You cannot ban VPNs. But the real threat isn’t the ban.


The UK government wants to restrict VPN use. The House of Lords has passed an amendment to the Children’s Wellbeing and Schools Bill that would “prohibit the provision of VPN services to children.” A public consultation launched on 2 March asks whether age verification should extend to VPN services. GCHQ is reportedly exploring a “Great British Firewall” concept.

The headlines say this is about protecting children. The technical reality says it’s impossible. But the real story is neither of those things.

The real story is what has to happen to enforce it.

The identity trap

Here’s the question nobody in government wants to answer directly: how do you stop a child from using a VPN without checking whether every user is a child?

You can’t. The only way to restrict VPN access by age is to verify the age of every person who tries to use one. That means identity checks. For everyone. Every time.

This is the point the parliamentary petition against the VPN amendment makes explicitly: “The method and implementation would likely rely on 3rd-party facial scans or ID checks, which we believe are invasive. Thus, such a law would cause massive collateral damage for the millions of current users who rely on VPNs for privacy and security.”

A law ostensibly aimed at under-18s becomes, in practice, a requirement for every adult in the country to prove their identity to use a basic internet privacy tool. There is no technical architecture that restricts children without also requiring adults to identify themselves. The child protection framing is the wrapper. Universal digital identity verification is the product.

This matters because of what it represents: a fundamental shift in the relationship between the state and the citizen.

No mandate

Digital ID was not in Labour’s 2024 general election manifesto. Voters were not asked whether they wanted mandatory identity verification to use the internet. There was no public debate, no referendum, no campaign pledge. The Online Safety Act was a Conservative creation. The current government inherited it and has chosen to expand its reach rather than question its premises.

Over 450,000 people have signed a parliamentary petition calling for the Online Safety Act’s age verification requirements to be repealed. A separate petition specifically opposes the VPN amendment. The Open Rights Group has stated there is “little evidence that young people are using VPNs to bypass digital ID checks” and that the proposals “will have little impact on children’s online safety but will deter adults from using them or force people to hand over personal documents or biometric data to companies.”

This is not a government responding to public demand. This is a government creating infrastructure that the public has actively objected to, using child safety as justification for something far broader than child safety.

The consultation closes on 26 May 2026. If the pattern holds, the government will “review responses” and proceed anyway.

What a VPN actually does

A VPN creates an encrypted tunnel between your device and a server somewhere else in the world. Your internet provider sees encrypted data going to one IP address. They cannot see what’s inside it. Websites see traffic from the VPN server, not from you.

That’s it. The reason this concerns the government is that VPNs let users bypass the Online Safety Act’s age verification. Connect to a server in the Netherlands and as far as any website is concerned, you’re in the Netherlands. UK age checks don’t apply.

Ofcom reported that after age verification went live on 25 July 2025, UK daily active VPN users temporarily doubled to around 1.5 million before settling at about 1 million. The government sees this as a problem to solve. You could equally see it as a million citizens voting with their feet against a policy they didn’t ask for.

Why a VPN ban is technically impossible

Even setting aside the democratic objections, enforcement doesn’t work. This isn’t speculation. Countries with far more authoritarian governments and far fewer constraints have tried.

Commercial VPN blocking is whack-a-mole. Russia has been blocking VPN providers since 2017. VPN usage has increased every year. Providers rotate IP addresses faster than any blocklist can keep pace. NordVPN alone runs over 6,000 servers across 111 countries. Block them today, new ones appear tomorrow. The economics are stacked against the censor: a new server costs a provider a few pounds; identifying and blocking it costs the state orders of magnitude more.

Deep packet inspection doesn’t work either. China operates the most sophisticated censorship system ever built. Thousands of engineers. Machine learning. Active probing. Real-time traffic analysis. And VPNs still work in China. Modern circumvention tools like Shadowsocks, V2Ray, Xray, and Trojan-Go disguise VPN traffic as ordinary HTTPS web browsing. To a monitoring system, these connections look identical to someone browsing a normal website. Blocking them means blocking HTTPS. Blocking HTTPS means blocking the internet.

Domain fronting makes detection nearly impossible. This technique routes encrypted traffic through legitimate cloud services. The monitoring system sees a connection to google.com or amazonaws.com. The actual destination is hidden inside the encrypted payload. You cannot block it without blocking Google and Amazon Web Services.

The fundamental problem is mathematical. VPN traffic can be made indistinguishable from normal encrypted web traffic. Both are encrypted data between two endpoints. There is no reliable way to tell them apart without breaking the encryption that protects all internet commerce.

