Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
How will they detect "VPN traffic"?
To someone watching network traffic, a VPN connection looks like two machines exchanging encrypted packets. You can't see the actual data inside the packet, but you can see all the metadata (who it's addressed to, how big it is, whether it's TCP or UDP, when it's sent). From the metadata, you can make guesses about the content and VPN would be pretty easy to guess.
When sending a packet over the Internet, there's two parts of the address: the IP address and the port. The IP address is a specific Internet location, blocks of IP addresses are owned by groups (who owns what is public info) and there are many services that do geo-ip mappings. So if you're connecting to an IP address that belongs to a known VPN provider, that's easy.
The second part of the address is the port-number. Servers choose port-numbers to listen to and the common convention is to use well-known ports. So, for example, HTTPS traffic is on port 443. If you see a computer making a lot of requests to port 443, even though the traffic is encrypted we can guess that they're browsing the web. Wikipedia has a list (which is incomplete because new software can be written at any time and make up a new port that it prefers) and you can see lots of VPN software on there. If you're connecting to a port that's known to be used by VPN software, we can guess that you're using VPN software.
Once you're running VPN software on an unknown machine and have configured it to use a non-standard port, it's a bit harder to tell what's happening, but it's still possible to make a pretty confident guess. Some VPN setups use "split-tunnel" where some traffic goes over VPN and some over the public Internet. (This is most common in corporate use where private company traffic goes in the tunnel, but browsing Lemmy would go over public.) Sometimes, DNS doesn't go through the VPN which is a big give-away: you looked up "foo.com" and sent traffic to 172.67.137.159. Then you looked up "bar.org" and sent traffic to the same 172.67.137.159. Odds are that thing is a VPN (or other proxy).
Finally, you can just look at more complex patterns in the traffic. If you're interested, you could install Wireshark or just run tcpdump and watch your own network traffic. Basic web-browsing is very visible: you send a small request ("HTTP GET /index.html") and you get a much bigger response back. Then you send a flurry of smaller requests for all the page elements and get a bunch of bigger responses. Then there's a huuuuge pause. Different protocols will have different shapes (a MOBA game would probably show more even traffic back-and-forth). You wouldn't be able to be absolutely confident with this, but over enough time and people you can get very close. Or you can just be a bit aggressive and incorrectly mark things as VPNs.
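As an added illustration of the two cheapest heuristics in the reply above (well-known ports and the DNS give-away), run over a constructed flow log; this is not the commenter's code. The 172.67.137.159 address is the one the reply uses, the other addresses are documentation ranges, and the port table is a small assumed subset of the public port list.

```python
from collections import defaultdict

# Ports the public port list (the Wikipedia page mentioned above) attributes to
# VPN software. Constructed subset; a VPN moved to a non-standard port will not match.
KNOWN_VPN_PORTS = {1194: "OpenVPN", 51820: "WireGuard", 500: "IPsec IKE", 4500: "IPsec NAT-T"}

# Constructed flow log for one client, in the order an on-path observer would see it.
# Records are ("dns", queried_name) or ("conn", dst_ip, dst_port, proto). Not real traffic.
SAMPLE_LOG = [
    ("dns", "foo.com"),
    ("conn", "172.67.137.159", 443, "udp"),
    ("dns", "bar.org"),
    ("conn", "172.67.137.159", 443, "udp"),
    ("dns", "baz.net"),
    ("conn", "172.67.137.159", 443, "udp"),
    ("dns", "example.org"),
    ("conn", "203.0.113.10", 443, "tcp"),   # ordinary browsing: the name gets its own host
    ("conn", "198.51.100.7", 1194, "udp"),  # no lookup first, well-known OpenVPN port
]

def port_hits(log):
    """Heuristic 1: destinations contacted on a port the port list ties to VPN software."""
    return {(r[1], r[2]): KNOWN_VPN_PORTS[r[2]]
            for r in log if r[0] == "conn" and r[2] in KNOWN_VPN_PORTS}

def dns_funnel(log, min_names=3):
    """Heuristic 2 (the split-tunnel give-away): pair each cleartext DNS lookup with the
    connection that follows it. A destination that 'answers' for many unrelated names is
    a tunnel or proxy endpoint, or just a shared host/CDN, so this is a guess, not proof."""
    names_by_dst = defaultdict(set)
    pending = None
    for r in log:
        if r[0] == "dns":
            pending = r[1]
        elif r[0] == "conn" and pending is not None:
            names_by_dst[r[1]].add(pending)
            pending = None
    return {ip: sorted(n) for ip, n in names_by_dst.items() if len(n) >= min_names}

def suspected_endpoints(log):
    """Union of both heuristics: dst_ip -> list of reasons it was flagged."""
    reasons = defaultdict(list)
    for (ip, port), name in port_hits(log).items():
        reasons[ip].append(f"well-known {name} port {port}")
    for ip, names in dns_funnel(log).items():
        reasons[ip].append(f"{len(names)} different lookups followed by traffic to it")
    return dict(reasons)

if __name__ == "__main__":
    for ip, why in suspected_endpoints(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(why))
```

Raising min_names or adding an allow-list of known CDN ranges is how you trade the "aggressive" false positives the reply mentions against missed tunnels.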
Deep level packet inspection: they detect patterns or whatever in encrypted traffic (and the lack thereof) and ban the destination IP China-wide.
How they do it I have no idea, but they do, from my direct first-hand experience. It's not based on domain names; it's a direct, straight and total IP ban. All ports, all domains on that IP get banned forever just because you started using a VPN (OpenVPN in my case, it was a few years ago).
You need something like the stunnel/OpenVPN flag which masks your traffic as HTTPS, I think. Even then DPI can probably detect it.
They're looking for traffic patterns. It doesn't matter what encryption you're using: if it's point-to-point, they're going to find it and disable it.
Just ask Cisco (they are the contractor for China)