the Virgin Media DNS server doesn’t omit an entry for the banned site. The site has a record there. However, instead of giving the correct internet address for that site’s web address, it returns an address that isn’t associated with any computer.
The Virgin Media blocking method
I checked the DNS entries for NordVPN.com (blocked by Web Safe), bestvpn.org (returns an SSL error), and ProtonVPN.com (connection reset error). The results of queries to the Virgin Media DNS server gave the following results.
Every computer on the internet must have a unique address, which called an IP address. As you can see from the illustration above. My DNS queries for three separate sites returned identical IP addresses.
I entered the 126.96.36.199 IP address into my browser’s address bar. The request did not receive a response. That means that the destination does not exist.
I checked who the owner of the address 188.8.131.52 is with an online IP lookup. The owner is Virgin Media. So, Virgin Media’s DNS server gives the same address for all of those blocked VPN sites. That address is owned by Virgin Media and leads nowhere. This is a classic DNS sinkhole.
How to avoid a DNS sinkhole
Fortunately, if you specify a DNS server in the network settings of your computer, that setting overrides the DNS choice of your ISP. That is, your browser will use the DNS server you nominate. If none is set, it will use the DNS server of the ISP.
Cloudflare offers a free DNS service. The address of its server is easy to remember: 184.108.40.206. To define the DNS server in the network settings, implement the following steps.
Click on the Wi-Fi symbol in the system tray of your desktop. Click on Network and Internet Settings.
In the Network Settings screen, click on Change adapter options. This opens the Network Connections list.
Right click over the icon that represents your Wi-Fi connection. Select Properties in the pop-up menu to get the connection properties window.
Click on Internet Protocol Version 4 (TCP/IPv4) and press the Properties button. This opens an Internet Properties window.
Look to the bottom half of the Internet Properties window and press the Use the following DNS server addresses radio button. Enter 220.127.116.11 and 18.104.22.168 into the two address fields. Check the Validate settings on exit box. Press the OK button to close the window and press the Close button in the Wi-Fi Properties window.
Check your new DNS settings
After naming a DNS server, try to access those sites blocked by Virgin Media. They should work. The DNS lookup output shown below reruns the earlier queries I performed. This time, the queries return the correct IP addresses. The sinkhole address 22.214.171.124 has gone.
Virgin Media problem
Virgin Media is owned by Liberty Global, which is the largest broadband internet service outside of the USA. It is possible that other Liberty Global divisions are using the same DNS sinkhole trick to block access to VPN sites.
I am only able to check my own ISP. Have you experienced problems similar to the blocks I outlined about? Try nominating a DNS server in your network settings. If this fixes the problem, leave a message in the Comments section below and tell the community which internet service provider you use.