Self-provision: what anyone can do

Everything above assumes you’re using a commercial VPN provider that the government can identify. But you don’t need one. Anyone with basic technical ability can build their own, and none of these methods can be detected or blocked without breaking the internet for everyone.

A VPS and WireGuard. Rent a virtual private server from any of hundreds of providers worldwide. Hetzner in Germany, DigitalOcean in the US, OVH in France, or dozens of smaller operators in jurisdictions the UK has no leverage over. Cost: £3-5 per month. Install WireGuard, a VPN protocol that fits in about 4,000 lines of code. The setup can be automated with a single script. Your server has a unique IP address that no blocklist will ever contain, because it’s yours alone.

SSH tunnelling. Every Linux and macOS machine has SSH built in. One command — ssh -D 1080 user@server — creates a SOCKS proxy that routes your browser traffic through any remote server you have access to. No VPN software needed. The traffic looks like a standard SSH session, which millions of developers and sysadmins use daily. Blocking SSH would break every IT department in the country.

Outline by Jigsaw. Alphabet (Google’s parent) runs Jigsaw, a division focused on helping people in censored countries access the internet. Their tool Outline lets anyone create a personal VPN server with a few clicks. It uses Shadowsocks, designed specifically to be undetectable by Chinese censors. Free and open source.

Tor. The Tor network routes traffic through multiple encrypted relays worldwide. It’s slower than a VPN but essentially impossible to block comprehensively. China, Iran, and Russia all try. None have succeeded.

Residential proxies and mesh networks. Services route traffic through real residential IP addresses, making it indistinguishable from normal household internet use. Peer-to-peer mesh networks make each participant a relay for others. Blocking these means blocking residential broadband connections.

App store removal is theatre. The government could pressure Apple and Google to remove VPN apps from UK stores. On Android, sideloading is trivial. On both platforms, built-in VPN clients accept standard configuration files with no app needed. SSH, Shadowsocks, and WireGuard can all be compiled from source code. App store bans inconvenience the least technical users and stop nobody who cares.

Making it illegal doesn’t make it detectable

Criminalising VPN use doesn’t solve the detection problem. If you connect to your own VPS over an obfuscated protocol, your ISP sees encrypted traffic going to a random IP address. That’s identical to connecting to any cloud service, streaming platform, or web application. Proving you’re using a VPN rather than accessing a legitimate service requires either breaking the encryption on your traffic or installing monitoring software on your device. The first would destroy internet commerce. The second is surveillance-state territory.

And there’s the collateral damage. VPNs are how remote workers connect to corporate networks. The NHS uses them. Banks use them. Every multinational operating in the UK uses them. Any law would need exceptions so broad that enforcement against individuals becomes arbitrary and selective, which creates its own legal problems under the Human Rights Act.

The Russia and China lesson

Russia has spent nine years trying to ban VPNs. Usage goes up every year. The government blocks services, fines companies for advertising them, and users switch to lesser-known services, self-hosted solutions, and obfuscated protocols. Comprehensive failure.

China has the most sophisticated internet censorship in human history. Thousands of engineers, deep packet inspection, active probing, machine learning. VPNs still work. Research published in March 2026 documents circumvention tools consistently defeating the Great Firewall’s latest detection methods.

These are authoritarian states with no free press, no independent courts, and no obligation to care about collateral economic damage. The UK has all of those constraints and a fraction of the enforcement appetite. If Russia and China can’t do it, Britain has no chance.

The actual question

The technical argument is settled. VPN bans don’t work. Every expert quoted in every article about this topic says the same thing. The government knows this. GCHQ certainly knows this.

So why pursue it?

Because the point was never to ban VPNs. The point is to establish the principle that using the internet requires proving your identity. Age-gating VPNs is the mechanism. Once the infrastructure exists — requiring digital ID to access a VPN — the same infrastructure can be extended to anything. Social media. Email. Search engines. The consultation document is already asking about restricting children’s access to AI chatbots. The direction of travel is clear.

The question isn’t whether VPN bans work. They don’t, and the government knows they don’t. The question is whether British citizens are comfortable with a government — one that didn’t campaign on this, didn’t put it to a vote, and faces active public opposition — building the architecture of an identity-verified internet under the banner of child protection.

Over 450,000 people have already answered that question.

The consultation is open until 26 May. You can respond here: https://www.gov.uk/government/consultations/growing-up-in-the-online-world-a-national-consultation
